HeartCrypt-Packed EDR Killer Tools ‘AVKiller’ Actively Used in Ransomware Attacks
Cybersecurity teams have confronted a rising threat from a novel “EDR killer” payload in recent months, commonly referred to as AVKiller, which has been observed disabling endpoint defenses to facilitate the deployment of ransomware.
First detected in mid-2024, this tool leverages the HeartCrypt packer-as-a-service to obscure its true functionality and slip past traditional static signature checks.
Attackers typically deliver AVKiller via a dropper that masquerades as a legitimate utility—often by injecting malicious code into signed executables like Beyond Compare.
Upon execution, AVKiller decodes its heavily protected payload in memory, hunts for specific security drivers, and proceeds to terminate associated processes, creating a clear path for subsequent ransomware encryption.
Sophos analysts identified the initial AVKiller samples targeting Sophos products, and later variants expanded their focus to include a broad spectrum of vendors such as Bitdefender, Kaspersky, SentinelOne, and Microsoft Defender.
The tool searches for a randomly named driver file (for example, mraml.sys), loads it if present, and then terminates running processes or services associated with known antivirus and EDR solutions.
If the driver is missing, AVKiller creates a similarly named service and aborts with an error message, “Failed to get device,” ensuring that defenders encounter limited forensic artifacts.
The impact of AVKiller has been significant. In one high-profile incident, the RansomHub group deployed the payload against a large enterprise network, successfully disabling dynamic shellcode detection and device control mechanisms before unleashing file encryption.
Within minutes, crucial servers were compromised, and recovery efforts were hampered by the absence of active EDR protection.
Analysis of telemetry data revealed that AVKiller executed multiple SysCall-blocking routines, preventing live response tools from injecting into protected processes.
This level of sophistication underscores the growing trend of adversaries investing in specialized off-the-shelf tools to neutralize security operations.
Infection Mechanism and Evasion Tactics
The infection begins with a dropper executable packed by HeartCrypt, designed to evade static AV signatures.
Once in memory, AVKiller employs a custom loader that decrypts the embedded payload using an XOR routine.
The loader enumerates loaded drivers and searches for a five-letter randomly generated name, hardcoded within the decoded payload.
When the target driver is loaded, AVKiller issues direct system calls to terminate critical security processes:
// Open the device object exposed by the dropped driver; the five-letter name is hard-coded in the decoded payload.
HANDLE hDevice = CreateFileW(L"\\\\.\\mraml", GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
if (hDevice == INVALID_HANDLE_VALUE) {
    // Driver not present: print the error string seen in the samples and abort, leaving few artifacts.
    fprintf(stderr, "Failed to get device\n");
    exit(EXIT_FAILURE);
}
// Native call issued directly rather than through the hooked user-mode TerminateProcess;
// hProcess is a handle to the targeted security process (how it is obtained is not shown in the sample).
NtTerminateProcess(hProcess, STATUS_SUCCESS);
By bypassing user-mode API hooks and invoking NtTerminateProcess directly, AVKiller sidesteps common EDR interception points.
The driver itself is digitally signed with a compromised certificate—ranging from Changsha Hengxiang Information Technology Co., Ltd. to Fuzhou Dingxin Trade Co., Ltd.—both of which expired years ago but remain unrevoked in kernel verification lists.
This technique allows the driver to load without raising immediate suspicion from kernel integrity checks.
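The driver-name and service-creation behaviour described above (a five-letter pseudo-random driver such as mraml.sys, a same-named kernel service created even when the file is missing) together with the abused signer names give defenders three concrete hunting signals. The script below is an added detection example, not code from the article or from Sophos: it triages constructed Sysmon DriverLoad (Event ID 6) and System-log service-install (Event ID 7045) records, flags pseudo-random five-letter driver names, kernel drivers loaded from outside system32\drivers, and the two certificate holders the article names, and groups hits per driver so a service install and the later driver load of the same name land in one bucket. The field names follow the Sysmon and System log schemas, the allow-list of legitimate five-letter drivers is an assumption to be replaced with your own baseline, and all sample records are constructed.

```python
"""Added detection example: triage Sysmon Event 6 / System Event 7045 records
for the AVKiller driver pattern. Sample records are constructed, not real."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass

# Certificate holders the article names as abused to sign the AVKiller driver.
ABUSED_SIGNERS = {
    "changsha hengxiang information technology co., ltd.",
    "fuzhou dingxin trade co., ltd.",
}

# Assumed allow-list of legitimate Windows drivers that happen to have
# five-letter names; replace with a baseline taken from your own fleet.
BASELINE_FIVE_LETTER = {"tcpip", "cdrom", "vmbus", "netbt", "rdbss", "luafv"}

FIVE_LOWER = re.compile(r"^[a-z]{5}$")


@dataclass(frozen=True)
class Finding:
    event_id: int
    driver: str
    reason: str


def driver_basename(path: str) -> str:
    """Lower-case file name without '.sys' from any driver path form
    (full path, \\??\\ prefix, or bare 'system32\\drivers\\x.sys')."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".sys") else name


def looks_random(name: str) -> bool:
    """Five lowercase letters and not a known driver: the hard-coded random
    names the article describes (e.g. mraml)."""
    return bool(FIVE_LOWER.match(name)) and name not in BASELINE_FIVE_LETTER


def check_driver_load(ev: dict) -> list[Finding]:
    """Sysmon Event ID 6 (DriverLoad): ImageLoaded, Signed, Signature, SignatureStatus."""
    name = driver_basename(ev["ImageLoaded"])
    out = []
    if ev.get("Signature", "").strip().lower() in ABUSED_SIGNERS:
        out.append(Finding(6, name, f"signed by abused certificate holder: {ev['Signature']}"))
    if looks_random(name):
        out.append(Finding(6, name, "five-letter pseudo-random driver name"))
    # An expired-but-timestamped certificate can still report Valid, so this
    # check alone does not catch the case the article describes.
    if ev.get("SignatureStatus") != "Valid":
        out.append(Finding(6, name, f"signature status {ev.get('SignatureStatus')!r}"))
    return out


def check_service_install(ev: dict) -> list[Finding]:
    """System Event ID 7045 (service installed): ServiceName, ImagePath, ServiceType.
    AVKiller creates the kernel service even when the .sys file is absent, so a
    7045 with no matching Event 6 is still a lead."""
    if ev.get("ServiceType", "").lower() != "kernel mode driver":
        return []
    name = driver_basename(ev["ImagePath"])
    out = []
    if looks_random(name) and ev.get("ServiceName", "").lower() == name:
        out.append(Finding(7045, name, "kernel driver service with pseudo-random name"))
    if "system32\\drivers\\" not in ev["ImagePath"].lower():
        out.append(Finding(7045, name, f"driver outside system32\\drivers: {ev['ImagePath']}"))
    return out


def triage(events: list[dict]) -> dict[str, list[Finding]]:
    """Group findings by driver base name across both event types."""
    checkers = {6: check_driver_load, 7045: check_service_install}
    grouped = defaultdict(list)
    for ev in events:
        checker = checkers.get(ev["EventID"])
        for f in (checker(ev) if checker else []):
            grouped[f.driver].append(f)
    return dict(grouped)


# Constructed sample records: a benign tcpip pair, a full AVKiller-style
# install+load pair, and a service whose driver file was missing.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "tcpip", "ImagePath": r"system32\drivers\tcpip.sys",
     "ServiceType": "kernel mode driver"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7045, "ServiceName": "mraml", "ImagePath": r"\??\C:\Users\Public\mraml.sys",
     "ServiceType": "kernel mode driver"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\mraml.sys", "Signed": "true",
     "Signature": "Changsha Hengxiang Information Technology Co., Ltd.",
     "SignatureStatus": "Valid"},
    {"EventID": 7045, "ServiceName": "qwzxk", "ImagePath": r"\??\C:\ProgramData\qwzxk.sys",
     "ServiceType": "kernel mode driver"},  # driver file absent: no Event 6 follows
]

if __name__ == "__main__":
    for drv, findings in triage(SAMPLE_EVENTS).items():
        print(drv)
        for f in findings:
            print(f"  [{f.event_id}] {f.reason}")
```

Run against the samples, tcpip produces nothing, mraml accumulates four findings across its service install and driver load, and qwzxk is flagged on the service install alone, which is exactly the artifact left behind when the tool aborts with "Failed to get device". The signer list is the highest-confidence signal but the narrowest; the random-name and path heuristics generalise to renamed variants at the cost of needing a tuned allow-list.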
Upon successful termination of security services, the dropper triggers the ransomware payload—often linked to families such as Blacksuit, MedusaLocker, and INC—completing the kill chain.
AVKiller’s modular design permits rapid updates to target lists and packing layers, indicating active development and sharing among competing ransomware groups.
As defenders adapt, understanding and intercepting the AVKiller loader’s system-call routines and driver-loading behavior remain critical to thwarting these sophisticated attacks.