Killer Ultra malware has been found targeting endpoint detection and response (EDR) tools from Symantec, Microsoft, and SentinelOne in ransomware attacks.
Killer Ultra gathers all Windows event logs, clears them entirely, and acquires kernel-level permissions.
ARC Labs has classified this malware as “Killer Ultra.” Killer Ultra uses the well-known Zemana driver to kill EDR/AV processes, but researchers have found other features indicating that it can be used for purposes beyond weakening defenses.
Vulnerability Exploitation
Killer Ultra includes a vulnerable version of Zemana AntiLogger that exploits CVE-2024-1853 for arbitrary process termination.
A vulnerability related to Arbitrary Process Termination, identified as CVE-2024-1853, was discovered in Zemana AntiLogger v2.74.204.664.
This vulnerability allows an attacker to terminate processes arbitrarily, including vital security processes like antivirus or EDR software. It exploits the 0x80002048 IOCTL code of the Zemana AntiLogger drivers.
A threat actor going by the alias “SpyBoy” added this vulnerability to a tool called “Terminator,” which was advertised as an “EDR killer” tool in May 2023.
Terminator uses the insecure Zemana AntiLogger driver to exploit CVE-2024-1853 and disable security solutions on the systems it targets.
On Russian hacker forums, SpyBoy advertised and offered this tool, charging $300 for specialized AV bypasses and $3000 for an all-in-one solution.
Technical Capabilities Of Killer Ultra Malware
Killer Ultra operates with a high level of sophistication, leveraging kernel-level permissions to effectively neutralize EDR tools. The malware’s primary techniques include:
- Process Termination: Killer Ultra can terminate processes associated with common security tools, rendering them ineffective.
- Event Log Clearing: By clearing event logs, the malware makes it difficult for security teams to trace its activities.
- Driver Exploitation: The malware exploits vulnerabilities in drivers to gain deeper access and control over the infected systems.
- Persistence Mechanisms: It employs various methods to maintain persistence on compromised systems, ensuring it can survive reboots and other attempts to remove it.
- Indicator Removal: Killer Ultra is adept at removing indicators of compromise, helping it evade detection by traditional security measures.
- Post-Exploitation Capabilities: The malware potentially includes features for further exploitation after initial compromise, such as data exfiltration or lateral movement within networks.
“Killer Ultra obtains Kernel level permissions and targets endpoint security tools: Symantec Antivirus, Microsoft Windows Defender, SentinelOne, and Microsoft Defender for Endpoint,” reads Binary Defense’s post.
After installing the driver and starting the service, Killer Ultra disables security products on a predefined list. The list of target process names is stored XOR-encoded with a key of 3.
When the malware detects a match in the process name, Killer Ultra checks the active processes and ends the process with kernel-level permissions.
Also, by modifying EtwEventWrite’s privileges within the NTDLL, Killer Ultra seeks to deceive endpoint security tools further and may prevent ETW events linked to Killer Ultra operations from being written.
Although ARC Labs confirmed the malware’s ability to carry out these tasks, it is unclear if this really works to hide the malware’s actions from endpoint security systems.
To prevent security programs from running again after a system reboot, Killer Ultra generates two scheduled tasks titled “Microsoft Security ” and “Microsoft Maintenance” to execute at system startup.
Both tasks are configured to launch Killer Ultra from the following path: C:\ProgramData\Microsoft\SystemMaintainence\Maintainence.exe.
</gre_replace>
<gr_insert after="28" cat="add_content" lang="python" orig="Killer Ultra invokes">
The persistence and log-clearing behaviour described above (scheduled tasks named “Microsoft Security ” and “Microsoft Maintenance”, and wevtutil.exe launched through cmd.exe to clear logs) gives a defender concrete things to alert on. The following is an added detection example, not code from the report or from Binary Defense; the telemetry records are constructed, the field names (`type`, `parent`, `image`, `cmdline`, `task_name`, `action`) are an assumed SIEM normalisation, and the backslashes in the ProgramData path are reconstructed since the article shows it without separators.

```python
import re

# Constructed sample telemetry (not real logs): simplified process-creation (4688 / Sysmon 1)
# and scheduled-task-registration (4698) records as a SIEM might normalise them.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "cmd.exe", "image": "wevtutil.exe", "cmdline": "wevtutil.exe cl Security"},
    {"type": "process", "parent": "cmd.exe", "image": "wevtutil.exe", "cmdline": "wevtutil.exe cl System"},
    {"type": "process", "parent": "cmd.exe", "image": "wevtutil.exe", "cmdline": "wevtutil.exe clear-log Application"},
    {"type": "process", "parent": "svchost.exe", "image": "wevtutil.exe", "cmdline": "wevtutil.exe qe Application /c:5"},
    {"type": "process", "parent": "services.exe", "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    # Path separators below are reconstructed; the article prints the path without them.
    {"type": "task", "task_name": "Microsoft Security ", "action": "C:\\ProgramData\\Microsoft\\SystemMaintainence\\Maintainence.exe"},
    {"type": "task", "task_name": "Microsoft Maintenance", "action": "C:\\ProgramData\\Microsoft\\SystemMaintainence\\Maintainence.exe"},
    {"type": "task", "task_name": "MicrosoftEdgeUpdateTaskMachineCore", "action": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe"},
]

# Task names reported for Killer Ultra; note the trailing space in the first one.
SUSPICIOUS_TASK_NAMES = {"Microsoft Security ", "Microsoft Maintenance"}
# wevtutil verbs that clear a log: "cl" and its long form "clear-log"; "qe" (query) is benign.
CLEAR_VERB = re.compile(r"^\s*\S*wevtutil(?:\.exe)?\s+(cl|clear-log)\s+(\S+)", re.IGNORECASE)
MASS_CLEAR_THRESHOLD = 3  # distinct logs cleared in one batch before we call it mass clearing


def analyse(events):
    """Return a list of (rule, detail) findings for the given normalised events."""
    findings = []
    cleared_logs = []
    for ev in events:
        if ev["type"] == "process" and ev["image"].lower() == "wevtutil.exe":
            m = CLEAR_VERB.match(ev["cmdline"])
            if m:
                cleared_logs.append(m.group(2))
                # cmd.exe -> wevtutil.exe cl is the exact chain described for Killer Ultra.
                if ev["parent"].lower() == "cmd.exe":
                    findings.append(("wevtutil_clear_via_cmd", ev["cmdline"]))
        elif ev["type"] == "task":
            if ev["task_name"] in SUSPICIOUS_TASK_NAMES:
                findings.append(("killer_ultra_task_name", ev["task_name"]))
            # A startup task whose action lives under ProgramData deserves a look regardless of name.
            if ev["action"].lower().startswith("c:\\programdata\\"):
                findings.append(("task_action_in_programdata", ev["action"]))
    # Clearing many logs in one batch is the "remove all indicators" pattern, not routine admin work.
    if len(set(cleared_logs)) >= MASS_CLEAR_THRESHOLD:
        findings.append(("mass_event_log_clear", sorted(set(cleared_logs))))
    return findings


if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The rules are deliberately narrow: a single `wevtutil qe` from a service host produces nothing, while the constructed batch yields three per-clear hits, one mass-clear hit, and four task-related hits.
<test>
findings = analyse(SAMPLE_EVENTS)
rules = [r for r, _ in findings]
assert rules.count("wevtutil_clear_via_cmd") == 3
assert rules.count("killer_ultra_task_name") == 2
assert rules.count("task_action_in_programdata") == 2
assert ("mass_event_log_clear", ["Application", "Security", "System"]) in findings
assert len(findings) == 8
assert analyse([SAMPLE_EVENTS[3], SAMPLE_EVENTS[4], SAMPLE_EVENTS[7]]) == []
assert analyse([SAMPLE_EVENTS[0]]) == [("wevtutil_clear_via_cmd", "wevtutil.exe cl Security")]
</test>
</gr_insert>
<gr_replace lines="31" cat="remove_boilerplate" orig="“Is Your System">
Killer Ultra has a subroutine called StartAddress that is specified in the main function. Its purpose is to eliminate compromise indications by using the “wevtutil.exe” utility to remove the Windows Event Logs.
Killer Ultra invokes “wevtutil.exe” through “cmd.exe” to run through and delete all of the Windows Event Logs.
“Inactive functions within the code that could enable Killer Ultra to operate as a post-exploitation tool. While these capabilities are not currently active, these code sections could be activated in future versions of the malware”, researchers warn.
This analysis of Killer Ultra will help organizations comprehend all of its features and offer tactical threat intelligence to guide their detection and response plans.
“Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!”- Free Demo