June 1, 2023

New Malware Surfaces to Terminate NGAVs/EDRs/XDRs


ThreatLocker is aware of recent sophisticated attacks centered on disabling NGAV/EDR/XDR capabilities.

On May 28, 2023, a video surfaced showing an executable that allegedly terminated the popular EDR/XDR tool CrowdStrike.

Here’s What We Know  

This alleged tool disables the product's tamper-protection functionality and then terminates the locally installed agent. The tool's author claims it works against the following vendors:

  • Windows Defender  
  • SentinelOne  
  • Sophos  
  • CrowdStrike  
  • Carbon Black 
  • Cortex  
  • Cylance  
  • Kaspersky  
  • ESET  
  • AVAST  
  • AVG Technologies 
  • Symantec  
  • McAfee  
  • Bitdefender  
  • Trend Micro  
  • Panda Security 
  • Malwarebytes  
  • Check Point Software Technologies 
  • 360 Total Security  
  • Aliyun  
  • VIPRE 
  • Webroot  
  • Cybereason  

How ThreatLocker Stops It  

ThreatLocker's endpoint protection platform is designed to block known and unknown threats. With Application Allowlisting, organizations operating in a Zero Trust environment deny every executable by default unless a policy has explicitly been created to allow it. ThreatLocker customers who have properly secured their environment are protected from unauthorized executables that try to bypass their NGAV/EDR/XDR, because such software is not permitted to run on the endpoint in the first place.

As a best practice, ThreatLocker suggests users continually evaluate their allow list, removing unneeded and unused policies, and applying Ringfencing™ to every application possible, only permitting each application access to what it needs and nothing more.  
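The two mechanisms described above, default-deny allowlisting and per-application ringfencing, plus the suggested review of unused policies, can be modelled in a few dozen lines. The following is an added example written for this post; it is not ThreatLocker's code and does not reflect how its product is implemented. Every policy, hash, path and date in it is a constructed sample value.

```python
"""Default-deny application allowlist with per-application ringfence rules.

Added example (not ThreatLocker's code). It models the policy semantics the
post describes: a binary runs only if an explicit allow policy matches its
hash, an allowed application may only touch resources inside its ringfence,
and policies that have not matched anything recently are flagged for review.
All binaries, hashes, paths and dates below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class AllowPolicy:
    """One explicit allow rule: which binary may run and what it may access."""
    name: str
    sha256: str                          # hash of the permitted binary
    allowed_prefixes: Tuple[str, ...]    # ringfence: path prefixes the app may use
    last_used: Optional[date] = None     # updated whenever the policy matches


@dataclass
class Verdict:
    allowed: bool
    reason: str
    policy: Optional[str] = None


def _norm(path: str) -> str:
    """Normalise Windows/POSIX paths for a case-insensitive prefix comparison."""
    return path.replace("\\", "/").lower()


class Allowlist:
    """Default-deny evaluator: anything without a matching policy is blocked."""

    def __init__(self, policies: Iterable[AllowPolicy]) -> None:
        self._by_hash: Dict[str, AllowPolicy] = {}
        self._by_name: Dict[str, AllowPolicy] = {}
        for p in policies:
            # Force each ringfence prefix to end in "/" so that "C:/Apps/Editor"
            # cannot accidentally match "C:/Apps/EditorOther/...".
            p.allowed_prefixes = tuple(
                _norm(x).rstrip("/") + "/" for x in p.allowed_prefixes)
            self._by_hash[p.sha256.lower()] = p
            self._by_name[p.name] = p

    def evaluate_execution(self, image: bytes, today: date) -> Verdict:
        """Decide whether a binary may run. No matching policy means deny."""
        digest = hashlib.sha256(image).hexdigest()
        policy = self._by_hash.get(digest)
        if policy is None:
            return Verdict(False, "no allow policy for sha256 " + digest[:16])
        policy.last_used = today
        return Verdict(True, "explicit allow policy matched", policy.name)

    def evaluate_access(self, policy_name: str, resource: str) -> Verdict:
        """Ringfence check: an allowed app may only reach its granted paths."""
        policy = self._by_name.get(policy_name)
        if policy is None:
            return Verdict(False, "unknown application")
        target = _norm(resource)
        if any(target.startswith(prefix) for prefix in policy.allowed_prefixes):
            return Verdict(True, "inside ringfence", policy_name)
        return Verdict(False, "outside ringfence: " + resource, policy_name)

    def stale_policies(self, today: date, max_idle_days: int = 90) -> List[str]:
        """Policies that never matched, or not within max_idle_days: review them."""
        cutoff = today - timedelta(days=max_idle_days)
        return sorted(p.name for p in self._by_name.values()
                      if p.last_used is None or p.last_used < cutoff)


# Constructed sample binaries (stand-ins for real PE files).
EDITOR_IMAGE = b"MZ-constructed-sample-editor-binary"
UNKNOWN_IMAGE = b"MZ-constructed-sample-unknown-binary"


def build_sample_allowlist() -> Allowlist:
    """Constructed policy set: one in-use application and one legacy policy."""
    return Allowlist([
        AllowPolicy("editor", hashlib.sha256(EDITOR_IMAGE).hexdigest(),
                    (r"C:\Users", r"C:\Program Files\Editor"),
                    last_used=date(2023, 5, 30)),
        AllowPolicy("legacy-tool", "0" * 64, (r"C:\LegacyTool",),
                    last_used=date(2022, 12, 1)),
    ])


if __name__ == "__main__":
    today = date(2023, 6, 1)
    al = build_sample_allowlist()
    print(al.evaluate_execution(EDITOR_IMAGE, today))
    print(al.evaluate_execution(UNKNOWN_IMAGE, today))
    print(al.evaluate_access("editor", r"C:\Users\alice\Documents\notes.txt"))
    print(al.evaluate_access("editor", r"C:\ProgramData\ExampleAgent\settings.json"))
    print("policies to review:", al.stale_policies(today))
```

The point the example makes is the one the post relies on: the unknown binary is denied without anyone having to recognise it, and even an allowed application cannot reach a path outside its ringfence (the `ExampleAgent` path is a constructed placeholder). The `stale_policies` report is what a periodic allowlist review would start from.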

For assistance securing your endpoints, please contact the Cyber Hero Team. 

ThreatLocker cannot confirm the validity of this source or that this software is actively being used against other tools. However, should such an attack occur, ThreatLocker Zero Trust Anti-malware policies will prevent the file from executing.

Source: Reddit