
An Inside Look at the Black Market for EDR Killers on the Dark Web

ExtraHop

August 15, 2024

Endpoint detection and response (EDR) evasion tools have become increasingly popular with threat actors, who keep developing new ways to blind or disable the agents organizations deploy on managed devices to spot malware and other malicious activity.

Notable ransomware actors that have weaponized EDR bypass tools include FIN7 and Black Basta. July 2024 research from SentinelOne revealed that the “AvNeutralizer” (aka AuKill) EDR bypass tool, which SentinelOne attributes to FIN7, was used in 2022 ransomware campaigns in which the two groups collaborated. More alarming, the tool is no longer exclusive to Black Basta.

Beginning in 2023, SentinelOne “observed a peak in the usage of updated versions of AvNeutralizer by multiple ransomware groups,” according to its report. Another EDR bypass tool popular with threat actors is the Terminator kit sold by ‘spyboy’. A 2023 YouTube video produced by CrowdStrike evaluated this tool and assessed that it was a Bring Your Own Vulnerable Driver (BYOVD) attack kit.

In BYOVD attacks, “threat actors abuse vulnerabilities in legitimate, signed drivers, on which security products rely, to achieve successful kernel-mode exploitation and disable defense solutions,” according to Cyber News. The technique works because the driver carries a valid signature, so it passes Driver Signature Enforcement when an attacker who already holds administrator rights loads it; the attacker then uses the driver's flaws (typically an arbitrary kernel memory read/write primitive or a privileged process-termination routine) to kill or blind EDR processes that an ordinary administrator cannot touch. Two practical checks follow from this: confirm that the Microsoft Vulnerable Driver Blocklist is enabled (it is on by default on Windows 11 22H2 and later, and is enforced when HVCI or Smart App Control is on), and alert on kernel driver loads whose hash appears in a catalog of known-abused drivers such as the LOLDrivers project.
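As an added example (not ExtraHop's code, nor any vendor's detection logic), the following Python triages Sysmon Event ID 6 (DriverLoad) records the way a SOC rule would: a hash match against a list of known vulnerable drivers, the signature status, and the load path. The blocklist entry and the four events are constructed placeholders; a real deployment would populate the hash list from the LOLDrivers project or Microsoft's blocklist. Field names follow Sysmon's DriverLoad schema (ImageLoaded, Hashes, Signed, SignatureStatus).

```python
"""Flag suspicious kernel-driver loads in Sysmon Event ID 6 (DriverLoad) records.

Added example for this article, not ExtraHop's or any vendor's code. The
events and the blocklist entry below are constructed placeholders; in a
real deployment the blocklist is populated from the LOLDrivers project or
Microsoft's vulnerable driver blocklist, and the hash match is the signal
that catches the drivers BYOVD kits such as Terminator ship with.
"""
from dataclasses import dataclass, field

# Constructed placeholder: NOT a real vulnerable-driver hash.
VULNERABLE_DRIVER_SHA256 = {
    "a" * 64: "placeholder-vulnerable.sys",
}

# Where Windows normally loads drivers from; anything else is worth a look.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)
# Path fragments that indicate a location an unprivileged user could write to.
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")


def parse_hashes(hashes_field: str) -> dict:
    """Sysmon renders hashes as 'SHA1=...,MD5=...,SHA256=...,IMPHASH=...'."""
    out = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def normalize_path(path: str) -> str:
    """Lower-case and resolve the \\SystemRoot\\ and \\??\\ prefixes Sysmon may emit."""
    p = path.lower()
    if p.startswith("\\systemroot\\"):
        p = "c:\\windows\\" + p[len("\\systemroot\\"):]
    if p.startswith("\\??\\"):
        p = p[len("\\??\\"):]
    return p


@dataclass
class Finding:
    image: str
    severity: str
    reasons: list = field(default_factory=list)


def assess_driver_load(event: dict):
    """Return a Finding for a suspicious DriverLoad event, or None if it looks normal."""
    image = normalize_path(event["ImageLoaded"])
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    reasons, severity = [], "info"

    if sha256 in VULNERABLE_DRIVER_SHA256:
        reasons.append(f"known vulnerable driver: {VULNERABLE_DRIVER_SHA256[sha256]}")
        severity = "high"
    # A BYOVD driver is validly signed by design, so this only catches sloppier kits.
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("driver is unsigned or its signature is invalid")
        severity = "high"
    if not image.startswith(TRUSTED_DRIVER_DIRS):
        if any(hint in image for hint in USER_WRITABLE_HINTS):
            reasons.append("loaded from a user-writable directory")
            severity = "high"
        else:
            reasons.append("loaded from outside System32\\drivers")
            severity = "medium" if severity == "info" else severity
    return Finding(image, severity, reasons) if reasons else None


def triage(events: list) -> list:
    """Run assess_driver_load over a batch and keep only the hits."""
    return [f for f in (assess_driver_load(e) for e in events) if f]


# Constructed sample events in Sysmon Event ID 6 field layout.
SAMPLE_EVENTS = [
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Hashes": "SHA256=" + "1" * 64, "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\cleanup.sys",
     "Hashes": "SHA256=" + "A" * 64, "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\Users\\Public\\tmp\\cleanup.sys",
     "Hashes": "SHA256=" + "2" * 64, "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": "\\??\\C:\\ProgramData\\svc\\helper.sys",
     "Hashes": "SHA256=" + "3" * 64, "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.image}: {'; '.join(finding.reasons)}")
```

The hash match is what catches a kit that ships a catalogued driver; the path and signature heuristics exist because the hash list is always behind the attacker, who can pick a driver nobody has catalogued yet. A validly signed, uncatalogued driver copied into System32\drivers produces no finding here, which is the honest limit of this kind of check and the reason the blocklist needs to be enforced in the kernel rather than only alerted on.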

Beyond BYOVD-based impairment methods, another popular dual-purpose tool that is often abused by threat actors to evade EDR sensors is Brute Ratel. Brute Ratel is a “customized command and control center that was created for red team and adversary simulation. Brute Ratel has a similar framework to Cobalt Strike, and is often deployed as a second-stage payload for further malicious activity,” according to Blackpoint Cyber.

While Brute Ratel was originally developed for legitimate penetration testing, the tool is frequently “abused by threat actors due to the ability to blend into normal traffic and the ability to provide persistent remote access,” according to Blackpoint Cyber.

Specifically, Brute Ratel is designed to avoid detection by EDR and antivirus (AV) software and “its effectiveness is likely a leading reason for the attractiveness of the tool for threat groups,” according to Blackpoint Cyber.

Given how effective Black Basta and other threat actors have been at disabling EDR agents, the black market for these evasion kits is flourishing. ExtraHop conducted independent research on the Dark Web to better understand the cybercriminal market for EDR evasion tools. We combed the most popular cybercriminal forums (XSS, Exploit.in, and RAMP) and scraped the latest EDR evasion chatter.

Far from an abstract or academic threat, the Dark Web postings scraped by our analysts demonstrate that there is a thriving market for EDR bypass tools. Booming innovation in and demand for this cybercriminal product niche further underscore why cybersecurity strategies that rely solely on EDR defenses are at high risk of failure.

The Black Market for EDR Evasion Tools

EDR evasion tools are typically sold as subscription services, starting as low as $350 per month or $300 for a single bypass. The low price point makes these tools highly accessible to ransomware affiliates and other threat actors, including those with lower levels of technical proficiency.

On the higher end, ExtraHop noticed several recent listings where threat actors priced their EDR bypass offerings at $7,500, and as high as $10,000 for a listing that packaged EDR evasion capabilities within an encryption locker. In the XSS post below, published on July 15, 2024, threat actor ‘Baphomet’ sells their advanced “AV/EDR Kill Process Software” for $7,500.

Baphomet AV/EDR Kill Process Software listing

Source: XSS forum


Baphomet provides the following technical information about their EDR bypass tool:

  • The product is compatible with Windows OS (including Windows Server, Windows 10, Windows 11, and others).

  • Protected processes can be deleted without any warnings or alarms.

  • Administrator privileges are required.

  • Encryption or obfuscation is not necessary. The service is clean and does not require any additional work.

  • The product is signed by a trusted vendor, not by a random certificate.

  • Unlimited use: The software is provided with source code, granting you complete control. There are no limitations on the number of AV/EDR vendors. Once purchased, you can use it freely.

  • The software is not blacklisted or recognized as malware.

  • The tool is user-friendly and easy to use.

  • A system reboot is not required. In the event of a reboot or shutdown, normal operations will resume. However, it will be necessary to relaunch the software.

  • Depending on the AV/EDR system, all processes might need to be disabled/killed. For certain vendors, it’s not necessary to kill every single process.

  • Actual checks are done at 500-750 ms. It can be switched to 1 ms without issues. The process won’t respawn.

Baphomet AV/EDR Kill Process Software product description

Source: XSS forum


KernelMode

In an earlier XSS listing from January 15, 2024, high-reputation threat actor ‘KernelMode’ advertises their “av/edr disabler.”

KernelMode AV/EDR disabler product description

Source: XSS forum


The listing explains that the main advantage of this tool is that “AV/EDR SCANNER processes are not terminated, i.e. EXTERNALLY the security solution continues to function, but IN FACT file/memory scanning is not performed. The functionality has been tested on Windows 7sp1-11, Windows Server 2008 r2 - 2022 with the following AV/EDR: Bitdefender, CrowdStrike, Cylance, Palo Alto Networks, Kaspersky, DrWeb, ESET, Avast, Avira, Symantec, Sophos, Sentinel One, TrendMicro, Webroot, Windows Defender 10/11.”

“Monthly support for each AV/EDR is $1,500, minimum order is $7,500. If the AV/EDR you need is not on the list, write to us, we will try to add it. I am recruiting no more than 7 clients. A guarantor is welcome.

“Before concluding a deal, I provide a video demonstration with the launch of mimikatz and current AV/EDR scans from scanner.to.”

KernelMode emphasizes that their tool does not terminate the EDR process. Instead, the disabler leaves the AV/EDR solution running and outwardly healthy while its file and memory scanning silently stops working. For defenders the distinction matters: a killed agent shows up as a missing heartbeat in the EDR console, whereas a neutered one keeps reporting in.

It is also noteworthy that KernelMode’s $7,500 minimum order matches Baphomet’s asking price. The similarity could simply reflect competitive pricing in an open black market. However, it is also possible that Baphomet and KernelMode are selling the same tool under different avatars and product names to create the illusion of product heterogeneity.

In any event, KernelMode is a prolific EDR bypass vendor, with product listings discoverable on XSS, RAMP, Exploit.in, and likely other cybercriminal forums and marketplaces.

Bug

At the highest price point ExtraHop could find in the cybercriminal hubs it perused is the source code for a cryptor (locker) being promoted by threat actor ‘Bug’. The target market for this source code is obviously ransomware operators. (One caveat on terminology: in forum parlance “cryptor” often denotes a crypter, a packer that wraps a payload so it runs past AV, and the feature list below fits that reading as well as it fits a locker.) Notably, Bug writes in their XSS forum post, dated June 16, 2024, that their “cryptor has a built-in bypass of AV and EDR emulation through syscalls and removal of hooks on system DLLs, ETW and AMSI bypass is implemented. Completely original code.” Each item on that list targets a specific user-mode visibility point: direct syscalls skip the hooks an EDR places on ntdll.dll exports, unhooking restores the original bytes of those functions, an ETW bypass patches the tracing functions the EDR's telemetry providers depend on, and an AMSI bypass stops script content from being handed to the scanner.

Bug cryptor source code product description

Source: XSS forum


This listing is significant because it illustrates how some ransomware actors build EDR bypass functionality into their actual encryption lockers, a technique associated with threat actors like FIN7 and Black Basta.

mkdele

Another interesting listing is ‘mkdele’s “Disable Antivirus/EDR” post on the XSS forum from April 2022. This threat actor claimed their product disables most AV/EDR tools, including:

Sentinel One, Sophos, Cisco, Symantec, Trend Micro, McAfee, Kaspersky, Malwarebytes, Windows defender, Avast, Webroot, ESET, BitDefender, CrowdStrike, Panda, F-Secure, AhnLab, Cylance, G Data, Cortex, Carbon Black, Check Point

Mkdele Disable Antivirus/EDR product description

Source: XSS forum


Mkdele is listing their product for $2,000 and up. While mkdele has been marketing their AV/EDR bypass tool for over two years, the threat actor’s listing notes that they most recently released a product update on 7/17/2024. Since its inception, the product has received positive reviews from numerous XSS forum members.

EDR Bypass Techniques

Other insightful posts that we scraped related to EDR evasion discuss techniques like “attack decorrelation.”

Simplestop dumps their LSA Secrets

Source: XSS


In an XSS forum post titled “Dumping LSA Secrets: A Tale of Task Distribution,” threat actor ‘simplestop’ details a method for extracting Windows Local Security Authority (LSA) secrets. These secrets are stored, encrypted, in the SECURITY hive of the registry, which is “essentially a database that holds important settings for your computer,” according to consulting firm Wolf & Company, P.C.; the key that decrypts them is in turn protected by the system boot key, which is derived from data in the SYSTEM hive. According to SentinelOne, LSA secrets store system-sensitive data such as:

  • User passwords
  • Internet Explorer passwords
  • Service account passwords (services on the machine that require authentication with a secret)
  • Cached domain password encryption key
  • SQL passwords
  • SYSTEM account passwords
  • Account passwords for configured scheduled tasks
  • Time left until the expiration of an unactivated copy of Windows

Therefore, attackers generally seek to dump these secrets to extract sensitive passwords and enumerate other system sensitive data. In chapter four of their guide, simplestop explains that the technique for EDR bypass they presented was “not blocked or detected as malicious by any EDR/AV” for a simple reason: “attack decorrelation.”

According to simplestop, decorrelating actions means that instead of having one tool doing everything, “you should have several tools doing a simple task.” The threat actor proceeds to break down the "LSA secret dump" attack into three steps:

1. Getting the boot key (either using the previously mentioned binary, whose only purpose is to query some registry key class values, or using the print method)

2. reg export the SAM and SECURITY branches, which can be done using reg.exe. Note that this export will not be blocked, because again, this is only reading the registry keys, and programs read registry keys all the time. If EDR had to track all these reads, I think the system would crash.

3. Decrypting the reg export results, as well as the bootkey. Since we have all the necessary materials, we can decrypt the secrets on the computer under our control. This allows us to not perform cryptographic operations on the target system, which reduces the likelihood of detection.

If a threat actor follows these steps, simplestop advises, they will “get all the information needed to decrypt the secrets.” Furthermore, since they have conducted minimal operations on the system, EDR will not notice them, claims simplestop. That claim holds best for steps 1 and 3: reading class names from the registry is not something most sensors alert on, and the decryption happens off-host. Step 2 is weaker. Saving or exporting the SAM and SECURITY hives requires administrator rights, and the resulting reg.exe process-creation event, with the hive name in its command line, is a long-standing detection in EDR products and public Sigma rules. The hive files also have to leave the host, which is where network-level visibility comes in.
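The following is an added example, not simplestop's or ExtraHop's code, covering both halves of the procedure above. derive_bootkey() is the offline part of step 1 feeding step 3: the four Lsa class names are nothing but the scrambled boot key, and the permutation used is the publicly documented one (the same one Impacket's secretsdump applies), which is why step 1 needs nothing beyond reading key metadata. flag_hive_dumps() is the host-side detection for step 2, the reg.exe hive save that does show up in process-creation telemetry. The class-name strings and event records are constructed; the full SAM/SECURITY decryption that follows in step 3 is out of scope here.

```python
"""Both halves of the decorrelated LSA-secrets dump described above.

Added example for this article, not simplestop's code. derive_bootkey() is
the offline part of step 1 feeding step 3: the four registry class names are
nothing but the scrambled boot key, and the permutation below is the publicly
documented one (the same one Impacket's secretsdump applies). flag_hive_dumps()
is the host-side detection that step 2 still has to survive: reg.exe saving or
exporting the SAM, SECURITY or SYSTEM hive. All class-name strings and event
records are constructed samples.
"""
import re
from binascii import unhexlify

# Each of HKLM\SYSTEM\CurrentControlSet\Control\Lsa\{JD,Skew1,GBG,Data} carries an
# 8-character hex string as its key *class* (not a value), which is why reading
# them only needs RegQueryInfoKey and no privileged API.
BOOTKEY_PERMUTATION = [8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7]


def derive_bootkey(jd: str, skew1: str, gbg: str, data: str) -> bytes:
    """Turn the four class-name strings into the 16-byte boot key."""
    scrambled = unhexlify(jd + skew1 + gbg + data)
    if len(scrambled) != 16:
        raise ValueError("expected four 8-hex-character class names")
    return bytes(scrambled[i] for i in BOOTKEY_PERMUTATION)


# 'reg save' or 'reg export' of a sensitive hive root, wherever it sits in the
# command line (direct, via cmd /c, or inside a PowerShell one-liner). The
# trailing lookahead keeps saves of a sub-key (hklm\system\...) from matching.
HIVE_DUMP_RE = re.compile(
    r'\breg(?:\.exe)?\s+(save|export)\s+["\']?'
    r'(?:hklm|hkey_local_machine)\\(sam|security|system)(?![\w\\])',
    re.IGNORECASE,
)


def flag_hive_dumps(events: list) -> list:
    """events: process-creation records (Sysmon ID 1 / Security 4688) as dicts."""
    findings = []
    for ev in events:
        m = HIVE_DUMP_RE.search(ev.get("CommandLine", ""))
        if m:
            findings.append({
                "hive": m.group(2).upper(),
                "verb": m.group(1).lower(),
                "image": ev.get("Image", ""),
                "user": ev.get("User", ""),
            })
    return findings


# Constructed process-creation records.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\reg.exe", "User": "CORP\\jdoe",
     "CommandLine": "reg.exe save hklm\\sam C:\\Windows\\Temp\\sam.hiv"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "User": "CORP\\jdoe",
     "CommandLine": "powershell.exe -c \"reg save HKLM\\SECURITY C:\\Users\\Public\\sec.hiv\""},
    {"Image": "C:\\Windows\\System32\\reg.exe", "User": "NT AUTHORITY\\SYSTEM",
     "CommandLine": "reg.exe export \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" C:\\backup\\run.reg"},
    {"Image": "C:\\Windows\\System32\\reg.exe", "User": "CORP\\jdoe",
     "CommandLine": "reg.exe query HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa"},
]

if __name__ == "__main__":
    # Constructed class names; a real host has four different 8-hex-char strings.
    print(derive_bootkey("01020304", "05060708", "090a0b0c", "0d0e0f10").hex())
    for hit in flag_hive_dumps(SAMPLE_EVENTS):
        print(f"{hit['user']} ran {hit['verb']} on {hit['hive']} via {hit['image']}")
```

Two design points. The boot key derivation shows why simplestop's step 1 is so quiet: no secret is read, only key metadata, so there is no sensitive-object access to audit. The detection deliberately keys on the command line rather than the image, because the third sample record (a legitimate export of a Run key by SYSTEM) must not fire while the second (reg save wrapped in a PowerShell one-liner) must; an alternative that survives renamed copies of reg.exe is a SACL on HKLM\SAM and HKLM\SECURITY so that hive reads produce Security event 4663.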

The last thought-provoking EDR bypass post scraped by ExtraHop doesn’t even involve an operational product or proof of concept. In an XSS post dated July 31, 2024, threat actor ‘BigBug’ asks forum members to rate their idea, “a private service for a small number of users, which would provide access to all popular EDR solutions.” In a nutshell, the concept is a hosted sandbox in which malware developers can test their software against a variety of leading EDR agents:

“- After paying for a subscription, the user gets access to a personal account

- In the account, you can select one or more EDR solutions

- By pressing a button, virtual machines with the selected EDRs are raised

- The user gets access to the virtual machines and can do whatever he wants”

BigBug floats an idea to create a virtual EDR bypass test environment for malware developers

Source: XSS


While BigBug still lacks a working proof of concept for their proposed EDR-bypass virtual sandbox service, this post illustrates the menacing potential of constantly evolving and increasingly professionalized adversarial innovation.

RevealX: Enforcing Ineludible Network Security

Given the persistent innovation exhibited by threat actors in their mission to evade discovery by EDR controls, enterprise security teams can no longer rely solely on endpoint-based detection or security information and event management (SIEM) tools.

RevealX™ network detection and response (NDR) gives organizations 360-degree visibility and detection capabilities to stop attackers armed with the latest EDR bypass tools and terminator kits. RevealX monitors an organization’s network traffic, north-south and east-west, including encrypted traffic, in real time, alerting security analysts when notable anomalies arise.

The platform conducts all NDR operations, while sitting out of band, ensuring that network performance is not degraded. RevealX captures transaction logs, netflow data, and full packets across more layers of the network (OSI layers 2-7) than competing NDR solutions, and can store this data for as long as 180 days to facilitate investigations and root-cause analysis.

Full packet capture (PCAP) fuels more accurate detections and accelerates response by providing richer context and metadata about what’s happening on an organization’s network. With RevealX, you can tell what every packet is doing anywhere on your network at any given time: where it’s going, where it came from, and what is being said across both sides of the conversation. This definitive level of detail is particularly helpful to organizations that need to comply with rigorous incident-reporting regulations.

In addition to PCAP and industry-leading protocol decryption coverage, RevealX applies cloud-based machine learning to network data to distinguish suspicious network behavior from normal traffic. Beyond behavior-based machine learning detections, RevealX provides four other layers of network-based detection, including network indicator detections, routinely exploited vulnerability detections, and emerging exploit and signature-based network malware detections through its intrusion detection system (IDS) module.

As attackers find increasingly inventive ways to disable EDR controls, an NDR tool like RevealX provides an essential next line of defense: it sits out of band, outside the endpoint, so an attacker who holds administrator rights on a compromised host cannot reach in and turn it off the way they can an agent.
