It is a known fact that hackers use legitimate software in their attacks, whenever possible. Well, now we can add EDRSilencer to that list.
Earlier this week, cybersecurity researchers from Trend Micro published a new report, in which they claim to have observed EDRSilencer being deployed in cyberattacks. This tool, they say, was primarily designed for penetration testing, to be used by red teams as they simulate real-life cyberattacks and stress-test their networks against intruders.
Short for Endpoint Detection and Response Silencer, the tool was designed to interfere with, or disable, EDR solutions that are meant to monitor and detect suspicious activity on endpoints, such as computers or devices within a network. By neutralizing EDR defenses, attackers can carry out their malicious activities, such as data theft or system exploitation, without being detected.
Significant shift in tactics
Trend Micro said that crooks managed, with the help of EDRSilencer, to render EDR tools ineffective and stop them from sending telemetry, alerts, or other data, to their management controls. “The emergence of EDRSilencer as a means of evading endpoint detection and response systems marks a significant shift in the tactics employed by threat actors,” the researchers concluded.
According to BleepingComputer, EDRSilencer is an open-source tool inspired by MdSec NightHawk FireBlock. This is a proprietary penetration testing tool that detects running EDR processes and uses the Windows Filtering Platform (WFP) to monitor, block, or modify network traffic on IPv4 and IPv6 communication protocol.
EDRSilencer is capable of detecting and blocking 16 EDR tools, including Microsoft Defender, FortiEDR, SentinelOne, and many others.
This is not the first time legitimate pentesting tools are being used for nefarious purposes. Perhaps the best example of such practice is Cobalt Strike, a tool that is now generally considered malware, despite its original design being considered benign.
Via BleepingComputer