Another Devious Antivirus Killer Tool Has Been Found - So Make Sure You're Protected

Security researchers at Trend Micro have uncovered a custom variant of the open-source tool RealBlindingEDR, which hackers have been using to disable antivirus software on compromised devices. This malicious tool ships with a hardcoded list of antivirus company names, allowing it to target specific security solutions and render them ineffective.

When deployed on a device, the RealBlindingEDR tool scans driver metadata for these antivirus company names and disables kernel-level hooks/callbacks if found. This effectively "blinds" detection engines, making it challenging for antivirus software to detect and block malicious activity. The researchers also discovered that hackers can silently uninstall antivirus programs altogether, creating an opening for the deployment of stage-two malware.

The custom tool was used by a hacking collective called Crypto24, a nascent ransomware group first spotted in September 2024. While the identity of Crypto24 remains unknown, researchers believe the group consists of former members from other defunct hacking collectives due to their high level of skill and experience.

Once initial access is gained, persistence established, and antivirus roadblocks removed, Crypto24 typically deploys two pieces of malware: a keylogger and an encryptor. All stolen secrets are then exfiltrated to Google Drive using a custom tool. The group has successfully targeted numerous large organizations in the United States, Europe, and Asia, primarily in the finance, manufacturing, tech, and entertainment sectors.

Protecting against such attacks is crucial, and several measures help prevent antivirus protection from being disabled. Companies can adopt a layered defense strategy: a reputable antivirus with tamper protection, real-time protection and firewalls enabled, and a separate anti-malware tool that works alongside the AV.

By implementing these security measures, individuals and organizations can significantly reduce the risk of falling prey to such sophisticated attacks. It is essential to stay vigilant and up-to-date with the latest security threats and best practices to ensure protection against emerging malware and cyber threats.

Stay Protected: Essential Security Measures

Layered Defense Strategy: Implement a multi-layered defense approach by combining antivirus software with other security tools, such as firewalls and intrusion detection systems.

Tamper Protection: Choose an antivirus solution with built-in tamper protection to prevent hackers from modifying or disabling the software.

Real-Time Protection: Enable real-time protection on all devices to detect and block malicious activity as soon as it occurs.

Firewalls: Configure firewalls to restrict incoming and outgoing network traffic, making it more difficult for hackers to establish a connection with compromised systems.

Anti-Malware Tools: Use separate anti-malware tools that can work alongside antivirus software to provide additional protection against emerging threats.
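As an added example (not from the article or from Trend Micro), here is a defender-side PowerShell posture check for a host running Microsoft Defender: it verifies that the controls listed above are still in place and surfaces recent Defender events showing protection being switched off or reconfigured. It assumes the built-in Defender and NetSecurity modules are available and that it is run from an elevated prompt.

```powershell
# Added example: verify the listed controls are still enabled on a Windows host.
# Assumes Microsoft Defender, the Defender and NetSecurity modules, elevated prompt.

function Test-AvPosture {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Is the antivirus engine service still present and running? A tool that
    #    silently uninstalls the AV leaves this service missing or stopped.
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        $findings.Add('WinDefend service missing or not running')
    }

    # 2. Tamper protection, real-time protection and behavior monitoring,
    #    as reported by the engine itself. If the engine is gone, this throws.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        if (-not $mp.IsTamperProtected)         { $findings.Add('Tamper protection is OFF') }
        if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is OFF') }
        if (-not $mp.BehaviorMonitorEnabled)    { $findings.Add('Behavior monitoring is OFF') }
    } catch {
        $findings.Add("Defender status unavailable: $($_.Exception.Message)")
    }

    # 3. Host firewall profiles (Domain, Private, Public) should all be enabled.
    Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object {
        $findings.Add("Firewall profile '$($_.Name)' is disabled")
    }

    # 4. Defender operational events from the last 7 days that indicate protection
    #    was turned off (5001 = real-time protection disabled) or the platform
    #    configuration changed (5007).
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5007
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $first = ($e.Message -split "`n")[0]
        $findings.Add("Defender event $($e.Id) at $($e.TimeCreated): $first")
    }

    return $findings
}

$result = Test-AvPosture
if ($result.Count -eq 0) { 'No protection gaps found' } else { $result }
```

Any finding from sections 1 or 2 on a host that was previously healthy is worth treating as a possible tampering incident rather than a misconfiguration.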

By following these essential security measures, individuals and organizations can significantly reduce the risk of falling prey to sophisticated attacks like those carried out by Crypto24. Stay informed about the latest security threats and best practices to ensure ongoing protection against emerging malware and cyber threats.