Current Cyber Threats

New 'BlackSanta' EDR Killer Spotted Targeting HR Departments

Summary:
Aryaka Threat Research has uncovered a sophisticated, year-long malware campaign operated by a Russian-speaking threat actor specifically targeting HR and recruitment personnel. The attack begins with a social engineering lure, typically a spear-phishing email containing links to download resume-themed ISO files, such as "Celine_Pesant.iso," from cloud storage services like Dropbox. Once the user mounts the ISO and executes a malicious Windows shortcut (.lnk) disguised as a PDF, a multi-stage infection chain is initiated. This chain utilizes LSB steganography to extract a PowerShell loader from an image file (image1.png) and employs DLL side-loading by using a legitimate SumatraPDF executable to load a tampered "DWrite.dll".

A central component of this campaign is "BlackSanta," a specialized EDR-killer module designed to programmatically neutralize antivirus and EDR protections. BlackSanta achieves this by performing a "Bring Your Own Vulnerable Driver" (BYOVD) attack, loading clean but exploitable kernel-mode drivers like RogueKiller Antirootkit and IObitUnlocker.sys to gain elevated system privileges. Before full execution, the malware conducts extensive environment fingerprinting—checking for hostnames, usernames, debuggers, and virtualization artifacts—and will immediately terminate if it detects a sandbox or a Russian/CIS-based locale. Once the defensive perimeter is silenced, the actor deploys additional payloads, such as information stealers targeting cryptocurrency wallets, via process hollowing to ensure persistence and stealthy data exfiltration.
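The two techniques the summary names, DLL side-loading of "DWrite.dll" into a legitimate SumatraPDF process and BYOVD loading of third-party kernel drivers, both leave traces in Sysmon image-load and driver-load events. The following hunting script is an added example written for this bulletin; it is not Aryaka's code or an artifact from the campaign. It assumes Sysmon is installed with Event ID 6 (driver loaded) and Event ID 7 (image loaded) enabled and that the session is elevated; the seven-day window and the "outside the Windows directory" rule are this example's own choices, and "DWrite.dll" is the only indicator taken from the summary.

```powershell
# Added hunting example (not from the bulletin or Aryaka). Requires Sysmon with
# Event ID 6 and 7 logging enabled and an elevated PowerShell session.
$since = (Get-Date).AddDays(-7)                       # assumption: 7-day look-back
$log   = 'Microsoft-Windows-Sysmon/Operational'

# Turn a Sysmon event's <EventData> into a hashtable of field name -> value.
function ConvertFrom-SysmonEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml    = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# Side-loading check (Event ID 7): the legitimate DWrite.dll lives under the
# Windows directory. A copy loaded from anywhere else (a mounted ISO, a user
# profile, a temp folder) is the pattern described in the summary.
$windir = $env:SystemRoot
$loads  = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 7; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $loads) {
    $f = ConvertFrom-SysmonEvent $e
    if ($f.ImageLoaded -match '\\DWrite\.dll$' -and $f.ImageLoaded -notlike "$windir\*") {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Finding     = 'DWrite.dll loaded from outside the Windows directory'
            Process     = $f.Image
            ImageLoaded = $f.ImageLoaded
            Signed      = $f.Signed
            Signer      = $f.Signature
        }
    }
}

# BYOVD check (Event ID 6): list kernel drivers loaded in the window whose
# signer is not Microsoft. Legitimate third-party drivers will appear here too;
# the value is in reviewing anything new against the endpoint's baseline.
$drv = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 6; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $drv) {
    $f = ConvertFrom-SysmonEvent $e
    if ($f.Signature -notmatch '^Microsoft') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Finding     = 'Non-Microsoft kernel driver loaded'
            Process     = $null
            ImageLoaded = $f.ImageLoaded
            Signed      = $f.Signed
            Signer      = $f.Signature
        }
    }
}
```

Run it on a host that already forwards Sysmon to the SIEM and the same two conditions translate directly into detection rules: an image-load event for DWrite.dll whose path does not start with the Windows directory, and a driver-load event whose signer field is not Microsoft and whose hash is not in the approved-driver baseline.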


Security Officer Comments:
The BlackSanta campaign highlights a critical vulnerability in "trusted" business processes. HR departments are a natural entry point because their daily operations require opening unsolicited attachments from external sources—a behavior usually flagged as high-risk for other departments. This threat is particularly potent because it does not just attempt to bypass security; it actively dismantles it. By using BYOVD tactics, the actor gains kernel-level privileges to terminate protected processes, effectively "clearing the runway" for the final payload.


Once BlackSanta terminates an EDR agent, the security operations center (SOC) loses all visibility into that endpoint, potentially allowing the actor to harvest credentials or exfiltrate data undetected for extended periods. The actor's use of geographic checks to avoid Russian and CIS-based systems further confirms their targeted operational security and intent to avoid local scrutiny. This campaign proves that an active EDR is not a guarantee of safety if the underlying system allows for administrative-level driver manipulation.


Suggested Corrections:


To defend against the BlackSanta campaign and similar defense-neutralization threats, organizations should implement a defense-in-depth strategy focused on endpoint hardening and behavioral monitoring:
  • Restrict Driver Loading: Enable Hypervisor-Enforced Code Integrity (HVCI) and Microsoft's Vulnerable Driver Blocklist to prevent the loading of known exploitable drivers used in BYOVD attacks.
  • Harden HR Workflows: Implement strict policies regarding container files; consider blocking or automatically sandboxing ISO and VHD files received via email or cloud storage links.
  • Monitor Agent Health: Configure SIEM alerts for "Heartbeat Failure" or unexpected termination of security services, as BlackSanta specifically targets these for termination.
  • Privilege Management: Enforce the principle of least privilege to ensure that HR personnel do not have the administrative rights required to load kernel drivers or modify sensitive registry keys like those for Windows Defender.
  • Network-Level Defense: Use Secure Web Gateways (SWG) to block communication with known malicious domains.
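The first four corrections above can be verified on an endpoint without changing anything. The audit script below is an added example written for this bulletin, not code from Aryaka or any vendor; it reads the documented HVCI and vulnerable-driver-blocklist settings, checks Microsoft Defender's tamper and real-time protection, and looks for the "Heartbeat Failure" condition in its simplest form: a security service that is not running, or that the Service Control Manager has logged as stopped. It assumes an elevated session on Windows 10/11 with the Defender PowerShell module present; the service list (WinDefend and Sense) is an assumption, and a third-party EDR agent's service name should be substituted.

```powershell
# Added audit example (not from the bulletin or Aryaka): read-only checks of the
# recommended controls. Run elevated on Windows 10/11 with the Defender module.
$edrServices = @('WinDefend', 'Sense')   # assumption: Defender AV and MDE sensor; add your EDR's service name
$results     = [System.Collections.Generic.List[object]]::new()

function Add-Check($Name, $Pass, $Detail) {
    $results.Add([pscustomobject]@{
        Check  = $Name
        Status = $(if ($Pass) { 'PASS' } else { 'FAIL' })
        Detail = $Detail
    })
}

# 1. HVCI: Win32_DeviceGuard lists 2 in SecurityServicesRunning when
#    hypervisor-enforced code integrity is actually running (not just configured).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
Add-Check 'HVCI running' ($dg.SecurityServicesRunning -contains 2) `
          ('SecurityServicesRunning=' + ($dg.SecurityServicesRunning -join ','))

# 2. Microsoft Vulnerable Driver Blocklist: documented registry switch.
$ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
Add-Check 'Vulnerable driver blocklist' ($ci.VulnerableDriverBlocklistEnable -eq 1) `
          ('VulnerableDriverBlocklistEnable=' + $ci.VulnerableDriverBlocklistEnable)

# 3. Defender self-protection: tamper protection blocks the registry and service
#    changes that an EDR killer needs; real-time protection should still be on.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
Add-Check 'Tamper protection'   ($mp.IsTamperProtected -eq $true)         ('IsTamperProtected=' + $mp.IsTamperProtected)
Add-Check 'Real-time protection' ($mp.RealTimeProtectionEnabled -eq $true) ('RealTimeProtectionEnabled=' + $mp.RealTimeProtectionEnabled)

# 4. Agent health: every security service should be installed and running.
$displayNames = @()
foreach ($name in $edrServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) { $displayNames += [regex]::Escape($svc.DisplayName) }
    Add-Check "Service $name running" ($svc -and $svc.Status -eq 'Running') `
              $(if ($svc) { "Status=$($svc.Status)" } else { 'not installed' })
}

# 5. Unexpected stops: the Service Control Manager writes System event 7036 on
#    every state change, naming the service by display name. A "stopped"
#    transition for a security service in the last 7 days is the SIEM alert
#    the bulletin recommends, reproduced locally.
$stops = @()
if ($displayNames.Count -gt 0) {
    $pattern = $displayNames -join '|'
    $stops = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager';
                                                Id = 7036; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match 'stopped' -and $_.Message -match $pattern })
}
Add-Check 'No security service stop events (7d)' ($stops.Count -eq 0) ("$($stops.Count) stop event(s)")

$results | Format-Table -AutoSize
```

A FAIL on the first two checks means the BYOVD step described in the summary would succeed against this host even with an agent installed; a FAIL on tamper protection or a non-zero stop count is the condition under which the SOC has already lost visibility and should be treated as an incident, not a configuration finding.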

Link(s):
https://www.bleepingcomputer.com/ne...-edr-killer-spotted-targeting-hr-departments/