Conclusion

In our ongoing efforts to monitor and mitigate emerging threats, we have observed based on our internal telemetry that certain threat actors are attempting to leverage EDRSilencer as part of their attack strategies. This highlights the ongoing trend of threat actors seeking more effective tools for their attacks, especially those designed to disable antivirus and EDR solutions.

The emergence of EDRSilencer as a means of evading endpoint detection and response systems marks a significant shift in the tactics employed by threat actors. By disabling critical security communications, it enhances the stealth of malicious activities, increasing the potential for successful ransomware attacks and operational disruptions. This is indicative of an evolving threat landscape that necessitates a proactive and adaptive security posture, combining multi-layered defenses and continuous monitoring to mitigate risks. Organizations must remain vigilant, employing advanced detection mechanisms and threat hunting strategies to counteract these sophisticated tools and protect their digital assets. As threat actors continue to innovate, Trend Micro persists in its commitment to enhancing security measures and sharing insights to safeguard against future attacks.

Security recommendations

Trend Micro products already detect this tool as malware. As an additional layer of protection, Behavior Monitoring (AEGIS) also flags this malware’s behavior and prevents its execution for Trend Micro products that have this advanced detection feature enabled.

We have also developed a suite of proactive detection strategies and solutions that security practitioners can apply to identify and neutralize this threat before it can be fully deployed and exploited by threat actors:

  • Implementing multi-layered security controls
    • Network segmentation – Isolate critical systems and sensitive data to limit lateral movement
    • Defense-in-depth – Use multiple layers of security controls (including firewalls, intrusion detection systems, antivirus, and EDR) to create redundancy.
  • Enhancing endpoint security
    • Behavioral analysis – Deploy security solutions that use behavioral analysis and anomaly detection to identify unusual activities that might bypass traditional EDR
    • Application whitelisting – Only allow approved applications to run, reducing the risk of malicious software execution.
  • Conducting continuous monitoring and threat hunting
    • Threat hunting – Proactively search for indicators of compromise (IoCs) and advanced persistent threats (APTs) within your network.
  • Implementing strong access controls
    • Principle of least privilege – Ensure users and applications have the minimum level of access necessary to perform their functions.

Trend Micro Vision One Threat Intelligence 

To stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat Insights within Trend Micro Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and be better prepared for emerging threats. It offers comprehensive information on threat actors, their malicious activities, and the techniques they use. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and respond effectively to threats.

Trend Micro Vision One Intelligence Reports App [IOC Sweeping]

EDRSilencer Compromising Endpoint Security Monitoring

Trend Micro Vision One Threat Insights App

Emerging Threats:EDRSilencer Compromising Endpoint Security Monitoring

Hunting Queries

Trend Micro Vision One Search App

Trend Micro Vision Once Customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.   

Detecting potential incidents involving EDRSilencer

malName:*Win64.EDRSilencer* AND eventName:MALWARE_DETECTION

More hunting queries are available for Vision One customers with Threat Insights Entitlement enabled.

Leave a Reply

Your email address will not be published. Required fields are marked *