The Gentlemen RaaS Uses GentleKiller EDR Framework Targeting 400 Security Processes Malware
Key Facts
- It allows The Gentlemen operators to integrate abused drivers into their toolset very soon after an EDR killer PoC is disclosed." The third-party, BYOVD-based EDR killers employed by the group are below - - HexKiller ("googleApiUtil64.sys"), a tool previously assumed to be exclusive to the Warlock ransomware gang - ThrottleBlood ("ThrottleBlood.sys"), a tool observed in attacks mounted by MedusaLocker and DragonForce affiliates - HavocKiller or HwAudKiller ("havoc.sys") ESET said it also detected a Rust-based credential stealer codenamed OxideHarvest (aka buildx641) that's capable of harvesting data from popular web browsers, including Google Chrome, Microsoft Edge, Torch, Comodo, Epic Privacy Browser, Vivaldi, Brave, Opera, OperaGX, Mozilla Firefox, Waterfox, BlackHawk, and IceCat.
- "These tools are standardized through a shared defense-evasion layer, impersonating predominantly security vendors using fake version information, and copied legitimate certificates and icons." The Slovakian cybersecurity company also called out the ransomware crew for its ability to "unusually quickly operationalize" newly disclosed proof-of-concept (PoC) exploits related to an attack technique called the bring your own vulnerable driver (BYOVD) technique, in many cases within days of their public release.
- The list of drivers exploited by each of the variants is as follows - - Kaspersky ("eb.sys") - FACEIT Anti-Cheat ("nseckrnl.sys") - Valorant ("GameDriverX64.sys") - Javelin ("stpm_old.sys" or "stpm_new.sys") - WatchDog ("dmx.sys") - Network Blocker ("360netmon_wfp.sys") - Cleaner ("IMFForceDelete.sys") - G11 ("PoisonX.sys") It's worth noting that the abuse of "PoisonX.sys" has been recorded in recent months in connection with various BYOVD attacks, one of which was used to kill CrowdStrike Falcon EDR.
- "If a target system trusts the affected vendor's certificate, an attacker [with administrative privileges or physical access] can exploit these applications to execute arbitrary code during the early pre-boot phase before the operating system initializes," CERT/CC said.
- "To mitigate this risk, system administrators should apply updates to the UEFI Forbidden Signature Database (DBX) that revoke trust in the affected vendor-signed binaries, preventing these vulnerable applications from executing during the boot process."
- "They also incorporate third-party or leaked tools such as HexKiller, ThrottleBlood, and HavocKiller," ESET security researcher Jakub Souček said in a report shared with The Hacker News.
- ESET researcher Martin Smolár has been credited with researching and reporting the vulnerability.
- A second campaign, detailed by Huntress, involved an intrusion in which unknown threat actors leveraged BeyondTrust Remote Support to successfully deploy ransomware on the network, but not before terminating security tooling via "PoisonX.sys" and "hrwfpdrv.sys." "When abstracting away the impersonation layer and the specific drivers used, the underlying code reveals numerous structural and behavioral commonalities that strongly suggest the use of a shared development template," Souček said.
- "While most ransomware gangs continue to delegate EDR killing to affiliates, Gentlemen has chosen to centralize this function by offering affiliates a ready-to-use, standardized EDR-killer suite," ESET said.
- "This decision makes Gentlemen an attractive operator for affiliates as it materially lowers the entry barrier for them, making their job consequently easier." The disclosure comes as the CERT Coordination Center (CERT/CC) issued an advisory about multiple vendor-signed UEFI applications being vulnerable to Secure Boot bypass via a BYOVD attack.
It allows The Gentlemen operators to integrate abused drivers into their toolset very soon after an EDR killer PoC is disclosed.” The third-party, BYOVD-based EDR killers employed by the group are below - - HexKiller (“googleApiUtil64.sys”), a tool previously assumed to be exclusive to the Warlock ransomware gang - ThrottleBlood (“ThrottleBlood.sys”), a tool observed in attacks mounted by MedusaLocker and DragonForce affiliates - HavocKiller or HwAudKiller (“havoc.sys”) ESET said it also detected a Rust-based credential stealer codenamed OxideHarvest (aka buildx641) that’s capable of harvesting data from popular web browsers, including Google Chrome, Microsoft Edge, Torch, Comodo, Epic Privacy Browser, Vivaldi, Brave, Opera, OperaGX, Mozilla Firefox, Waterfox, BlackHawk, and IceCat. “These tools are standardized through a shared defense-evasion layer, impersonating predominantly security vendors using fake version information, and copied legitimate certificates and icons.” The Slovakian cybersecurity company also called out the ransomware crew for its ability to “unusually quickly operationalize” newly disclosed proof-of-concept (PoC) exploits related to an attack technique called the bring your own vulnerable driver (BYOVD) technique, in many cases within days of their public release.
The Campaign
The list of drivers exploited by each of the variants is as follows - - Kaspersky (“eb.sys”) - FACEIT Anti-Cheat (“nseckrnl.sys”) - Valorant (“GameDriverX64.sys”) - Javelin (“stpm_old.sys” or “stpm_new.sys”) - WatchDog (“dmx.sys”) - Network Blocker (“360netmon_wfp.sys”) - Cleaner (“IMFForceDelete.sys”) - G11 (“PoisonX.sys”) It’s worth noting that the abuse of “PoisonX.sys” has been recorded in recent months in connection with various BYOVD attacks, one of which was used to kill CrowdStrike Falcon EDR.
Further details indicate that “If a target system trusts the affected vendor’s certificate, an attacker [with administrative privileges or physical access] can exploit these applications to execute arbitrary code during the early pre-boot phase before the operating system initializes,” CERT/CC said.
“To mitigate this risk, system administrators should apply updates to the UEFI Forbidden Signature Database (DBX) that revoke trust in the affected vendor-signed binaries, preventing these vulnerable applications from executing during the boot process.”
“They also incorporate third-party or leaked tools such as HexKiller, ThrottleBlood, and HavocKiller,” ESET security researcher Jakub Souček said in a report shared with The Hacker News.
“They also incorporate third-party or leaked tools such as HexKiller, ThrottleBlood, and HavocKiller,”, Spokesperson
Impact
& Targeting
The most prevalent of them is GentleKiller, which comes in eight different variants, each mimicking a different legitimate product and abusing a different vulnerable or malicious driver as part of the BYOVD attack. The impacted applications are from Acer, AMD, ASUS, ECS, Getac, GIGABYTE, Toshiba, and Uniwill. “If a target system trusts the affected vendor’s certificate, an attacker [with administrative privileges or physical access] can exploit these applications to execute arbitrary code during the early pre-boot phase before the operating system initializes,” CERT/CC said.
Analysis
Organizations should review their exposure and apply available mitigations promptly.
Defenders should immediately review endpoint detection and response telemetry for any signs of the described malware family or associated behaviors. Network traffic analysis can reveal command-and-control communications, data exfiltration patterns, or lateral movement that might otherwise go unnoticed. Organizations are advised to update their threat intelligence feeds and ensure that endpoint protection platforms, email gateways, and intrusion prevention systems have the latest detection signatures. Incident response playbooks should be reviewed to confirm they cover malware of this type, including isolation procedures, forensic collection steps, and communication protocols. Security awareness training may also need refreshes if the malware leverages social engineering as an initial access vector.
SecurityXP delivers daily cybersecurity news, vulnerability analysis, data breach reports, and threat intelligence.
Security Digest
Get the latest cybersecurity news, vulnerability alerts, and threat intelligence delivered to your inbox.
Related Articles
GentleKiller Ransomware Abuses Vulnerable Drivers to Disable 400+ EDR Security Processes Malware
This rapid adoption distinguishes Gentlemen from most other RaaS operators, who typically wait weeks or months before adapting publicly released exploits...
Malware & RansomwareVirus vs Worm: Why the Propagation Difference Actually Matters Malware
But no detection tool replaces patching: the vulnerability that WannaCry used had a patch available for eight weeks before the attack. In 1988, the Morris...
Malware & RansomwarePortugal Q3 2021 Threat Report: Key Malware Stats
Segurança-Informática developed and maintains the Portuguese Abuse Open Feed 0xSI f33d, an open sharing database with the potential to collect indicators from numerous sources. This feed is provide...
Application SecurityOn-Premises API Security on Kubernetes: What It Actually Looks Like in Practice App Security
PCI DSS 4.0.1 now requires continuous API security testing and maintained API inventories. (These PCI DSS 4.0.1 requirements became mandatory on March 31...