In a technical analysis by Aryaka, researchers found that a Russian-speaking threat actor targeted human resources departments for more than a year with malware that delivers a new EDR killer named BlackSanta.
KEY FACTS
- Incident: campaign ran for more than a year against HR departments
- Malware: BlackSanta EDR killer delivered via ISO image with PowerShell and DLL sideloading
- Capabilities: terminates security processes and adds Defender exclusions
- Drivers: operation used RogueKiller and IObitUnlocker drivers for kernel access
The attack chain appears to use spear phishing to direct targets to download ISO images hosted on cloud storage. One analyzed ISO contained a Windows shortcut disguised as a PDF, a PowerShell script, an image with hidden data, and an .ICO file. The shortcut launches PowerShell, which extracts the code hidden in the image and executes it in memory.
The payload downloads a ZIP archive that includes a legitimate SumatraPDF executable and a malicious DWrite.dll; SumatraPDF sideloads the malicious DLL. The malware performs system fingerprinting, runs extensive environment checks to avoid sandboxes and debuggers, modifies Windows Defender settings, runs disk write tests, and executes additional payloads via process hollowing inside legitimate processes.
A delivered component named BlackSanta adds Defender exclusions for .dll and .sys files, changes a registry value to reduce telemetry and automatic sample submission, and suppresses Windows notifications. Its core function is to terminate security processes: it enumerates running processes, compares their names against a large hardcoded list, retrieves the matching process IDs, and uses the loaded drivers to unlock and terminate those processes at the kernel level.
Bring Your Own Vulnerable Driver (BYOVD) components observed include the RogueKiller Antirootkit driver v3.1.0 and IObitUnlocker.sys v1.2.0.1, used to gain elevated privileges and bypass file and process locks. The command and control server was unavailable during examination, so the final payload could not be retrieved. Multiple IP addresses and additional infrastructure indicate the operation ran unnoticed for over a year.
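As an added illustration (not code from the Aryaka analysis), the following Python sketch shows how the behaviours described above could be correlated in Sysmon-style telemetry: the DWrite.dll sideload beside SumatraPDF, the Defender exclusion and telemetry registry writes, and the driver load. The event records are constructed, and the on-disk driver names, the Spynet registry values and the Sysmon event IDs are assumptions about how these actions would surface, not details taken from the report.

```python
import re

# Constructed Sysmon-style events (not from the Aryaka report); field names follow Sysmon's schema.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\hr\AppData\Local\Temp\Resume\SumatraPDF.exe",
     "ImageLoaded": r"C:\Users\hr\AppData\Local\Temp\Resume\DWrite.dll"},
    {"EventID": 13, "Image": r"C:\Users\hr\AppData\Local\Temp\Resume\SumatraPDF.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\.dll"},
    {"EventID": 13, "Image": r"C:\Users\hr\AppData\Local\Temp\Resume\SumatraPDF.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\hr\AppData\Local\Temp\Resume\IObitUnlocker.sys"},
    # Benign control: the real DWrite.dll loaded from System32 must not fire.
    {"EventID": 7, "Image": r"C:\Program Files\SumatraPDF\SumatraPDF.exe",
     "ImageLoaded": r"C:\Windows\System32\DWrite.dll"},
]

# Driver names from the report; on-disk file names are an assumption, so match loosely and case-insensitively.
BYOVD_DRIVERS = ("iobitunlocker.sys", "roguekiller")
# Registry paths where Defender extension exclusions and telemetry/sample-submission settings live.
DEFENDER_EXCL = re.compile(r"\\windows defender\\exclusions\\extensions\\\.(dll|sys)$", re.I)
DEFENDER_TELEMETRY = re.compile(r"\\windows defender\\spynet\\(spynetreporting|submitsamplesconsent)$", re.I)


def classify(ev):
    """Return a detection label for one event, or None if it matches nothing."""
    eid = ev.get("EventID")
    if eid == 7:  # image (DLL) load: DWrite.dll resolved outside the Windows directory = sideload
        loaded = ev.get("ImageLoaded", "").lower()
        if loaded.endswith("\\dwrite.dll") and not loaded.startswith("c:\\windows\\"):
            return "dll_sideload_dwrite"
    elif eid == 6:  # driver load
        name = ev.get("ImageLoaded", "").rsplit("\\", 1)[-1].lower()
        if any(tag in name for tag in BYOVD_DRIVERS):
            return "byovd_driver_load"
    elif eid == 13:  # registry value set
        target = ev.get("TargetObject", "")
        if DEFENDER_EXCL.search(target):
            return "defender_exclusion_added"
        if DEFENDER_TELEMETRY.search(target):
            return "defender_telemetry_tampered"
    return None


def detect_chain(events):
    """Return the set of labels seen and whether the sideload + exclusion + driver chain is complete."""
    hits = {label for label in map(classify, events) if label}
    chain = {"dll_sideload_dwrite", "byovd_driver_load", "defender_exclusion_added"} <= hits
    return hits, chain


if __name__ == "__main__":
    hits, chain = detect_chain(SAMPLE_EVENTS)
    print(sorted(hits), "full chain" if chain else "partial")
```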
WHY IT MATTERS
BlackSanta's ability to disable endpoint protections and use kernel-level drivers increases the risk that HR systems will be compromised and sensitive personnel data exposed.