The Qilin ransomware group has emerged with a complex infection strategy that leverages a malicious msimg32.dll to neutralize the protection of over 300 endpoint detection and response (EDR) drivers from leading cybersecurity vendors.
As reliance on EDR solutions grows, these systems offer enhanced behavioral insights compared to traditional antivirus software. Cybercriminals have responded by integrating EDR-disabling techniques into their attack plans, allowing them to deploy ransomware without detection.
Known under aliases such as Agenda, Gold Feather, and Water Galura, Qilin has reported over 40 victims monthly, placing it among the most active ransomware-as-a-service (RaaS) entities currently operating.
DLL Sideloading: A Stealthy Approach
Researchers from Cisco Talos have identified that Qilin initiates its attack through DLL sideloading. A trusted application, like FoxitPDFReader.exe, loads the rogue msimg32.dll instead of the legitimate Windows library.
This fraudulent DLL mimics normal operations by redirecting expected API calls to the legitimate msimg32.dll, while executing its harmful code from the DllMain function. The embedded encrypted payload, an EDR killer, undergoes three loading stages, executing entirely in memory to avoid leaving traces on disk.
Advanced Evasion Techniques
The loader incorporates several sophisticated evasion methods to bypass EDR detection. It uses Structured Exception Handling (SEH) and Vectored Exception Handling (VEH) to disguise API call patterns and covertly transition execution phases.
Additionally, the loader suppresses Event Tracing for Windows (ETW), depriving defenders of vital telemetry data. It bypasses hooked APIs using clean syscall stubs from ntdll.dll, without altering the hooked code, and manipulates kernel objects to redirect exception handling.
Anti-debugging checks further enhance the malware's stealth: the loader looks for breakpoints set on KiUserExceptionDispatcher and deliberately crashes the process if it finds one. Geo-fencing is also employed, halting the attack if the system locale matches specific post-Soviet regions.
Deploying the EDR Killer
Upon delivery, the EDR killer payload loads two kernel helper drivers. The first, rwdrv.sys, a renamed TechPowerUp LLC driver, facilitates direct kernel manipulation by exploiting its IOCTLs for memory and configuration access.
The second, hlpdrv.sys, targets protected EDR processes and terminates them via specific IOCTL codes, bypassing the Windows protections that would normally shield them. This capability stems from the driver's ability to write to physical memory, which lets the malware unregister EDR monitoring callbacks at the kernel level.
By temporarily altering the CiValidateImageHeader callback, the malware disables Code Integrity checks during its operation, restoring the callback post-attack to minimize forensic evidence.
Cisco Talos emphasizes that while these methods are not entirely new, they are effective against inadequately configured defense systems. Organizations must remain vigilant for signs of DLL sideloading, unexpected driver deployments, and unauthorized physical memory access from user-mode applications.
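The three indicators Talos points to can be checked against Sysmon-style image-load (Event ID 7) and driver-load (Event ID 6) telemetry. The following triage script is an added defender-side example, not code from the report; the event records, field names and paths are constructed for illustration, and the driver names are the ones the report mentions.

```python
"""Triage Sysmon-style events for the Qilin EDR-killer tradecraft described above:
msimg32.dll sideloaded from a non-system directory (Event ID 7) and the rwdrv.sys /
hlpdrv.sys helper drivers or any driver loaded from an unusual path (Event ID 6).
Field names follow Sysmon's Image / ImageLoaded convention; events are constructed."""
from pathlib import PureWindowsPath

SYSTEM_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
DRIVER_DIR = r"c:\windows\system32\drivers"
KNOWN_HELPER_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}  # names from the Talos report


def _split(path: str) -> tuple[str, str]:
    """Return (lower-cased parent directory, lower-cased file name) of a Windows path."""
    p = PureWindowsPath(path)
    return str(p.parent).lower(), p.name.lower()


def triage_event(ev: dict) -> list[str]:
    """Return findings for one event; an empty list means nothing looked suspicious."""
    findings = []
    if ev["EventID"] == 7:  # image (DLL) loaded into a process
        parent, name = _split(ev["ImageLoaded"])
        if name == "msimg32.dll" and parent not in SYSTEM_DLL_DIRS:
            findings.append(f"sideload: {ev['Image']} loaded msimg32.dll from {parent}")
    elif ev["EventID"] == 6:  # kernel driver loaded
        parent, name = _split(ev["ImageLoaded"])
        if name in KNOWN_HELPER_DRIVERS:
            findings.append(f"known EDR-killer helper driver: {name} from {parent}")
        elif parent != DRIVER_DIR:
            findings.append(f"driver loaded outside the drivers directory: {name} from {parent}")
    return findings


def triage(events: list[dict]) -> list[str]:
    """Run triage_event over a batch of events and flatten the findings."""
    return [f for ev in events for f in triage_event(ev)]


# Constructed sample telemetry: two benign records and three that should fire.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\FoxitPDFReader.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\msimg32.dll"},          # sideload
    {"EventID": 7, "Image": r"C:\Program Files\Foxit\FoxitPDFReader.exe",
     "ImageLoaded": r"C:\Windows\System32\msimg32.dll"},                # benign
    {"EventID": 6, "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\rwdrv.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\hlpdrv.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"},  # benign
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

In production the same rules would also want the signer of each loaded driver, since rwdrv.sys is a renamed vendor driver whose signature will not match its file name.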