Qilin EDR Killer Infection Chain
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
The report covers a multi-stage loader delivered as a trojanized msimg32.dll that can disable or remove more than 300 endpoint detection and response (EDR) products. The loader combines SEH/VEH abuse, kernel-driver techniques and hardware breakpoints to evade user-mode hooks and kill security processes. The activity is linked to the Qilin ransomware ecosystem and ships with a custom driver derived from ThrottleStop tooling. The end result is a dedicated EDR-killer payload that terminates security services and keeps the attacker in control by restoring or neutralizing code-integrity callback logic.
Investigation
Researchers reverse-engineered the malicious DLL, its PE loader, and two helper drivers, rwdrv.sys and hlpdrv.sys. The analysis details how the loader builds a syscall slot-policy table, tampers with the exception dispatcher, and hooks the Import Address Table (IAT) to redirect execution; it then uses vectored exception handling to stage and launch a shell32-based payload. The driver layer exposes raw physical memory access and is used to remove or disable EDR-related kernel callbacks and to terminate protected processes through a custom IOCTL interface.
Mitigation
Use layered defenses and avoid dependence on a single EDR control. Monitor for abnormal driver-load activity, suspicious physical-memory IOCTL usage, and unexpected changes to kernel callback structures. Prevent DLL side-loading, in which attackers replace or shadow legitimate system libraries, and add coverage for hardware-breakpoint style evasion. Keep network and endpoint signatures current, including rulesets for tools such as ClamAV and Snort.
Response
If the chain is detected, isolate the endpoint, stop the malicious process, and unload any suspicious drivers. Capture a full memory image for forensics, check explicitly for rwdrv.sys and hlpdrv.sys, and validate the integrity of kernel callbacks and related security telemetry. Deploy updated detections for the msimg32.dll filename, driver-load events, and the IOCTL 0x2222008 pattern. Complete a system-integrity review and rebuild from known-good backups if trust in the host cannot be re-established.
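As an added example, not part of the original report or of its detection rules, the following PowerShell hunt implements the driver-load, side-load and persistence checks described above against a host's own event logs. It assumes Sysmon is installed with DriverLoad (Event ID 6) and ImageLoad (Event ID 7) logging enabled and that the script runs elevated. The file names rwdrv.sys, hlpdrv.sys and msimg32.dll come from the report; the lookback window, the System 7045 service-install check, the AppInit_DLLs registry check and the output layout are this example's own choices. The IOCTL 0x2222008 pattern is not covered, because IOCTL calls are not recorded in the Windows event logs and need a kernel-level sensor.

```powershell
# Added hunting script (not from the original report). Assumes Sysmon with EID 6/7 enabled
# and an elevated session. Names come from the report; everything else is this script's choice.
param(
    [int]$LookbackHours = 24
)

$since       = (Get-Date).AddHours(-$LookbackHours)
$driverNames = @('rwdrv.sys', 'hlpdrv.sys')   # helper drivers named in the report
$systemDirs  = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

function Get-EventDataMap {
    # Flatten the <EventData> of a Sysmon/System event into a hashtable keyed by field name.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

# 1. Driver loads of the named helper drivers (Sysmon EID 6).
Write-Host "== Sysmon DriverLoad events for rwdrv.sys / hlpdrv.sys =="
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6; StartTime = $since } -ErrorAction SilentlyContinue |
  ForEach-Object {
    $d = Get-EventDataMap $_
    $leaf = [System.IO.Path]::GetFileName($d.ImageLoaded)
    if ($leaf -and ($driverNames -contains $leaf)) {   # -contains is case-insensitive
        [pscustomobject]@{ Time = $_.TimeCreated; Driver = $d.ImageLoaded; Signed = $d.Signed; Signature = $d.Signature; Hashes = $d.Hashes }
    }
  } | Format-Table -AutoSize

# 2. Kernel-mode service installs pointing at those drivers (System log EID 7045, Service Control Manager).
Write-Host "== Service installs (System 7045) referencing the helper drivers =="
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
  ForEach-Object {
    $d = Get-EventDataMap $_
    if ($driverNames | Where-Object { $d.ImagePath -match [regex]::Escape($_) }) {
        [pscustomobject]@{ Time = $_.TimeCreated; Service = $d.ServiceName; ImagePath = $d.ImagePath; Type = $d.ServiceType }
    }
  } | Format-Table -AutoSize

# 3. msimg32.dll loaded from anywhere other than the two system directories (Sysmon EID 7).
Write-Host "== msimg32.dll image loads from non-system paths =="
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7; StartTime = $since } -ErrorAction SilentlyContinue |
  ForEach-Object {
    $d = Get-EventDataMap $_
    $loaded = $d.ImageLoaded
    if ($loaded -and ([System.IO.Path]::GetFileName($loaded) -ieq 'msimg32.dll')) {
        $dir = [System.IO.Path]::GetDirectoryName($loaded)
        if (-not ($systemDirs | Where-Object { $dir -ieq $_ })) {
            [pscustomobject]@{ Time = $_.TimeCreated; Process = $d.Image; Dll = $loaded; Signed = $d.Signed; Hashes = $d.Hashes }
        }
    }
  } | Format-Table -AutoSize

# 4. AppInit_DLLs persistence (T1546.010 in the report's attack flow); both the native and WOW64 keys matter.
Write-Host "== AppInit_DLLs configuration =="
@(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
) | ForEach-Object {
    $p = Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue
    if ($p) { [pscustomobject]@{ Key = $_; LoadAppInit_DLLs = $p.LoadAppInit_DLLs; AppInit_DLLs = $p.AppInit_DLLs } }
} | Format-Table -AutoSize

# 5. Hash any on-disk msimg32.dll copies outside the system directories so they can be compared
#    against the report's IOC lists (the hash values themselves are not reproduced in this script).
Write-Host "== On-disk msimg32.dll copies outside System32/SysWOW64 =="
Get-ChildItem -Path "$env:SystemDrive\" -Filter msimg32.dll -Recurse -File -ErrorAction SilentlyContinue |
  Where-Object { $systemDirs -notcontains $_.DirectoryName } |
  ForEach-Object {
    [pscustomobject]@{
        Path   = $_.FullName
        SHA256 = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
        MD5    = (Get-FileHash -Algorithm MD5 -Path $_.FullName).Hash
    }
  } | Format-Table -AutoSize
```

Run it from an elevated prompt, for example `.\Hunt-QilinEdrKiller.ps1 -LookbackHours 72`, and compare the SHA256/MD5 values from step 5 with the IOC rule sets listed under Detections. Step 5 walks the whole system drive and is slow on large volumes; narrow `-Path` to user-writable locations if a quick triage is all that is needed. A non-empty result from steps 1 or 2 is a strong signal on its own; a result from step 3 still needs the hash comparison, because legitimate software occasionally ships a private copy of msimg32.dll.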
Attack Flow
graph TB
  %% Class definitions
  classDef technique fill:#ffcc99
  %% Node definitions
  tech_initial_appinit["<b>Technique</b> – <b>T1546.010 AppInit DLLs</b>: Side-load malicious msimg32.dll<br/><b>Description</b>: Use the AppInit_DLLs registry value to cause a malicious DLL to be loaded into every user-mode process that loads User32.dll."]
  class tech_initial_appinit technique
  tech_obfuscation["<b>Technique</b> – <b>T1027 Obfuscated Files or Information</b>: Encrypted payload with SEH/VEH tricks<br/><b>Description</b>: Encrypt or otherwise hide malicious code and employ Structured Exception Handling or Vectored Exception Handling tricks to evade static analysis."]
  class tech_obfuscation technique
  tech_dll_injection["<b>Technique</b> – <b>T1055.001 DLL Injection</b>: IAT hook of ExitProcess<br/><b>Description</b>: Inject a malicious DLL into a target process and modify its Import Address Table to hijack ExitProcess calls."]
  class tech_dll_injection technique
  tech_hijack_flow["<b>Technique</b> – <b>T1574 Hijack Execution Flow</b>: VEH/SEH handlers and hardware breakpoints<br/><b>Description</b>: Replace or add exception handlers and set hardware breakpoints to redirect execution to malicious code."]
  class tech_hijack_flow technique
  tech_reflective_load["<b>Technique</b> – <b>T1620 Reflective Code Loading</b>: In-memory PE decryption and execution<br/><b>Description</b>: Decrypt a Portable Executable in memory and execute it without writing to disk."]
  class tech_reflective_load technique
  tech_elev_control["<b>Technique</b> – <b>T1548 Abuse Elevation Control Mechanism</b>: Load rwdrv.sys driver for physical memory R/W<br/><b>Description</b>: Install a signed or vulnerable driver to obtain read/write access to physical memory."]
  class tech_elev_control technique
  tech_priv_esc["<b>Technique</b> – <b>T1068 Exploitation for Privilege Escalation</b>: Manipulate kernel objects and disable EDR callbacks<br/><b>Description</b>: Use the loaded driver to alter kernel structures and neutralize endpoint detection and response hooks."]
  class tech_priv_esc technique
  tech_persistence_appinit["<b>Technique</b> – <b>T1546.010 AppInit DLLs (Persistence)</b>: Maintain disabled EDR state<br/><b>Description</b>: Keep the malicious DLL registered via AppInit_DLLs to persist across reboots while EDR remains disabled."]
  class tech_persistence_appinit technique
  tech_sandbox_evasion["<b>Technique</b> – <b>T1497.002 Virtualization/Sandbox Evasion</b>: Locale check and breakpoint detection<br/><b>Description</b>: Detect analysis environments by checking system locale settings and probing for debugger breakpoints."]
  class tech_sandbox_evasion technique
  %% Connections showing attack flow
  tech_initial_appinit -->|leads_to| tech_obfuscation
  tech_obfuscation -->|leads_to| tech_dll_injection
  tech_dll_injection -->|leads_to| tech_hijack_flow
  tech_hijack_flow -->|leads_to| tech_reflective_load
  tech_reflective_load -->|leads_to| tech_elev_control
  tech_elev_control -->|leads_to| tech_priv_esc
  tech_priv_esc -->|leads_to| tech_persistence_appinit
  tech_persistence_appinit -->|leads_to| tech_sandbox_evasion
Detections
- Possible Msimg32 Dynamic Library Side-Loading Attempt (via image_load)
- IOCs (HashSha256) to detect: Qilin EDR Killer Infection Chain
- IOCs (HashSha1) to detect: Qilin EDR Killer Infection Chain
- IOCs (HashMd5) to detect: Qilin EDR Killer Infection Chain
- Detection of EDR Killer Drivers Loaded in Qilin Ransomware Attacks [Windows Process Creation]
- Detection of EDR Evasion Techniques via Nt* Syscalls [Windows System]
- Detection of Malicious msimg32.dll Used in Qilin Ransomware Attacks [Windows Image Load]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative must directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
An attacker crafts a minimal native C binary that explicitly loads ntdll.dll and calls NtTraceEvent via its exported name. The binary is compiled on the target host using the Visual C++ Build Tools, then executed. Because the call is made through the regular Windows API surface, the resulting telemetry records the image (ntdll.dll) and a CallTrace field containing the string "NtTraceEvent", satisfying the Sigma condition. The attacker then deletes the binary to reduce forensic artifacts. Note that in Sysmon the CallTrace field is populated on ProcessAccess (Event ID 10) events rather than on process-creation events, so confirm that the rule's log source actually emits that field for this action before treating a silent run as a regression failure.
Regression Test Script:
# ---------------------------------------------------------
# Step 1 – Create a temporary C source that calls NtTraceEvent
# ---------------------------------------------------------
$src = @"
#include <windows.h>
#include <winternl.h>   /* NTSTATUS */

/* NtTraceEvent(TraceHandle, Flags, FieldSize, Fields) as exported by ntdll.dll */
typedef NTSTATUS (NTAPI *pNtTraceEvent)(HANDLE, ULONG, ULONG, PVOID);

int main(void)
{
    HMODULE hNtdll = LoadLibraryA("ntdll.dll");
    if (!hNtdll) return 1;
    pNtTraceEvent NtTraceEvent = (pNtTraceEvent)GetProcAddress(hNtdll, "NtTraceEvent");
    if (!NtTraceEvent) return 1;
    /* Minimal call: no trace handle and no payload; the returned status is irrelevant for this demo */
    NtTraceEvent(NULL, 0, 0, NULL);
    return 0;
}
"@
$tmpPath = Join-Path $env:TEMP 'NtTraceDemo.c'
$objPath = Join-Path $env:TEMP 'NtTraceDemo.obj'
$exePath = Join-Path $env:TEMP 'NtTraceDemo.exe'
$src | Set-Content -Path $tmpPath -Encoding ASCII

# ---------------------------------------------------------
# Step 2 – Compile using cl.exe (assumes Visual C++ Build Tools 2019 are installed)
# ---------------------------------------------------------
$vcVars = Join-Path ${env:ProgramFiles(x86)} 'Microsoft Visual Studio\2019\BuildTools\VC\Auxiliary\Build\vcvars64.bat'
if (Test-Path $vcVars) {
    & cmd /c "`"$vcVars`" && cl /nologo /O2 /Fo:`"$objPath`" /Fe:`"$exePath`" `"$tmpPath`""
} else {
    Write-Error "Visual C++ Build Tools not found. Install them before running this script."
    exit 1
}

# ---------------------------------------------------------
# Step 3 – Execute the binary (this should trigger the rule)
# ---------------------------------------------------------
& $exePath

# ---------------------------------------------------------
# Step 4 – Clean up artifacts
# ---------------------------------------------------------
Remove-Item -Force $tmpPath, $objPath, $exePath -ErrorAction SilentlyContinue
Cleanup Commands:
# Ensure any leftover files (source, object and executable) are removed; run as admin
Get-ChildItem -Path $env:TEMP -Filter 'NtTraceDemo.*' -ErrorAction SilentlyContinue | Remove-Item -Force