RealBlindingEDR Tool That Permanently Turns Off AV/EDR Using Kernel Callbacks

Source: Cyber Security News

Author: Guru Baran

URL: https://cybersecuritynews.com/realblindingedr-tool/

ONE SENTENCE SUMMARY:

RealBlindingEDR is an open-source tool used to disable antivirus and endpoint detection software by manipulating kernel callbacks.

MAIN POINTS:

  1. RealBlindingEDR blinds, disables, or terminates AV/EDR by clearing kernel callbacks.
  2. Released on GitHub in 2023, it uses legitimately signed drivers to perform its kernel memory operations.
  3. It exploits vulnerable drivers to gain kernel-level access without being detected.
  4. The tool targets six major kernel callback types to bypass security.
  5. Ransomware groups like Crypto24 have used it in recent attacks.
  6. Compatible with Windows 7 to 11 and various servers, ensuring wide applicability.
  7. Demonstrated against 360 Security Guard, Tencent, Kaspersky, Windows Defender, and more.
  8. Blinding mode prevents monitoring of behaviors like malware drops.
  9. Requires a signed driver and admin rights for deployment.
  10. Organizations are advised to monitor vulnerable driver loads and kernel anomalies.

TAKEAWAYS:

  1. RealBlindingEDR poses significant risks despite being designed for research purposes.
  2. Microsoft and vendors recommend driver signature enforcement to mitigate threats.
  3. Security teams must review endpoint logs for unusual .sys file access.
  4. Advanced EDR with behavioral analytics can help detect anomalies.
  5. Awareness and monitoring are crucial to counteract this evolving threat.
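As an added illustration of the monitoring recommended in main point 10 and takeaway 3 (example code, not from the article or the RealBlindingEDR project), the following Python triages Sysmon Event ID 6 (DriverLoad) records and flags driver loads that have the shape of a vulnerable-driver deployment. The Sysmon field names (ImageLoaded, Hashes, Signature, SignatureStatus) are real; the blocklist hash, vendor names and log records are constructed placeholders.

```python
# Added example (not the article's or the RealBlindingEDR project's code):
# triage Sysmon Event ID 6 (DriverLoad) records for loads that look like a
# vulnerable-driver (BYOVD) deployment rather than a normal driver install.

# Placeholder blocklist: a constructed value, not a real indicator. Populate it
# from Microsoft's recommended driver block list or a similar curated feed.
VULN_DRIVER_SHA256 = {"0" * 63 + "1"}
TRUSTED_SIGNERS = ("Microsoft Windows", "Microsoft Corporation")
EXPECTED_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")

def parse_hashes(field):
    """Sysmon's Hashes field is 'SHA256=...,MD5=...'; return {algo: hexdigest}."""
    return dict(p.split("=", 1) for p in field.split(",") if "=" in p)

def classify_driver_load(event):
    """Return the reasons an Event ID 6 record deserves review (empty = benign)."""
    reasons = []
    image = event.get("ImageLoaded", "").lower()
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256", "").lower()
    signer = event.get("Signature", "")
    if sha256 in VULN_DRIVER_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")
    if event.get("SignatureStatus") != "Valid":
        reasons.append("signature status is not Valid")
    # Third-party drivers are normal; a third-party-signed driver loaded from a
    # user-writable or ad hoc directory is the usual shape of a BYOVD drop.
    if not image.startswith(EXPECTED_DIRS) and not any(s in signer for s in TRUSTED_SIGNERS):
        reasons.append("third-party driver loaded from unexpected directory")
    return reasons

def scan_driver_loads(events):
    """Return [(ImageLoaded, reasons)] for every record that raised a reason."""
    return [(ev.get("ImageLoaded", ""), r) for ev in events if (r := classify_driver_load(ev))]

# Constructed sample records; field names match Sysmon Event ID 6 EventData.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys", "Hashes": "SHA256=" + "ab" * 32,
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Users\Public\tmp\helper.sys", "Hashes": "SHA256=" + "0" * 63 + "1",
     "Signature": "Example Vendor Ltd (constructed)", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\oldvendor.sys", "Hashes": "SHA256=" + "cd" * 32,
     "Signature": "Old Vendor (constructed)", "SignatureStatus": "Revoked"},
]

if __name__ == "__main__":
    for image, reasons in scan_driver_loads(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

On a live host the same logic applies to records pulled from the Microsoft-Windows-Sysmon/Operational log, with the blocklist replaced by a maintained feed.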