New ‘BlackSanta’ EDR killer spotted targeting HR departments

Source: BleepingComputer

Author: Bill Toulas

URL: https://www.bleepingcomputer.com/news/security/new-blacksanta-edr-killer-spotted-targeting-hr-departments/

ONE SENTENCE SUMMARY:

A Russian-speaking actor spear-phished HR with ISO “resumes,” deploying stealthy loaders and BlackSanta to disable EDR using BYOVD (bring-your-own-vulnerable-driver) drivers.

MAIN POINTS:

  1. Russian-speaking threat actor targeted HR departments for over a year with malware.
  2. Initial access likely used spear-phishing emails directing victims to cloud-hosted ISO files.
  3. Malicious ISOs impersonated resumes and were hosted on services like Dropbox.
  4. The ISO contained an LNK masquerading as a PDF, a PowerShell script, an image, and an ICO file.
  5. LNK executed PowerShell to extract steganographic payload from image into memory.
  6. ZIP download included legitimate SumatraPDF plus malicious DWrite.dll for DLL sideloading.
  7. Malware fingerprinted hosts, contacted C2, and evaded sandboxes, VMs, and debuggers.
  8. Windows Defender was weakened, disk-write tests performed, and payloads ran via process hollowing.
  9. BlackSanta EDR killer reduced alerts, altered Defender exclusions, and lowered telemetry/submission settings.
  10. BYOVD abuse of the RogueKiller and IObitUnlocker drivers enabled kernel-level unlocking and termination of security processes.
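The behaviours in points 9 and 10 leave traces in standard Windows logs: Defender logs event 5007 whenever its configuration changes, and the System log records event 7045 when a new service or kernel driver is registered. The triage routine below, an added example rather than anything from the article or the actor's tooling, flags those traces over a few constructed sample events; the driver-name substrings and the event wording are assumptions based on the tool names the article reports and on the standard event text.

```python
"""Flag host events consistent with the BlackSanta EDR-killer behaviour:
Defender exclusion/telemetry changes and registration of abusable drivers."""
import re

DEFENDER_CONFIG_CHANGED = 5007  # Defender/Operational: configuration changed
SERVICE_INSTALLED = 7045        # System log: new service or driver registered

# Defender registry settings these changes land in (paths are the real ones).
SUSPICIOUS_SETTINGS = {
    r"\\Exclusions\\": "Defender exclusion added or changed",
    r"SpyNet\\SpynetReporting": "cloud-delivered protection (MAPS) changed",
    r"SpyNet\\SubmitSamplesConsent": "sample submission consent changed",
}
# Driver families the article reports being abused. Assumption: match loosely
# on the vendor/tool name, since exact .sys file names vary by version.
ABUSED_DRIVER_NAMES = ("roguekiller", "iobitunlocker")


def triage(events):
    """Return (host, reason) tuples for events worth an analyst's attention."""
    findings = []
    for ev in events:
        text = ev["message"]
        if ev["id"] == DEFENDER_CONFIG_CHANGED:
            for pattern, reason in SUSPICIOUS_SETTINGS.items():
                if re.search(pattern, text, re.IGNORECASE):
                    findings.append((ev["host"], reason))
        elif ev["id"] == SERVICE_INSTALLED and "kernel mode driver" in text.lower():
            if any(name in text.lower() for name in ABUSED_DRIVER_NAMES):
                findings.append((ev["host"], "abusable kernel driver registered"))
    return findings


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "hr-ws01", "id": 5007, "message":
     r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public = 0x0"},
    {"host": "hr-ws01", "id": 5007, "message":
     r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent = 0x2"},
    {"host": "hr-ws01", "id": 7045, "message":
     "A service was installed in the system. Service Name: IObitUnlocker Service Type: kernel mode driver"},
    {"host": "hr-ws02", "id": 5007, "message":
     r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScanParameters = 0x1"},
]

if __name__ == "__main__":
    for host, reason in triage(SAMPLE_EVENTS):
        print(f"{host}: {reason}")
```

A routine scan-parameter change (hr-ws02) is deliberately left unflagged so the rule stays focused on the settings an EDR killer actually touches.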

TAKEAWAYS:

  1. HR-focused lures exploiting resume workflows remain highly effective for initial compromise.
  2. ISO/LNK plus PowerShell and steganography form a stealthy, memory-resident infection chain.
  3. DLL sideloading with trusted executables helps attackers blend malicious code into legitimate processes.
  4. EDR killers increasingly rely on kernel-level BYOVD techniques to reliably disable defenses.
  5. Strong opsec and resilient infrastructure can keep campaigns undetected even when C2 is intermittently unavailable.