Over the weekend, our Active Adversary Protection feature nabbed an interesting intrusion attempt to load a previously unfamiliar kernel driver, signed by a certificate assigned to the antivirus company Filseclab. /1
The detection that fired blocked three attempts (in the space of seven minutes) to load files called fildds.sys, filnk.sys, and filwfp.sys onto a single customer’s network. /2
With Active Adversary on alert for that customer, we looked closer and noticed an attempt immediately prior to that to load Kaspersky’s TDSSKiller. That attempt was also blocked. /3
Grabbing a copy of the malware that delivered this suspicious driver, we’ve so far found that there’s functionality meant to kill PPL-protected processes, and it appears to have an EDR killer in there as well. /4
It’s yet another example of a well-known evolution. The bad guys used to try to evade protections, but that’s not working for them so well these days; now they’ve switched to full-on attempts to disable processes. /5
We see more and more attempts such as these by threat actors as they shift tactics, and we caution our industry colleagues to watch for attack attempts from this specific driver (not yet listed on http://loldrivers.io at the time of this writing) on their own software. /6
We’ll keep analyzing this malware and its latest abused drivers, and hope to have more to say about that soon. The attack was thwarted before the threat actors had a chance to drop an additional payload to interact with the dropped driver. /7
Through VirusTotal and hunting in our own systems, we discovered that the attackers likely tried to drop a variant of the malware with SHA256 41f77d6d23bba3b485c1c6f300655b2daf2d184de07f163afae7ea908e1833e2. /8
SHA256 hashes for the abused files are f8c07b6e2066a5a22a92d9f521ecdeb8c68698c400e4b83e0501b9f340957c22 (fildds.sys), ae55a0e93e5ef3948adecf20fa55b0f555dcf40589917a5bfbaa732075f0cc12 (filnk.sys) and 490cfbb540dcd70b7bff4fdd62e7ed7400bbfebaf5083523d49f7184670f7b9a (filwfp.sys). /9
As with most things with Sophos, this was a team effort – but credit to @hackingump1 for leading the charge. /end
