Infection chain overview | Image: Cisco Talos
A technical deep-dive from Cisco Talos has exposed a sophisticated “EDR killer” deployed during Qilin ransomware attacks, revealing a multi-stage infection chain specifically engineered to blind, disable, and dismantle modern security software.
Modern Endpoint Detection and Response (EDR) tools are significantly more capable than traditional antivirus, providing deep visibility into memory, network activity, and process behavior. To counter this, advanced adversaries have shifted their focus. As the Talos report highlights:
“As defenders improve behavioral detection, attackers increasingly target the defense layer itself as part of their initial access or early execution stages”.
The weapon of choice in these attacks is a malicious library named “msimg32.dll.” Far from a simple script, this DLL serves as the vanguard for a campaign that can “terminate over 300 different EDR drivers from almost every vendor in the market”.
The malware employs an array of techniques to remain undetected while it prepares its primary assault. Researchers observed the use of SEH/VEH-based obfuscation, kernel object manipulation, and direct system call bypasses to circumvent security hooks.
One of the most complex maneuvers involves the malware’s interaction with the Windows kernel. The “msimg32.dll” payload doesn’t just attack the EDR’s user-mode components; it reaches into the heart of the operating system to manipulate function pointers.
The infection follows a meticulously planned sequence:
- Initial Deployment: The malicious DLL is sideloaded or dropped onto the compromised system during the early stages of a Qilin ransomware attack.
- Telemetry Suppression: It immediately moves to “disable or bypass” EDR tools by “disabling telemetry collection,” effectively cutting off the data flow that defenders use to analyze threats.
- Kernel Manipulation: The malware locates and overwrites critical callbacks, such as the CiValidateImageHeader function, with its own code to bypass code integrity checks.
- Restoration and Stealth: In a final display of sophistication, after the malicious tasks are complete, the malware “restores the original function pointer,” leaving the system looking ostensibly normal to a casual observer.
The analysis of this “msimg32.dll” chain serves as a stark reminder that even the most advanced single-product defenses have limits. As the Talos team concludes:
“It is encouraging to see how many hurdles modern malware must overcome. At the same time, this highlights that even state-of-the-art defense mechanisms can still be bypassed by determined adversaries”.
To counter such high-level threats, security experts emphasize that “defenders should never rely on a single product for protection”. Instead, a multi-layered security approach is essential. By stacking different types of detection and prevention—from network monitoring to identity protection—organizations can significantly increase the difficulty for even the most determined “EDR killers” to remain undetected.