[TIMESTAMP: 2026-03-11 00:32 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Russian-Speaking Actor Uses BlackSanta EDR Killer Against HR Teams

HIGH | Threat Intel | #BlackSanta #EDR-killer #BYOVD
AI-Assisted Analysis
READ_TIME: 3 min read
// executive briefing tl;dr
  • [01] Immediate impact: A Russian-speaking actor is phishing HR departments for initial access, then running an EDR killer on the foothold so that ransomware or exfiltration tooling can follow without generating alerts.
  • [02] Affected systems: Windows hosts on which an attacker with local administrator rights can still load a signed but vulnerable kernel driver, above all hosts that do not enforce Microsoft's vulnerable driver blocklist. The driver is brought by the attacker; the victim does not need to have it installed already.
  • [03] Remediation: Enforce the Microsoft Vulnerable Driver Blocklist (via WDAC/HVCI), alert on new kernel driver service installations (System log Event ID 7045, Sysmon Event ID 6 for the load itself), and keep HR staff out of the local Administrators group.

The BlackSanta campaign shows how even a niche actor can reliably neutralize EDR before the main payload lands. According to Bleeping Computer, this Russian-speaking actor has focused on human resource departments, exploiting the high volume of external attachments those teams process to gain a foothold. The campaign has been active for more than a year, indicating sustained interest in administrative-heavy targets.

How the BlackSanta EDR killer works

The actor's primary TTP is the deployment of a purpose-built tool dubbed "BlackSanta." It belongs to the "EDR killer" category: utilities that disable or terminate security monitoring processes so that follow-on payloads, typically ransomware or data exfiltration tools, run without producing telemetry.

The technical core of the attack is the "Bring Your Own Vulnerable Driver" (BYOVD) technique. Having obtained local administrator rights on the host, the attacker installs a legitimate kernel-mode driver that carries a valid vendor signature but also a known vulnerability. Windows enforces driver signing, not driver safety: because the signature checks out and the driver is not on a blocklist, the kernel loads it. BlackSanta then abuses the driver's flaw to perform privileged operations from kernel context and forcibly terminates the security software's processes, which normally run as Protected Process Light (PPL) and cannot be killed from user mode even by an administrator.

BYOVD attack mitigation for HR departments

The focus on HR departments is a calculated choice. HR personnel routinely interact with unknown external parties and open documents from unverified sources, such as resumes and certifications. This makes them ideal targets for phishing campaigns that use malicious archives or links to deliver the initial dropper. Once the first system is compromised, the actor uses BlackSanta to blind the SOC. Without the telemetry the security tools would have provided, the attacker can proceed with lateral movement across the network toward higher-value targets such as domain controllers or financial databases.

Analysis of the BlackSanta campaign suggests several layers of protection against this actor:

  • Driver blocklisting: Enable the Microsoft Vulnerable Driver Blocklist. It is a Windows Defender Application Control (WDAC) policy that refuses to load drivers known to be abused in BYOVD attacks; it is on by default on Windows 11 22H2 and later and on any device running memory integrity (HVCI), and on other builds it can be switched on under Windows Security > Device security > Core isolation. The list is updated only periodically, so treat it as a floor rather than a guarantee.
  • Kernel-mode monitoring: Alert on new service installations of type "kernel mode driver" (System log Event ID 7045) and on driver loads (Sysmon Event ID 6), especially when the image path lies outside %SystemRoot%\System32\drivers or the DriverStore, for example a user profile or temp directory. Collect the Microsoft-Windows-CodeIntegrity/Operational log as well; it records drivers the blocklist refused to load, which is an early indicator that someone tried.
  • Endpoint hardening: Remove local administrative rights from HR staff. Loading a kernel driver requires SeLoadDriverPrivilege, which by default only members of the Administrators group hold, so without admin rights the attacker must find a separate privilege escalation before the BYOVD step can even begin.
  • Credential protection: Because the actor's goal is to move beyond the HR workstation, enable LSA Protection (RunAsPPL) so that LSASS runs as a protected process, raising the bar for harvesting credentials from memory once security tools are down. Bear in mind that an attacker who already has a working kernel-mode primitive can strip PPL as well, so this control is most effective alongside the driver blocklist.
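
The following PowerShell script is an added example (not from Bleeping Computer's report or from the page's author) that operationalizes the first three items above on a single host. It reports whether the vulnerable driver blocklist, HVCI and LSA Protection are on, then hunts the System log for kernel driver services installed from outside the standard driver directories, which is the footprint the BYOVD step described earlier leaves behind. The $TrustedDriverRoots list and the function names are this example's own choices; the registry values, WMI class and 7045 event fields are standard Windows ones. It only reads state and changes nothing.

```powershell
# Added example: host-level checks for BYOVD / EDR-killer exposure.
# Run from an elevated PowerShell 5.1+ session. Read-only.

# Directories kernel drivers are normally loaded from. This list is an
# assumption of the example; extend it with third-party driver paths you trust.
$TrustedDriverRoots = @(
    "$env:SystemRoot\System32\drivers",
    "$env:SystemRoot\System32\DriverStore"
)

function Get-DriverDefenseState {
    # Vulnerable Driver Blocklist toggle. 1 = enforced, 0 = off,
    # $null = value not set, so the build default applies (on for Win11 22H2+).
    $ci  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    # Memory integrity (HVCI): SecurityServicesRunning contains 2 when it is running.
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    # LSA Protection: RunAsPPL = 1 (or 2 with UEFI lock) means LSASS runs as PPL.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        VulnerableDriverBlocklist = if ($null -eq $ci.VulnerableDriverBlocklistEnable) { 'not set (build default)' } else { $ci.VulnerableDriverBlocklistEnable -eq 1 }
        HvciRunning               = ($dg.SecurityServicesRunning -contains 2)
        LsaProtection             = ($lsa.RunAsPPL -ge 1)
    }
}

function Resolve-ServiceImagePath {
    param([string]$ImagePath)
    # 7045 ImagePath comes in several shapes: \??\C:\...\x.sys,
    # \SystemRoot\System32\drivers\x.sys, System32\drivers\x.sys, or a plain path.
    $p = $ImagePath.Trim('"') -replace '^\\\?\?\\', ''
    if ($p -match '^\\SystemRoot\\(.*)$') { $p = Join-Path $env:SystemRoot $Matches[1] }
    elseif ($p -match '^System32\\')     { $p = Join-Path $env:SystemRoot $p }
    [Environment]::ExpandEnvironmentVariables($p)
}

function Get-SuspiciousDriverInstalls {
    param([int]$Days = 30)
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten EventData into a hashtable keyed by field name
        # (ServiceName, ImagePath, ServiceType, StartType, AccountName).
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Only kernel drivers matter for BYOVD; user-mode services are noise here.
        if ($data['ServiceType'] -ne 'kernel mode driver') { return }

        $path    = Resolve-ServiceImagePath $data['ImagePath']
        $trusted = $false
        foreach ($root in $TrustedDriverRoots) {
            if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
        }
        if ($trusted) { return }

        # A BYOVD driver is validly signed, so the signer is what the analyst
        # compares against the blocklist; a missing file is itself suspicious.
        $sig = if (Test-Path -LiteralPath $path) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }

        [pscustomobject]@{
            Time        = $_.TimeCreated
            ServiceName = $data['ServiceName']
            ImagePath   = $path
            InstalledBy = $data['AccountName']
            Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
            SigStatus   = if ($sig) { $sig.Status } else { 'FileMissing' }
        }
    }
}

Get-DriverDefenseState | Format-List
Get-SuspiciousDriverInstalls -Days 30 | Format-Table -AutoSize
```

Any row the second function returns deserves a look: a kernel driver registered from a user profile, Temp or ProgramData path by an interactive account is exactly what a BYOVD loader produces. Compare the Signer and file hash against Microsoft's published blocklist, and if the first function reports the blocklist off or HVCI not running, that host could have loaded the driver unchallenged.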

By operating in the kernel, BlackSanta sits below the user-mode protections most security controls depend on. Security teams should treat unauthorized kernel driver installation as the control point: block it where possible and alert when it is attempted, as the primary defense against this and similar EDR-killing tools.
