Qilin Ransomware's EDR Killer Can Blind 300+ Security Tools — Talos Has the Technical Breakdown


Cisco Talos published a deep-dive today on the EDR killer component embedded in Qilin ransomware attacks. It's the kind of analysis that should make every SOC team pause and double-check their detection assumptions.

The short version: a malicious DLL named `msimg32.dll` is being side-loaded during Qilin intrusions, and it's specifically engineered to disable your endpoint security before the ransomware payload runs. Over 300 EDR drivers across virtually every major vendor are in scope.

What the Malware Actually Does

This isn't a blunt tool. The `msimg32.dll` component runs a multi-stage infection chain designed with one goal — get the EDR out of the way before anything loud happens.

Stage 1: The PE Loader

The DLL acts as a PE loader first. It decrypts a secondary payload embedded within itself and loads it entirely in memory, never touching disk. Before it does that, it actively neutralizes the local EDR:

  • ETW suppression: Event Tracing for Windows events are killed at runtime. Your telemetry pipeline goes quiet.
  • User-mode hook removal: API hooks that EDR products rely on for behavioral monitoring are stripped out.
  • Control flow obfuscation: The loader uses Structured Exception Handling (SEH) and Vectored Exception Handling (VEH) tricks to obscure which API calls are being made. Detection engines that watch for suspicious call patterns get nothing useful.

Stage 2: The EDR Killer

Once the loader finishes its prep work, the decrypted EDR killer payload activates and loads two helper drivers:

  • `rwdrv.sys`: Provides direct access to physical memory. This is a legitimate signed driver being abused — a classic Bring Your Own Vulnerable Driver (BYOVD) technique.
  • `hlpdrv.sys`: The process termination driver. It handles actually killing EDR processes once the ground has been cleared.

Before `hlpdrv.sys` runs, the malware unregisters the kernel callback functions that EDRs use to monitor process creation, thread activity, and image loads. Without those callbacks, the EDR is effectively deaf even before its process is terminated. Code Integrity checks are then restored post-kill to keep the system looking normal.

The combined result: 300+ EDR drivers from across the market can be disabled. Talos notes this targets "almost every vendor."

Why This Matters for Defenders

The attack surface here is a critical one: the security tooling itself.

Most detection strategies assume the EDR stays online. It's what generates the alerts, logs the process tree, and captures network connections. When an attacker can reliably kill the EDR before the main payload detonates, detection windows collapse. You're working from partial telemetry after the fact, if you have anything at all.

The BYOVD angle is particularly relevant. `rwdrv.sys` is a signed, legitimate driver — not flagged as malicious in itself. Organizations that rely on driver allowlists but haven't blocked this specific driver by hash are exposed.

One detail worth noting from Talos: the malware contains geo-fencing logic that causes it to crash on systems configured for certain post-Soviet country languages. This is a common operator protection pattern — keep the tool from running on systems where the developers might be investigated.

What to Check Now

If Qilin is relevant to your threat model (and given it's active ransomware infrastructure, it should be), a few things to verify:

  1. Look for `msimg32.dll` in unexpected locations. This DLL is legitimate in System32 — it becomes suspicious when it appears in application directories via side-loading.
  2. Check for `rwdrv.sys` on your endpoints. Block the hash if present. This driver has no business being on most enterprise systems.
  3. Audit kernel callback registrations. If EDR callbacks are being unregistered, you need visibility at the kernel level to catch that — not just user-mode telemetry.
  4. Test your EDR vendor's response. Ask them directly: does your product have any protection against BYOVD-based termination? What's your detection coverage when your own driver is targeted?
  5. Layer your defenses. Network-level telemetry, memory forensics, and endpoint isolation capabilities become your fallback when the EDR gets killed. If your security architecture has EDR as a single point of failure for detection, this campaign demonstrates why that's a gap.
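The first two checks above, as an added PowerShell hunt script that is not part of the Talos report: it sweeps one host for `msimg32.dll` outside the Windows system directories and for the two helper drivers, and reports SHA256 hashes for blocklisting. The directories treated as "system", the driver-service lookup and the output format are my assumptions, not indicators from the report.

```powershell
# Added hunting example (not Talos code): flags the file-based indicators from
# the write-up on one Windows host and reports hashes for blocklisting.
# Assumes Windows PowerShell 5.1 or later, run as local administrator.

$systemDirs  = @('System32', 'SysWOW64', 'WinSxS') | ForEach-Object { Join-Path $env:SystemRoot $_ }
$driverNames = @('rwdrv.sys', 'hlpdrv.sys')
$findings    = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Indicator, [string]$Path) {
    $findings.Add([pscustomobject]@{
        Indicator = $Indicator
        Path      = $Path
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Signature = (Get-AuthenticodeSignature -LiteralPath $Path).Status
    })
}

# Checks 1 and 2, on disk: msimg32.dll is legitimate under the system
# directories, so only copies elsewhere are side-loading candidates; the two
# helper drivers are reported wherever they are found.
Get-ChildItem -Path "$env:SystemDrive\" -Include (@('msimg32.dll') + $driverNames) -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $full = $_.FullName
        $inSystemDir = [bool]($systemDirs | Where-Object { $full.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) })
        if ($_.Name -ieq 'msimg32.dll') {
            if (-not $inSystemDir) { Add-Finding 'msimg32.dll outside system directories (side-load candidate)' $full }
        } else {
            Add-Finding "$($_.Name) present on disk" $full
        }
    }

# Check 2, in the service control manager: a registered or running driver is
# a stronger signal than a stray file.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and ($driverNames -contains [System.IO.Path]::GetFileName($_.PathName)) } |
    ForEach-Object {
        # Normalise the NT-style paths the SCM sometimes stores.
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (Test-Path -LiteralPath $path) {
            Add-Finding "$($_.Name) registered as a driver service (state: $($_.State))" $path
        }
    }

if ($findings.Count -eq 0) {
    Write-Output 'No Qilin EDR-killer file indicators found on this host.'
} else {
    # Feed the SHA256 column to the EDR, AppLocker or WDAC blocklist.
    $findings | Sort-Object Indicator, Path | Format-Table -AutoSize
}
```

The full-drive sweep is slow on large volumes; narrow `-Path` to application and user directories for a quicker first pass, and note that a signed, valid `rwdrv.sys` is still a finding here because the page's point is that the driver is legitimate yet abused.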

The Bigger Pattern

Qilin isn't the only ransomware group investing in EDR killer tooling. This is becoming a standard pre-ransomware phase — neutralize defenses first, then deploy. Talos notes prior reporting on Qilin's broader activity, and this technical analysis fills in previously undocumented details on the infection chain mechanics.

The level of sophistication here — SEH/VEH obfuscation, in-memory execution, BYOVD, kernel callback manipulation — suggests a well-resourced group treating EDR evasion as a first-class engineering problem. The defenses need to evolve accordingly.

The full Talos analysis is at blog.talosintelligence.com/qilin-edr-killer.
