Intel Node

Qilin EDR killer infection chain

high | ransomware | 2026-04-02T10:00:56+00:00

Tags: ransomware, malware, detection, windows

This blog provides an in-depth analysis of the malicious “msimg32.dll” used in Qilin ransomware attacks, which is a multi-stage infection chain targeting EDR systems.

Endpoint detection and response (EDR) tools are widely deployed and far more capable than traditional antivirus. As a result, attackers use EDR killers to disable or bypass them. Disabling telemetry collection (process, memory, and network activity) limits what defenders can see and analyze. As defenders improve behavioral detection, attackers increasingly target the defense layer itself as part of their initial access or early execution stages.

The EDR killer can terminate over 300 different EDR drivers from almost every vendor in the market. We present multiple techniques used by the malware to evade and ultimately disable EDR solutions, including SEH/VEH-based obfuscation, kernel object manipulation, and various API and system call bypass methods. This blog post provides an in-depth technical analysis of the malicious dynamic-link library (DLL) “msimg32.dll”, which Cisco Talos observed being deployed in Qilin ransomware attacks. The broader activities and attacks of Qilin were previously introduced and described in the blog post here.

This DLL represents the initial stage of a sophisticated, multi-stage infection chain designed to disable local endpoint detection and response (EDR) solutions present on compromised systems. Figure 1 shows a high-level diagram of the overall execution flow of this infection chain.

Figure 1. Infection chain overview.

The first stage consists of a PE loader responsible for preparing the execution environment for the EDR killer component. This secondary payload is embedded within the loader in an encrypted form. The loader implements advanced EDR evasion techniques.

It neutralizes user-mode hooks and suppresses Event Tracing for Windows (ETW) event generation at runtime by leveraging a -like approach.
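As an added detection-side example (not code from the Talos write-up or this summary), the script below scans image-load events and flags any DLL named msimg32.dll that loads from outside the Windows system directories, is unsigned, or sits beside the executable that loaded it. The Sysmon-style event format, the sample lines and the trusted-directory list are constructed assumptions for this example.

```python
from pathlib import PureWindowsPath

# Constructed sample image-load events in a Sysmon Event ID 7 style (not real telemetry).
SAMPLE_EVENTS = [
    "Image: C:\\Windows\\System32\\msimg32.dll|Process: C:\\Windows\\System32\\mspaint.exe|Signed: true",
    "Image: C:\\Users\\Public\\Tools\\msimg32.dll|Process: C:\\Users\\Public\\Tools\\updater.exe|Signed: false",
    "Image: C:\\Windows\\SysWOW64\\msimg32.dll|Process: C:\\Program Files (x86)\\App\\app.exe|Signed: true",
    "Image: C:\\ProgramData\\cache\\MSIMG32.DLL|Process: C:\\ProgramData\\cache\\svc.exe|Signed: false",
]

# Assumption: the legitimate msimg32.dll ships only in the Windows system directories.
TRUSTED_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
WATCHED_DLL = "msimg32.dll"


def parse_event(line):
    """Split 'Key: value|Key: value' into a dict with lower-cased keys."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")
        fields[key.strip().lower()] = value.strip()
    return fields


def classify_load(event):
    """Return the reasons a load of the watched DLL looks suspicious (empty if benign)."""
    image = PureWindowsPath(event.get("image", ""))
    if image.name.lower() != WATCHED_DLL:
        return []
    reasons = []
    if str(image.parent).lower() not in TRUSTED_DIRS:
        reasons.append("loaded outside Windows system directories")
    if event.get("signed", "").lower() != "true":
        reasons.append("image not signed")
    process = PureWindowsPath(event.get("process", ""))
    # Co-location only matters once the load is already suspicious; System32 tools
    # legitimately load System32 DLLs.
    if reasons and str(process.parent).lower() == str(image.parent).lower():
        reasons.append("DLL sits next to the loading executable")
    return reasons


def find_suspicious_loads(lines):
    """Map each suspicious image path to the reasons it was flagged."""
    hits = {}
    for line in lines:
        event = parse_event(line)
        reasons = classify_load(event)
        if reasons:
            hits[event["image"]] = reasons
    return hits


if __name__ == "__main__":
    for path, reasons in find_suspicious_loads(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(reasons))
```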
