This blog provides an in-depth analysis of the malicious "msimg32.dll" used in Qilin ransomware attacks, one component of a multi-stage infection chain that targets EDR systems.
Analysis Summary
# Tool/Technique: Qilin EDR Killer (msimg32.dll / Shanya Loader)
## Overview
This tool is a sophisticated, multi-stage infection chain used by the Qilin ransomware group to neutralize Endpoint Detection and Response (EDR) solutions. It functions by side-loading a malicious DLL that subsequently deploys an "EDR Killer" payload capable of terminating over 300 different security-related drivers and processes by leveraging kernel-level vulnerabilities and advanced obfuscation.
## Technical Details
- **Type:** Malware (EDR Killer / PE Loader)
- **Platform:** Windows (x64)
- **Capabilities:** EDR termination, kernel callback removal, ETW suppression, API hooking neutralization, and DLL side-loading.
- **First Seen:** Approximately June 2025 (based on compile timestamps); Analysis published April 2026.
## MITRE ATT&CK Mapping
- **TA0005 - Defense Evasion**
- **T1574.002 - Hijack Execution Flow: DLL Side-Loading** (Using `msimg32.dll`)
- **T1562.001 - Impair Defenses: Disable or Modify Tools** (Terminating EDR processes/drivers)
- **T1055 - Process Injection** (Memory-only execution of the killer payload)
- **T1140 - Deceptive File Names** (Naming malicious files after system drivers/DLLs)
- **T1106 - Native API** (Use of direct syscalls to bypass hooks)
- **T1562.006 - Impair Defenses: Indicator Blocking** (Suppressing ETW)
## Functionality
### Core Capabilities
- **DLL Side-loading:** Abuses legitimate applications to load a malicious `msimg32.dll` that forwards the valid exports to the real library while executing malicious code in `DllMain`.
- **EDR Termination:** Targets and terminates over 300 distinct EDR drivers and processes.
- **Hook Neutralization:** Identifies and neutralizes user-mode hooks in `ntdll.dll` to prevent security tools from monitoring API calls.
- **ETW Suppression:** Leverages a "Ghost-in-the-Logs" style approach to disable Event Tracing for Windows, blinding defenders to process and network activity.
### Advanced Features
- **Kernel Manipulation:** Loads a helper driver (`rwdrv.sys`) to gain physical memory access and unregisters kernel callbacks established by EDRs.
- **Obfuscation:** Uses Structured Exception Handling (SEH) and Vectored Exception Handling (VEH) to hide the control flow and prevent static/dynamic analysis of API invocation.
- **Memory-Only Execution:** The secondary EDR killer payload is decrypted and executed entirely in memory to avoid disk-based detection.
## Indicators of Compromise
### File Hashes (SHA256)
- **msimg32.dll:** `7787da25451f5538766240f4a8a2846d0a589c59391e15f188aa077e8b888497`
- **rwdrv.sys:** `16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0`
- **hlpdrv.sys:** `99325e2ee68a1c22d39bd508e6d216e06177817be325b131848a23ca786a2c54`
- **EDRKiller.exe (Dump):** `12fcde06ddadf1b48a61b12596e6286316fd33e850687fe4153dfd9383f0a4a0`
### File Names
- `msimg32.dll`
- `rwdrv.sys`
- `hlpdrv.sys`
### Behavioral Indicators
- Loading of unsigned or known vulnerable drivers (Bring Your Own Vulnerable Driver - BYOVD).
- Unexpected termination of security-related processes (e.g., `MsSense.exe`, `CylanceSvc.exe`).
- High volume of SEH/VEH exceptions within a single process.
- Legitimate applications loading `msimg32.dll` from non-standard directories.
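The behavioral indicators above can be turned into a simple triage check. The script below is an added example, not code from the original report or from any vendor; it runs over constructed Sysmon-style records in a simplified `Key=Value|Key=Value` layout and flags `msimg32.dll` loaded outside the system directories, the helper drivers named on this page (or any unsigned driver), and termination of the security processes the page lists.

```python
from pathlib import PureWindowsPath

# Directories where the genuine msimg32.dll lives on a 64-bit Windows host.
TRUSTED_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Helper drivers named on the page for this chain.
SUSPECT_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}
# Security processes from the page whose termination is unexpected.
SECURITY_PROCS = {"mssense.exe", "cylancesvc.exe"}
# Constructed sample records mirroring Sysmon fields (EventID 7 = image loaded,
# 6 = driver loaded, 5 = process terminated); assumed format, not real telemetry.
SAMPLE_LOG = r"""
EventID=7|Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Users\Public\msimg32.dll
EventID=7|Image=C:\Windows\System32\mspaint.exe|ImageLoaded=C:\Windows\System32\msimg32.dll
EventID=6|ImageLoaded=C:\Windows\Temp\rwdrv.sys|Signed=true
EventID=6|ImageLoaded=C:\Windows\System32\drivers\tcpip.sys|Signed=true
EventID=5|Image=C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
EventID=5|Image=C:\Windows\System32\notepad.exe
"""

def parse_event(line):
    """Split one record into a dict with lower-cased field names."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields

def classify(event):
    """Return a finding string for a suspicious event, or None if it looks benign."""
    eid = event.get("eventid")
    if eid == "7":
        dll = PureWindowsPath(event.get("imageloaded", ""))
        # msimg32.dll from anywhere but the system directories is a side-load candidate.
        if dll.name.lower() == "msimg32.dll" and str(dll.parent).lower() not in TRUSTED_DLL_DIRS:
            return f"sideload: {event.get('image')} loaded msimg32.dll from {dll.parent}"
    elif eid == "6":
        drv = PureWindowsPath(event.get("imageloaded", ""))
        # Named helper drivers, or any driver not marked signed, point to BYOVD activity.
        if drv.name.lower() in SUSPECT_DRIVERS or event.get("signed", "").lower() != "true":
            return f"byovd: driver {drv.name} loaded from {drv.parent} (signed={event.get('signed')})"
    elif eid == "5":
        proc = PureWindowsPath(event.get("image", ""))
        if proc.name.lower() in SECURITY_PROCS:
            return f"edr-kill: security process {proc.name} terminated"
    return None

def scan(log_text):
    """Run every non-empty record through classify() and keep the findings."""
    events = (parse_event(l) for l in log_text.splitlines() if l.strip())
    return [f for f in map(classify, events) if f]
```

On real telemetry, correlate the three finding types by host and time window; a side-load followed shortly by a driver load and then a security-process termination is the sequence this report describes.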
## Associated Threat Actors
- **Qilin (Ransomware-as-a-Service group)**
## Detection Methods
- **Signature-based:** ClamAV signatures `Win.Malware.Bumblebee-10056548-0` and `Win.Tool.EdrKiller-10059833-0`.
- **Behavioral:** Monitor for `NtTraceEvent` and `NtTraceControl` suppression and attempts to unregister system callbacks.
- **Network:** Snort SIDs `1:66181`, `1:66180`, and `1:301456`.
## Mitigation Strategies
- **Driver Blocklisting:** Enable Microsoft’s vulnerable driver blocklist to prevent `rwdrv.sys` or similar drivers from loading.
- **DLL Security:** Enable Safe DLL Search Mode and use AppLocker or Windows Defender Application Control (WDAC) to restrict DLL loading to trusted paths.
- **Least Privilege:** Restrict administrative privileges to prevent the loading of malicious kernel-mode drivers.
- **Multi-layered Defense:** Do not rely solely on EDR; implement network-level monitoring and immutable backups.
## Related Tools/Techniques
- **Shanya:** The name attributed by Sophos to the loader component.
- **BYOVD (Bring Your Own Vulnerable Driver):** A general technique used by this tool to gain kernel access.
- **Bumblebee:** Loader often associated with initial access for ransomware groups.