The evolution of ransomware has taken a sharp turn toward sophistication, with modern threat actors focusing not just on encryption but on completely neutralizing security defenses before executing their payloads. A recent campaign analyzed by Cisco Talos highlights how the Qilin ransomware leverages a malicious DLL, msimg32.dll, to dismantle endpoint detection and response (EDR) systems at scale.
This blog explores the intricate, multi-stage infection chain implemented by this DLL, uncovering advanced evasion, stealth execution, and kernel-level manipulation techniques.

Initial Access and DLL Side-Loading
The attack begins with DLL side-loading, where a legitimate application unknowingly loads a malicious version of msimg32.dll. To avoid suspicion, the malware forwards legitimate API calls to the original DLL located in C:\Windows\System32, ensuring normal functionality continues.
The real payload is triggered within the DllMain function—executed immediately upon loading—making detection significantly harder.
Stage 1: The Stealth Loader
The first stage acts as a highly obfuscated PE loader, responsible for preparing execution of the embedded EDR killer payload.
One of its most notable features is the creation of a slot-policy table, which maps syscall stubs inside ntdll.dll. Instead of modifying system code directly, the malware classifies syscall regions and selectively applies execution policies.
This enables:
- Indirect syscall invocation
- Bypassing user-mode API hooks
- Avoiding traditional EDR monitoring
The loader also modifies the .mrdata section of ntdll.dll using a dynamically resolved LdrProtectMrdata function. This allows it to overwrite exception handlers and hijack execution flow.
Exception-Based Evasion (SEH & VEH)
To further evade detection, the malware uses:
- Structured Exception Handling (SEH)
- Vectored Exception Handling (VEH)
These mechanisms obscure execution flow and hide API usage patterns.
A particularly clever technique involves:
- Triggering exceptions intentionally
- Redirecting execution through custom handlers
- Reconstructing syscalls using nearby clean stubs
This allows the malware to execute syscalls without triggering EDR hooks—since the kernel only validates syscall IDs, not their origin.
Anti-Debugging and Geo-Fencing
The loader includes several defensive measures:
- Detects breakpoints on KiUserExceptionDispatcher and crashes intentionally
- Avoids execution on systems using post-Soviet language settings
- Uses hash-based API resolution to avoid static detection
These features indicate a targeted campaign and a strong focus on anti-analysis.
Stage 2 & 3: Memory Execution and Payload Deployment
The second stage acts as a transition layer, decoding memory and hooking the Import Address Table (IAT). Specifically, it replaces the ExitProcess function pointer, ensuring that the final payload executes during process termination.
Stage 3 then:
- Decompresses an embedded PE file
- Maps it into memory by overwriting shell32.dll
- Applies relocations manually
- Uses VEH and hardware breakpoints to control execution flow
This multi-layered approach ensures the payload never touches disk in a detectable way.
Stage 4: The EDR Killer
The final payload is a powerful EDR killer module capable of disabling over 300 security drivers.
Driver Abuse
Two drivers are deployed:
- rwdrv.sys – Provides raw physical memory access
- hlpdrv.sys – Terminates protected processes
Notably, rwdrv.sys is a repurposed legitimate driver (ThrottleStop), abused for:
- Reading/writing physical memory
- Accessing CPU registers (MSR)
- Mapping arbitrary memory regions
This allows the malware to operate at a near-kernel level without exploiting vulnerabilities.
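As an added defensive illustration (not code from Cisco Talos or from this blog), the following Python checks image-load and driver-load records for the two artefacts covered in the side-loading and driver-abuse sections above: msimg32.dll loaded from outside the Windows system directories, and rwdrv.sys or hlpdrv.sys being loaded at all. The record shape assumes Sysmon-style fields (EventID, Image, ImageLoaded); the sample events and the "driver from a non-system path" heuristic are constructed for the example.

```python
from pathlib import PureWindowsPath

# Artefact names taken from the write-up above; everything else is assumed.
SIDELOAD_DLLS = {"msimg32.dll"}
KNOWN_BAD_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Constructed sample records (not real telemetry) shaped like Sysmon event 7
# (image loaded) and event 6 (driver loaded); only the fields used are kept.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\bob\AppData\Local\Temp\app.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\msimg32.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Editor\editor.exe",
     "ImageLoaded": r"C:\Windows\System32\msimg32.dll"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\rwdrv.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\ProgramData\svc\hlpdrv.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\bob\Downloads\tool.sys"},
]


def _under_system_dir(path: str) -> bool:
    """True when the path sits below one of the Windows system directories."""
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(d) for d in SYSTEM_DIRS)


def analyze(events):
    """Return (rule, loading_image, loaded_path) findings for a list of events.

    Rules: a system DLL from SIDELOAD_DLLS loaded from a non-system path
    (side-loading), a driver whose file name matches the campaign's helper
    drivers, and (assumed heuristic) any driver loaded from a non-system path.
    """
    findings = []
    for ev in events:
        loaded = ev.get("ImageLoaded", "")
        name = PureWindowsPath(loaded).name.lower()
        if ev.get("EventID") == 7:
            if name in SIDELOAD_DLLS and not _under_system_dir(loaded):
                findings.append(("dll_sideload", ev.get("Image", ""), loaded))
        elif ev.get("EventID") == 6:
            if name in KNOWN_BAD_DRIVERS:
                findings.append(("known_edr_killer_driver", "", loaded))
            elif not _under_system_dir(loaded):
                findings.append(("driver_from_nonsystem_path", "", loaded))
    return findings
```

Running `analyze(SAMPLE_EVENTS)` flags the Temp-directory msimg32.dll, both helper drivers and the Downloads-folder driver, while the System32 copies pass.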
Kernel Manipulation Techniques
The malware:
- Enumerates physical memory pages using NtQuerySystemInformation
- Builds metadata structures for memory targeting
- Locates EDR callbacks in kernel memory
- Overwrites or unregisters them directly
This effectively blinds EDR systems by removing visibility into:
- Process creation
- Thread activity
- Image loading
Additionally, it restores the CiValidateImageHeader callback after bypassing it—suggesting a temporary evasion strategy to avoid detection.
Process Termination via Kernel Driver
Using hlpdrv.sys, the malware sends IOCTL requests to:
- Remove process protections
- Terminate EDR-related processes
Once executed, even built-in defenses like Windows Defender are rendered ineffective.
Indicators of Compromise (IOCs)
The following artifacts are associated with this campaign:
Final Thoughts
This attack chain demonstrates a highly mature threat model where attackers no longer rely on simple obfuscation but instead engineer full-fledged frameworks to dismantle security controls.
The use of:
- Exception-driven execution
- Kernel memory manipulation
- Legitimate driver abuse
…makes this campaign particularly dangerous and difficult to detect using traditional defenses.
Our Opinion on This Case
What stands out most in this campaign is not just the technical sophistication, but the strategic mindset behind it. The attackers are clearly designing their malware with a deep understanding of how modern EDR solutions function internally. Rather than trying to evade detection passively, they actively dismantle the very mechanisms that defenders rely on.
The use of legitimate drivers like ThrottleStop is especially concerning. It reflects a growing trend where attackers exploit trusted components instead of introducing obviously malicious artifacts. This blurs the line between benign and malicious behavior, making detection far more challenging.
Another critical observation is the layered design of the infection chain. Each stage has a single responsibility—loading, evasion, execution, or destruction—which makes the system modular and reusable. This suggests that the loader itself could be repurposed for other payloads beyond ransomware.
From a defensive standpoint, this case reinforces the importance of a multi-layered security strategy. Relying solely on endpoint protection is no longer sufficient. Organizations must incorporate behavioral analysis, memory forensics, and kernel integrity monitoring to stand a chance against such threats.
Ultimately, this campaign is a reminder that cybersecurity is an evolving battlefield—and defenders must continuously adapt to stay ahead.
