Detection and Blocking of GMER Tool as Hacktool.GMER

Article ID: 417498


Products

  • Carbon Black Cloud Endpoint Standard
  • Carbon Black Cloud Enterprise EDR
  • Carbon Black App Control
  • Endpoint Protection
  • Endpoint Security
  • Endpoint Security Complete

Issue/Introduction

The GMER tool is an anti-rootkit utility designed to detect and remove hidden processes, services, files, and registry keys associated with rootkits. However, recent threat intelligence indicates that multiple ransomware operators are abusing GMER to disable security products before deploying ransomware or performing data exfiltration.

Threat Overview

Observed Abuse

Attackers have been leveraging the GMER tool to terminate security product services and processes prior to launching payloads. Several threat actors have been confirmed to use GMER in their ransomware campaigns, including:

  • Qilin
  • Hunters International
  • Phobos
  • Enmity
  • Play

Threat research teams at Broadcom have observed multiple pre-ransomware activities involving GMER where it was used to neutralize defences, thereby enabling:

  • Ransomware deployment
  • Data exfiltration
  • Secondary malware deployment

Current Status

  • Both the GMER dropper and its driver currently have good reputations, which allows them to execute under reputation-based trust.
  • Despite its benign reputation, GMER is actively used by attackers to disable protection layers.
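The abuse pattern described above (gmer.exe executing, then security services being stopped shortly afterwards) can be expressed as a simple correlation rule. The following is an added illustration, not code from Broadcom or from the article; the telemetry, host names, PIDs and protected service names are constructed placeholders, and only the image name gmer.exe and the signature name Hacktool.GMER come from the article.

```python
"""Toy correlation rule: gmer.exe start followed by a protected-service stop.

All telemetry below is constructed for illustration. Service names are
placeholders; a real rule would use the security stack's actual service names.
"""
from datetime import datetime, timedelta

# Assumed placeholder names for the services a defender wants to protect.
PROTECTED_SERVICES = {"ExampleAVService", "ExampleEDRSensor"}
WINDOW = timedelta(minutes=5)  # how long after the start we correlate stops

# Constructed telemetry: (timestamp, event type, host, image or service, actor pid)
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "process_start", "host-a", "C:\\Users\\u\\gmer.exe", 4100),
    ("2024-01-01T10:00:07", "service_stop", "host-a", "ExampleEDRSensor", 4100),
    ("2024-01-01T10:00:09", "service_stop", "host-a", "ExampleAVService", 4100),
    ("2024-01-01T11:00:00", "process_start", "host-b", "C:\\Tools\\gmer.exe", 5200),
    ("2024-01-01T11:00:03", "service_stop", "host-b", "Spooler", 5200),  # not protected
    ("2024-01-01T12:00:00", "service_stop", "host-c", "ExampleAVService", 900),  # no gmer
]

def parse(event):
    ts, kind, host, target, pid = event
    return datetime.fromisoformat(ts), kind, host, target, pid

def detect_gmer_defence_evasion(events, window=WINDOW):
    """Return one alert per gmer.exe run that is followed, within `window`
    and by the same host/pid, by a stop of a protected service.

    Matching on the image name is for illustration only; production
    detections key on the file hash or the Hacktool.GMER signature verdict."""
    parsed = sorted((parse(e) for e in events), key=lambda e: e[0])
    gmer_runs = [e for e in parsed if e[1] == "process_start"
                 and e[3].lower().rsplit("\\", 1)[-1] == "gmer.exe"]
    alerts = []
    for start_ts, _, host, image, pid in gmer_runs:
        stopped = sorted(
            svc for ts, kind, h, svc, p in parsed
            if kind == "service_stop" and h == host and p == pid
            and svc in PROTECTED_SERVICES
            and start_ts <= ts <= start_ts + window)
        if stopped:
            alerts.append({"host": host, "pid": pid, "image": image,
                           "signature": "Hacktool.GMER", "stopped": stopped})
    return alerts

if __name__ == "__main__":
    for alert in detect_gmer_defence_evasion(SAMPLE_EVENTS):
        print(alert)
```

Only host-a produces an alert: host-b stopped a non-protected service and host-c stopped a protected service without a preceding gmer.exe start.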

Action Plan

  1. Blocking Implementation
    1. GMER will be blocked statically with the signature (VID) Hacktool.GMER.
    2. Reputation-based changes and SDS blocking will extend protection to Carbon Black (CB) customers as well.
  2. Customer Communication

Resolution

If you wish to use the GMER tool (gmer.exe), add one of the following exclusions in the respective product:

  • Hash-based exclusion
  • VID (Hacktool.GMER) exclusion

Reference Articles:
For Symantec Endpoint Security (SES) - Adding Allow List policy scan exceptions
For Symantec Endpoint Protection (SEP) - Configuring Exceptions policies in Endpoint Protection Manager
For Carbon Black Cloud (CBC) - Setting up Exclusions in the Carbon Black Cloud Console for AV Products
For Carbon Black EDR (CB EDR) - Create Exclusions