AuKill Malware Hunts & Kills EDR Processes

Published: 23/11/2024   Category: security




Attackers are using custom malware to exploit drivers and terminate security processes so they can deploy ransomware.



The AuKill cybercrime tool has emerged, which threat actors are using to disable endpoint detection and response (EDR) defenses used by enterprises before deploying ransomware. It makes use of malicious device drivers to infiltrate systems.
In two recent incidents, researchers from Sophos observed an adversary using AuKill prior to deploying Medusa Locker ransomware; another time, the security vendor discovered an attacker using the EDR killer on an already compromised system before installing the LockBit ransomware.
Christopher Budd, senior manager of threat research at Sophos, says the trend is a response to the growing effectiveness of EDR tools. Threat actors are starting to recognize that EDR agents provide security vendors a significant advantage in spotting attacks, he says. Threat actors are targeting the tools causing them the most trouble.
The attacks are similar to a flurry of incidents that Sophos, Microsoft, Mandiant, and SentinelOne reported in December, where threat actors used custom-built drivers to disable security products on already compromised systems, leaving them open to other exploits.
In those attacks, threat actors used malicious drivers that they tricked Microsoft into digitally signing, making them appear legitimate. In other driver attacks, threat actors have exploited a vulnerability in a legitimate device driver to execute ransomware, escalate privileges, and bypass security controls. Security vendors and researchers commonly refer to the technique as a bring-your-own-vulnerable-driver, or BYOVD, attack.
AuKill itself is a tool that falls into the BYOVD category. It takes advantage of a legitimate but outdated and exploitable version of the driver that Microsoft's Process Explorer 16.32 uses in order to disable EDR processes.
The vulnerable Process Explorer driver that AuKill leverages — like other drivers — has privileged access on installed systems and can interact with and terminate running processes.
Process Explorer is a free tool that gives users detailed information on all running processes on a system, their executable paths, performance metrics, and other data. It offers features for monitoring real-time system activity, adjusting process priority and identity, terminating processes, and executing other functions.
Budd says that in the recent ransomware attacks that Sophos observed, the threat actor injected the tool into systems on which they had already gained access. Once on a system, AuKill drops a driver named PROCEXP.SYS from release version 16.32 of Process Explorer into the same location as the legitimate version of the Process Explorer driver (PROCEXP152.sys).
"The [legitimate] Process Explorer driver v.16.32 does not limit its functionality to working with the main Process Explorer executable," Budd says. "So other programs may send API calls to the driver to take advantage of its functionality." In AuKill's case, the tool abuses the legitimate driver to execute instructions to shut down EDR and other security controls on the compromised computer. "They leverage the existing functionality in the Process Explorer driver that permits Process Explorer to terminate running programs," he says.
Sophos has so far analyzed six different versions of AuKill and noticed some substantial changes with each new version. Newer versions, for instance, now target more EDR processes and services for termination. They also include a feature that continuously probes EDR processes and services to ensure that terminated processes remain that way through restart attempts. The malware authors have also added features to make AuKill more robust by having AuKill run multiple threads at once to protect itself from being terminated in response, Budd says.
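The two observable traces the article describes, the legacy PROCEXP.SYS driver dropped beside PROCEXP152.sys and a burst of security-process terminations shortly after that driver loads, can be turned into simple detection logic. The example below is added here and is not Sophos' or any vendor's code; the event records, file paths, security-product image names and the two-minute window are constructed assumptions, loosely modelled on Sysmon DriverLoad (Event ID 6) and ProcessTerminate (Event ID 5) records rather than on any tool's real schema.

```python
"""Detection sketch for the AuKill-style BYOVD pattern: a legacy Process
Explorer driver (PROCEXP.SYS) loads, then security processes die."""
from datetime import datetime, timedelta

# Constructed sample telemetry; timestamps, paths and names are illustrative.
# id 6 ~ driver load, id 5 ~ process terminate (simplified Sysmon-like fields).
SAMPLE_EVENTS = [
    {"ts": "2024-11-20T10:00:01", "id": 6, "image": r"C:\Windows\Temp\PROCEXP.SYS"},
    {"ts": "2024-11-20T10:00:09", "id": 5, "image": r"C:\Program Files\EDRVendor\edr_agent.exe"},
    {"ts": "2024-11-20T10:00:11", "id": 5, "image": r"C:\Program Files\EDRVendor\edr_svc.exe"},
    {"ts": "2024-11-20T10:05:00", "id": 5, "image": r"C:\Windows\System32\notepad.exe"},
]
# Constructed on-disk driver inventory for the side-by-side check.
SAMPLE_DRIVER_FILES = [
    r"C:\Users\admin\AppData\Local\Temp\PROCEXP152.sys",
    r"C:\Users\admin\AppData\Local\Temp\PROCEXP.SYS",
    r"C:\Windows\System32\drivers\ndis.sys",
]

# Driver file names the article ties to the abused Process Explorer driver.
LEGACY_DRIVER_NAMES = {"procexp.sys", "procexp152.sys"}
# Placeholder security-product image names (assumption; adapt to your estate).
SECURITY_IMAGES = {"edr_agent.exe", "edr_svc.exe"}
WINDOW = timedelta(minutes=2)


def _split(path):
    """Return (directory, lowercase file name) with separators normalised."""
    d, _, name = path.replace("\\", "/").rpartition("/")
    return d, name.lower()


def detect_edr_kill_after_driver_load(events, window=WINDOW):
    """Return (driver_path, [killed security images]) for every legacy
    Process Explorer driver load followed within `window` by termination
    of one or more security processes."""
    findings = []
    for load in (e for e in events if e["id"] == 6 and _split(e["image"])[1] in LEGACY_DRIVER_NAMES):
        t0 = datetime.fromisoformat(load["ts"])
        killed = [_split(e["image"])[1] for e in events
                  if e["id"] == 5 and _split(e["image"])[1] in SECURITY_IMAGES
                  and t0 <= datetime.fromisoformat(e["ts"]) <= t0 + window]
        if killed:
            findings.append((load["image"], killed))
    return findings


def dirs_with_legacy_and_current_driver(paths):
    """Return directories that hold both PROCEXP.SYS and PROCEXP152.sys,
    the drop pattern described for AuKill (normalised to forward slashes)."""
    by_dir = {}
    for p in paths:
        d, name = _split(p)
        by_dir.setdefault(d, set()).add(name)
    return sorted(d for d, names in by_dir.items() if LEGACY_DRIVER_NAMES <= names)
```

Either signal alone is weak (administrators do run Process Explorer); the combination, or the legacy driver loading from a user-writable directory, is what merits a closer look.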
Sophos' analysis of AuKill showed that it shares code with BackStab, an open source tool that surfaced in June 2021 and also abused the Process Explorer driver to kill EDR tools. The company's researchers spotted a LockBit actor using BackStab to disable EDR on systems as recently as last November.
