Security End-Run: AuKill Shuts Down Windows-Reliant EDR Processes

Published: 23/11/2024   Category: security



Russian threat actor FIN7 has shifted gears multiple times in recent years, focusing now on helping ransomware groups be even more covertly effective.



A widespread cybercrime tool designed to tamper with security solutions has been upgraded, with a new method for killing the protected Windows processes that endpoint detection and response (EDR) tools rely on.
AuKill, developed by the notorious FIN7 cybercrime collective (aka Carbanak, Carbon Spider, Cobalt Group, Navigator Group), is a program specifically designed to undermine endpoint security. It employs more than 10 different user- and kernel-mode techniques to that end, such as sandboxing protected processes and leveraging fundamental Windows APIs like Restart Manager and Service Control Manager.
A new report from SentinelOne describes how AuKill is becoming increasingly popular among cybercrime actors, particularly high-level ransomware groups. And to keep it one step ahead of defenders, FIN7 has iterated on it with a new technique for throwing certain protected processes into a denial-of-service (DoS) condition.
FIN7, a largely Russian-Ukrainian operation, was carrying out financially motivated cyber campaigns across industries as far back as 2012. At the time, its specialty was point-of-sale (PoS) malware, then a trend.
As cybercrime moved from credit card theft to ransomware, FIN7 moved with it. It launched its own ransomware-as-a-service (RaaS) projects: first Darkside and then, after its run-ins with Uncle Sam, BlackMatter. It also began to affiliate with other major ransomware groups, like the leading Conti and REvil.
In April 2022, FIN7 began development on the anti-security tool now known as AuKill. Using various pseudonyms, it began to market the program on cybercrime forums for prices ranging from $4,000 to $15,000.
The first actor known to use it in the wild was Black Basta, in June 2022. Around the turn of 2023, threat actors across the ransomware spectrum began to follow suit. SentinelOne has observed it in attacks alongside payloads like AvosLocker, BlackCat, and LockBit, for example. 
Whenever a new malware tool begins to attract attention, it risks losing its initial effectiveness as defenders start to adjust. To keep it going, then, authors need to modify and build out new features.
AuKill's new feature targets the protected processes run by EDR solutions. Its weapons: the default time-travel debugging (TTD) monitor Windows driver, used for monitoring TTD processes, in tandem with an updated version of the Process Explorer driver.
In short, the malware uses the former driver to watch for protected Windows processes it wants to attack and, if they pop up, suspends them. When the protected process then tries to spin up non-protected helper (child) processes, the latter driver blocks those. With the drivers blocking parent and child, a crash ensues.
"Organizations should ensure that anti-tampering protection mechanisms are enabled in their security solutions deployed on enterprise devices," says Antonio Cocomazzi, staff offensive security researcher at SentinelOne.
For this particular technique, he adds, "organizations should ensure that their security software's anti-tampering protections are robust enough to defend against kernel-mode attacks, such as those exploiting the Process Explorer driver. Implementing additional security measures, like kernel-level monitoring and restricting driver access, can further enhance protection against these advanced threats."
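The "restricting driver access" control Cocomazzi recommends is something a defender can audit on each endpoint. The following read-only PowerShell script is an added example and is not part of the article or of SentinelOne's report. It assumes a Windows 10/11 host and uses only documented interfaces: the Win32_DeviceGuard WMI class (where a value of 2 in SecurityServicesRunning means hypervisor-protected code integrity is active), the VulnerableDriverBlocklistEnable registry value under HKLM\SYSTEM\CurrentControlSet\Control\CI\Config, and Win32_SystemDriver for the list of running kernel drivers. The function name Get-DriverHardeningStatus and the "outside the Windows directory" heuristic for third-party drivers are this example's own choices.

```powershell
# Added example (not from the article or SentinelOne): audit whether a host
# restricts kernel drivers. Read-only; nothing is reconfigured.

function Get-DriverHardeningStatus {
    # Device Guard / VBS state from the documented Win32_DeviceGuard WMI class.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    # SecurityServicesRunning contains 2 when HVCI (memory integrity) is active,
    # which blocks unsigned or blocklisted kernel code from loading.
    $hvciRunning = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 2)

    # Microsoft's vulnerable driver blocklist switch (documented registry value).
    $ciPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $blocklistValue = (Get-ItemProperty -Path $ciPath -Name VulnerableDriverBlocklistEnable `
                        -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    $blocklistEnabled = ($blocklistValue -eq 1)

    # Heuristic (assumption of this example): running drivers whose image lives
    # outside the Windows directory are the third-party ones worth reviewing.
    $windir = $env:SystemRoot
    $thirdParty = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise the NT-style paths WMI sometimes returns.
            $p = $_.PathName -replace '^\\\?\?\\', ''
            $p = $p -replace '^\\SystemRoot', $windir
            if ($p -notlike "$windir\*") {
                [pscustomobject]@{ Name = $_.Name; Path = $p }
            }
        }

    [pscustomobject]@{
        HvciRunning               = $hvciRunning
        VulnerableDriverBlocklist = $blocklistEnabled
        ThirdPartyRunningDrivers  = @($thirdParty)
    }
}

$status = Get-DriverHardeningStatus
$status | Select-Object HvciRunning, VulnerableDriverBlocklist | Format-List
$status.ThirdPartyRunningDrivers | Format-Table -AutoSize
```

Run it in an elevated PowerShell session; the CI\Config key is not readable from a standard user context on every build, in which case VulnerableDriverBlocklist reports false and should be re-checked as an administrator. A host that reports HvciRunning and VulnerableDriverBlocklist both true, and whose third-party driver list contains only inventory-approved entries, has the baseline the quoted advice describes; anything else in that list is a candidate for removal or for a tamper-protection rule in the EDR console.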
