AuKill tool uses BYOVD attack to disable EDR software

Ransomware operators use the AuKill tool to disable EDR software through Bring Your Own Vulnerable Driver (BYOVD) attack. Sophos researchers reported that threat actors are using a previously undocumented defense evasion tool, dubbed AuKill, to disable endpoint detection and response (EDR) software. The tool relies on the Bring Your Own Vulnerable Driver (BYOVD) technique to disable the […]

Security Affairs

If you haven't patched Microsoft Process Explorer, prepare to get pwned

BYOVD - Bring Your Own Vulnerable Driver

The AuKill tool, which abuses the outdated 16.32 version of Microsoft's Process Explorer driver to disable the EDR processes, was used in at least three ransomware attacks since the start of the year. In two of the incidents – one in January, the other a month later – attackers deployed the Medusa Locker ransomware after AuKill paved the way through the EDR defenses.

#ProcessExplorer #BYOVD #EDR #Ransomware #Microsoft #AuKill #Medusa #LockBit #InfoSec

AuKill abuses a deprecated tool to disable security processes ahead of the attack

The Register

You can't defend against Windows administrator. Trying is almost always a waste of time. You have to stop the attacker before they get admin, or use a system that doesn't have an all-powerful administrator.

#aukill

We looked at what we suspect are six incremental stages of the #AuKill #malware's development. Each new version added a few different features. And as time went on, we also saw the creators add new programs to the kill list.

Oddly, most of the programs added to the kill list in later versions were not EDR or antimalware utilities. One version is designed to kill the Windows version of the ElasticSearch application.

A few others added an enterprise remote-access tool called Splashtop to the kill list. One version targeted software called Aladdin HASP - a now-defunct tool designed to help manage software licensing over a network.

(We've published IOCs for this investigation to our Github at https://github.com/sophoslabs/IoCs/blob/master/atk-backstab-d.csv )

4/

IoCs/atk-backstab-d.csv at master · sophoslabs/IoCs

Sophos-originated indicators-of-compromise from published reports - IoCs/atk-backstab-d.csv at master · sophoslabs/IoCs

GitHub

Running the tool is fairly simple. The attacker just runs it as an administrator, passing as a command flag a password the creator hardcoded into #AuKill.

Then AuKill copies itself into the System folder, drops the hijacked ProcExp.sys driver into the Drivers folder, and registers itself as a Windows service.

After that, the #malware just persistently runs in the background, looking for any running program that has a name matching the hardcoded list it carries with it. When it sees one of those programs (mostly Sophos endpoint security and Microsoft Defender) it sends a command to try to terminate the program.

3/
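A detection sketch for the behaviour described in this post, added here as an example and not Sophos's code: it correlates a load of the deprecated procexp.sys driver from the Drivers folder with later terminations of security processes on the same host. The key=value log layout, host names and process paths are constructed assumptions.

```python
# Added example (not Sophos code): correlate a load of the deprecated
# procexp.sys driver with later kills of security processes on the same host.
import re
from collections import defaultdict

# Constructed sample telemetry; the key=value layout, hosts and paths are assumptions.
SAMPLE_LOG = """\
ts=2023-02-01T10:00:01 host=WS01 event=driver_load image=C:\\Windows\\System32\\drivers\\procexp152.sys
ts=2023-02-01T10:05:14 host=WS02 event=driver_load image=C:\\Windows\\System32\\drivers\\procexp.sys
ts=2023-02-01T10:05:20 host=WS02 event=process_terminate image=C:\\Program Files\\Sophos\\ExampleAgent.exe
ts=2023-02-01T10:05:21 host=WS02 event=process_terminate image=C:\\Program Files\\Windows Defender\\ExampleSvc.exe
ts=2023-02-01T10:07:00 host=WS03 event=process_terminate image=C:\\Program Files\\Sophos\\ExampleAgent.exe
"""

# The legitimate driver is procexp152.sys; AuKill drops the 16.32-era procexp.sys.
VULN_DRIVER_RE = re.compile(r"\\drivers\\procexp\.sys$", re.IGNORECASE)
# Products named in the thread; the path fragments are an assumption.
SECURITY_PATH_RE = re.compile(r"\\(sophos|windows defender)\\", re.IGNORECASE)
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Split one key=value line into a dict; values may contain spaces."""
    return dict(KV_RE.findall(line))


def detect(log_text):
    """Return hosts that loaded procexp.sys and, per host, the security
    processes terminated after that load. A kill with no prior driver load
    on the same host (WS03 above) is not attributed to this technique."""
    driver_hosts = set()
    kills = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_event(line)
        host, kind, image = ev.get("host"), ev.get("event"), ev.get("image", "")
        if kind == "driver_load" and VULN_DRIVER_RE.search(image):
            driver_hosts.add(host)
        elif kind == "process_terminate" and host in driver_hosts and SECURITY_PATH_RE.search(image):
            kills[host].append(image)
    return {"driver_loaded": sorted(driver_hosts), "security_kills": dict(kills)}


if __name__ == "__main__":
    for host, images in detect(SAMPLE_LOG)["security_kills"].items():
        print(f"{host}: procexp.sys loaded, then {len(images)} security process(es) terminated")
```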

The #AuKill #malware we found is a custom-built utility that was used by threat actors after they had already gained a foothold inside the target's network, and administrative privileges on one or more machines.

Its singular goal is to sabotage endpoint security tools, preventing antimalware from preventing the criminals from doing harm.

The method by which it does this is somewhat unique: It abuses a now-deprecated, signed driver from Microsoft's Process Explorer to kill process names hardcoded into the malware.

They didn't even bother trying to hide it. The legitimate Process Explorer driver is named procexp152.sys, and the one used by AuKill is named #procexp.sys. It is, in fact, the driver that shipped with version 16.32 of Process Explorer.

2/

Hey there. @threatresearch here again, taking over the X-Ops Mastodon to talk about some research we posted this week.

We stumbled upon a malicious tool earlier this year, while our EDR and incident response teams were called in to perform postmortem investigations of ransomware attacks.

While reviewing logs, we found that the threat actors had used a custom-designed #malware we're calling #AuKill as a way to terminate the #EDR agent and endpoint security software the target had installed.

https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver

A short 🧵 begins here

‘AuKill’ EDR killer malware abuses Process Explorer driver

Driver-based attacks against security products are on the rise

Sophos News