Threat actors are using a new hacking tool called AuKill to disable Endpoint Detection & Response (EDR) software on target systems before deploying backdoors and ransomware in BYOVD (Bring Your Own Vulnerable Driver) attacks.

In such attacks, malicious actors drop legitimate drivers signed with a valid certificate and able to run with kernel privileges on victims’ devices to disable security solutions and take control of the system.

This technique is popular among various threat actors, from state-backed hacking groups financial motivations ransomware gangs.

The AuKill malware, first spotted by security researchers at Sophos X-Ops, drops a vulnerable Windows driver (procexp.sys) alongside that used by Microsoft’s Process Explorer v16.32. This is a very popular and legitimate utility that helps to collect information about active Windows processes.

To elevate privileges, it first checks if it is already running with SYSTEM privileges, and if not, it impersonates the TrustedInstaller Windows Modules Installer service to switch to SYSTEM .

To disable security software, AuKill starts multiple threads to permanently probe and disable security processes and services (and ensure they stay disabled by preventing them from restarting).

So far, multiple versions of AuKill have been seen in the wild, some deployed in at least three separate incidents that have led to Medusa Locker and LockBit ransomware infections since the start of the year.

“The tool has been used in at least three ransomware incidents since the start of 2023 to sabotage target protection and deploy ransomware,” Sophos X-Ops said.

“In January and February, attackers deployed Medusa Locker ransomware after using the tool; in February, an attacker used AuKill just before deploying Lockbit ransomware.”

AuKill Timeline
AuKill Timeline (Sophos X-Ops)

​AuKill is similar to an open source tool called stab in the backwhich also uses a Process Explorer driver to disable security solutions running on compromised devices.

Backstab was previously deployed by the LockBit gang in at least one attack observed by Sophos X-Ops when analyzing the latest version of the cybercriminal group’s malware, LockBit 3.0 or LockBit Black.

“We found multiple similarities between the open source tool Backstab and AuKill,” the researchers said.

“Some of these similarities include similar and characteristic debug chains and nearly identical code flow logic for interacting with the driver.”

The oldest AuKill sample has a compilation timestamp of November 2022, while the most recent was compiled in mid-February when it was also used in an attack linked to the LockBit ransomware group.


Source link