AuKill: A ‘defense evasion tool’ disables EDR software via BYOVD attack

Ransomware gangs have been using a new defense evasion tool since the beginning of 2023 to stop endpoint detection and response (EDR) processes before installing malware on victim devices. The tool, a previously undocumented “defense evasion tool” known as AuKill, abuses an outdated Microsoft-signed Windows driver in a Bring Your Own Vulnerable Driver (BYOVD) attack to disable EDR software.

AuKill disables EDR processes by abusing a deprecated driver shipped with version 16.32 of Microsoft’s Process Explorer, then installs a backdoor or ransomware on the target machine. Process Explorer itself is a widely used and trusted tool for gathering data on running Windows processes. AuKill first checks whether it is already running with SYSTEM privileges; if not, it impersonates the TrustedInstaller (Windows Modules Installer) service and requests SYSTEM privileges.

The BYOVD technique relies on threat actors exploiting a valid but outdated and vulnerable driver signed by Microsoft to gain elevated privileges and disable security protections. The goal is to get around Driver Signature Enforcement, a critical Windows security measure that requires kernel-mode drivers to be signed by a legitimate code signing authority before they are permitted to load. The malware drops the older Process Explorer driver into the C:\Windows\System32\drivers directory, the same directory that holds the current driver. On a computer with a copy of Process Explorer running, both drivers can exist side by side.
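As an added defender-side example, not code from the article or the AuKill research, the following PowerShell check inventories driver files in the directory named above, flags any whose version metadata references Process Explorer or Sysinternals, reports their signer and load state, and warns when more than one such file is present (the side-by-side case described). The metadata strings matched and the output layout are assumptions of this script.

```powershell
# Added defender-side check: look for Process Explorer driver files in the
# directory AuKill drops into and surface duplicates for manual review.
# Assumption: the driver's VersionInfo strings mention "Process Explorer"
# or "Sysinternals"; these match patterns are this script's own choice.
$DriverDir = Join-Path $env:SystemRoot 'System32\drivers'
$Patterns  = 'Process Explorer', 'Sysinternals'   # assumed metadata markers

function Get-SuspectDrivers {
    param([string]$Path = $DriverDir)

    # Drivers currently registered with the kernel, keyed by on-disk path,
    # so we can tell whether a suspect file is actually loaded
    $loaded = @{}
    Get-CimInstance Win32_SystemDriver |
        Where-Object PathName |
        ForEach-Object { $loaded[$_.PathName.ToLower()] = $_.State }

    Get-ChildItem -Path $Path -Filter '*.sys' -File | ForEach-Object {
        $vi   = $_.VersionInfo
        $meta = "$($vi.ProductName) $($vi.CompanyName) $($vi.FileDescription)"
        $hit  = $Patterns | Where-Object { $meta -match [regex]::Escape($_) }
        if ($hit) {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File        = $_.FullName
                FileVersion = $vi.FileVersion
                Signer      = $sig.SignerCertificate.Subject
                SigStatus   = $sig.Status
                LoadState   = $loaded[$_.FullName.ToLower()]
                Modified    = $_.LastWriteTime
            }
        }
    }
}

$found = @(Get-SuspectDrivers)
if ($found.Count -eq 0) {
    Write-Output "No Process Explorer/Sysinternals driver files found in $DriverDir"
} else {
    $found | Format-Table -AutoSize
    # An older build sitting beside a legitimate newer one is the pattern
    # the article describes; compare versions and modification times.
    if ($found.Count -gt 1) {
        Write-Warning 'Multiple Process Explorer driver files present; review versions and timestamps.'
    }
}
```

A hit is not proof of compromise on a host where Process Explorer is legitimately in use; the file version, signing status, and whether the older copy is loaded are what to compare.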

In just the first few months of 2023, the tool has been used in at least three ransomware incidents to undermine the target’s defenses before the malware was deployed. Attackers used the program in January and February and then deployed the Medusa Locker ransomware; in February, an attacker used AuKill just before deploying the LockBit ransomware.

The BYOVD method is common among a variety of threat actors, from state-backed hacking groups to financially motivated ransomware gangs. Threat actors have used the AuKill tool against targets in numerous countries in Asia, Europe, and North America, across a variety of sectors including telecommunications, industrial, finance, healthcare, and hospitality.
