AuKill Exploits Process Explorer Utility via BYOVD, Deploys Ransomware

A new hacking tool, called AuKill, is increasingly getting traction among attackers due to its stealthy capabilities. The tool allows attackers to kill EDR software used by organizations. Since the beginning of this year, AuKill has been used in at least three ransomware attacks.

AuKill attacks in the wild

Security researchers from the Sophos X-Ops team have observed different adversary groups using AuKill to disable the EDR process during various malicious campaigns.
  • In the first two months of 2023, two different Medusa Locker campaigns were observed. On January 18 and then again on February 14, attackers used AuKill to terminate the EDR software and then deployed Medusa Locker ransomware.
  • February saw another campaign in which AuKill was used to deploy the LockBit ransomware.

How does it operate?

The AuKill tool abuses an outdated version (16.32) of the Process Explorer utility to disable the EDR process, a technique popularly called Bring Your Own Vulnerable Driver (BYOVD).
  • Upon infection, it drops a vulnerable driver (named PROCEXP.SYS) in the same location where the genuine Process Explorer drivers are stored.
  • Next, it checks whether it is running with SYSTEM privileges. If not, it attempts to escalate to that privilege level by impersonating the TrustedInstaller (Windows Modules Installer) service.
  • It starts multiple threads to scan for and terminate EDR-related services and processes. The EDR vendors and services targeted by AuKill vary from sample to sample and include Microsoft, Sophos, Splashtop, and Aladdin HASP Software.
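As an added illustration of the detection side of the behaviour above (not code from the Sophos write-up or from AuKill itself), the following Python correlates Sysmon-style driver-load, process-create and process-terminate events: a Process Explorer driver that appears without the Process Explorer GUI having been launched, or that is followed by several EDR process terminations, is flagged. The event shape, the EDR image names and the sample telemetry are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Illustrative EDR-related image names (tune to the products in your estate).
EDR_IMAGES = {"sedservice.exe", "sophosfs.exe", "msmpeng.exe", "mssense.exe"}
# Process Explorer GUI executables that legitimately load the driver.
PROCEXP_GUI = {"procexp.exe", "procexp64.exe"}
WINDOW = timedelta(seconds=60)

# Constructed sample telemetry in a Sysmon-like shape (driver load, process
# create, process terminate); not real data from the campaigns described.
SAMPLE_EVENTS = [
    {"ts": "2023-02-14T10:00:00", "event": "ProcessCreate", "image": r"C:\Users\victim\AppData\Local\Temp\svc.exe"},
    {"ts": "2023-02-14T10:00:01", "event": "DriverLoad", "image": r"C:\Windows\PROCEXP.SYS"},
    {"ts": "2023-02-14T10:00:02", "event": "ProcessTerminate", "image": r"C:\Program Files\Sophos\Endpoint Defense\SEDService.exe"},
    {"ts": "2023-02-14T10:00:03", "event": "ProcessTerminate", "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"},
    # Benign: an admin runs Process Explorer, which loads its own driver; nothing is killed.
    {"ts": "2023-02-14T11:00:00", "event": "ProcessCreate", "image": r"C:\Tools\procexp64.exe"},
    {"ts": "2023-02-14T11:00:01", "event": "DriverLoad", "image": r"C:\Windows\PROCEXP152.SYS"},
]

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_byovd_edr_kills(events, window=WINDOW, min_kills=2):
    """One finding per procexp*.sys load that lacks a preceding Process Explorer
    GUI launch, or is followed by >= min_kills EDR process terminations."""
    events = sorted(events, key=_ts)
    findings = []
    for i, e in enumerate(events):
        name = _base(e["image"])
        if e["event"] != "DriverLoad" or not (name.startswith("procexp") and name.endswith(".sys")):
            continue
        t0 = _ts(e)
        # Was the legitimate GUI started shortly before the driver appeared?
        gui_seen = any(x["event"] == "ProcessCreate" and _base(x["image"]) in PROCEXP_GUI
                       and t0 - window <= _ts(x) <= t0 for x in events[:i])
        # EDR-related processes that die within the window after the load.
        kills = [_base(x["image"]) for x in events[i + 1:]
                 if x["event"] == "ProcessTerminate" and _base(x["image"]) in EDR_IMAGES
                 and _ts(x) - t0 <= window]
        if not gui_seen or len(kills) >= min_kills:
            findings.append({"ts": e["ts"], "driver": e["image"],
                             "procexp_gui_seen": gui_seen, "edr_kills": kills})
    return findings
```

Running `find_byovd_edr_kills(SAMPLE_EVENTS)` yields a single finding for the PROCEXP.SYS load; the admin's own Process Explorer session at 11:00 is not flagged.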

Similarities with Backstab malware

AuKill is not the first tool targeting EDR services via Process Explorer. In the past, an open-source tool called Backstab performed a similar maneuver.
  • Additional similarities between the two tools include identical characteristic debug strings and the same code flow logic when dealing with the driver.
  • It is believed that AuKill is developed using the same core technology as seen in Backstab, and has borrowed several modules from it.

Ending notes

The exploitation of vulnerable drivers continues to be a popular attack method. Moreover, the discovery of tools such as AuKill and Backstab indicates that adversaries are automating this part of their attacks. To fend off such BYOVD attacks, experts recommend that Windows users enable the Windows vulnerable driver blocklist feature.
Cyware Publisher