Security researchers of the Sophos X-Ops team have identified a new defense evasion tool named ‘AuKill’, which helps ransomware actors disable endpoint detection and response (EDR) security tools before they perform additional actions such as deploying backdoors, moving laterally within the compromised network, or executing the data-encrypting ransomware payload itself.
So far in 2023, Sophos has detected at least three separate ransomware attacks involving Medusa Locker ransomware and LockBit ransomware that used AuKill. This indicates that AuKill is either sold by a third-party vendor to ransomware gangs or derived from an open-source tool and shared among cybercriminals. In fact, Sophos’ report notes that AuKill is similar to the Backstab open-source tool, which was made publicly available in 2021 and has previously been used by ransomware gangs including LockBit, so AuKill is most likely an evolution of that tool.
AuKill sabotages the target’s protection tools by abusing an outdated, vulnerable driver named ‘PROCEXP.SYS’, shipped with version 16.32 of Microsoft’s Process Explorer utility, and exploiting its known flaw to elevate the attacker’s privileges on the host system. This is a common technique known as “bring your own vulnerable driver” (BYOVD): because the attacker supplies the vulnerable driver, privilege elevation on the breached system does not depend on vulnerable software already being present or on any other form of exploitation.
In practice, AuKill requires administrative privileges to work, which the attackers need to obtain via other means. The tool must be launched with the “startkey” keyword as a command-line argument; it then impersonates the security context of “TrustedInstaller.exe” to escalate its privileges to SYSTEM. After that, it copies itself to “C:\Windows\system32” for persistence and drops the vulnerable driver to fulfill its EDR-disabling role.
https://news.sophos.com/wp-content/uploads/2023/04/image5-1.png
EDR products are often protected even from administrators, but AuKill enables the attackers to take control of the legitimate driver (‘procexp152.sys’) running in kernel mode, which is enough to bypass all protection policies and disable security tools.
Unfortunately, AuKill is under very active development: Sophos has sampled six continually improving versions between November 2022 and February 2023, each targeting a larger number of security products. The current version, version six, targets Microsoft, Sophos, and Splashtop products, while earlier versions also targeted Aladdin HASP software and Elasticsearch.
AuKill attempts to terminate the running processes of security tools either by abusing the Process Explorer driver (“TerminateViaProcexp”) or by forceful termination (“TerminateProcess”). Additionally, it disables their services so that they won’t start after a system reboot, and in version six it also unloads their drivers to break their installation completely.
https://news.sophos.com/wp-content/uploads/2023/04/image7-1.png
The trend of disabling EDR clients continues to rise in 2023 as ransomware actors find that this approach increases their chances of a successful ransomware attack. The later defenders detect an intrusion, the more damage and the deeper the network infiltration the threat actors will have achieved, so disabling security tools is a priority for them.
Ransomware recovery expert MonsterCloud can help mitigate EDR-disabling threats by assisting your organization in establishing a holistic security approach that includes disabling or restricting the use of vulnerable drivers, monitoring for the loading of drivers not on a defined allowlist, and stopping all unauthorized activities before they can inflict any damage.
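As an added defender-side example (not code from the Sophos report, the Backstab project, or MonsterCloud), the following Python script applies the driver-allowlist idea above to Sysmon “Driver loaded” (Event ID 6) records exported as XML. The Sysmon XML layout and field names (ImageLoaded, Hashes, Signed, Signature, SignatureStatus) are real; the three event records, their hashes, the host name, the paths and the signer strings are constructed placeholders, not IoCs. The check keys on file hash rather than on signer because PROCEXP.SYS is a legitimately signed Microsoft binary, so a signature-only check would not flag it; the file names in `KNOWN_ABUSED_NAMES` are the ones this article mentions.

```python
"""Allowlist check over Windows driver-load events (Sysmon Event ID 6).

Added example, not code from the Sophos report or from MonsterCloud. The
event records below are constructed to follow Sysmon's XML layout; the
hashes, host name, paths and signer strings are made-up placeholders.
"""
import ntpath
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed SHA256 values for the sample events (not real file hashes).
TCPIP_SHA256 = "11" * 32
PROCEXP_SHA256 = "22" * 32
UNKNOWN_SHA256 = "33" * 32

# Hash-keyed allowlist of drivers expected on the fleet. Hash, not signer,
# is the key: a validly signed but vulnerable driver must still be flagged.
ALLOWLIST: Dict[str, str] = {
    TCPIP_SHA256: "tcpip.sys (Windows network stack)",
}

# Driver file names the article associates with AuKill's BYOVD technique.
KNOWN_ABUSED_NAMES = {"procexp.sys", "procexp152.sys"}

DRIVERS_DIR = "c:\\windows\\system32\\drivers\\"


def _event(image: str, sha256: str, signed: str, signature: str, status: str) -> str:
    """Build one constructed Sysmon Event ID 6 record (real field names)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>6</EventID><Computer>ws01.example.local</Computer></System>"
        "<EventData>"
        f'<Data Name="ImageLoaded">{image}</Data>'
        f'<Data Name="Hashes">SHA256={sha256}</Data>'
        f'<Data Name="Signed">{signed}</Data>'
        f'<Data Name="Signature">{signature}</Data>'
        f'<Data Name="SignatureStatus">{status}</Data>'
        "</EventData></Event>"
    )


# Constructed sample: a normal driver, a signed-but-abused driver dropped
# into the drivers directory, and an unsigned driver from a user-writable path.
SAMPLE_EVENTS: List[str] = [
    _event("C:\\Windows\\System32\\drivers\\tcpip.sys", TCPIP_SHA256, "true", "Microsoft Windows", "Valid"),
    _event("C:\\Windows\\System32\\drivers\\PROCEXP.SYS", PROCEXP_SHA256, "true", "Microsoft Corporation", "Valid"),
    _event("C:\\Users\\Public\\tmp\\svc.sys", UNKNOWN_SHA256, "false", "", "Unavailable"),
]


def parse_driver_load(xml_text: str) -> Dict[str, object]:
    """Return the fields the allowlist check needs, or {} if not Event ID 6."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "6":
        return {}
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    # Sysmon writes Hashes as "SHA1=..,MD5=..,SHA256=..,IMPHASH=.."; keep SHA256.
    hashes = dict(p.split("=", 1) for p in fields.get("Hashes", "").split(",") if "=" in p)
    return {
        "computer": root.findtext("e:System/e:Computer", default="", namespaces=NS),
        "image": fields.get("ImageLoaded", ""),
        "sha256": hashes.get("SHA256", "").lower(),
        "signed": fields.get("Signed", "").lower() == "true",
        "signature_status": fields.get("SignatureStatus", ""),
    }


def evaluate(ev: Dict[str, object], allowlist: Dict[str, str]) -> List[str]:
    """Reasons to alert on one driver-load event; an empty list means expected."""
    reasons: List[str] = []
    image = str(ev["image"])
    if str(ev["sha256"]) not in allowlist:
        reasons.append("hash not on allowlist")
    if ntpath.basename(image).lower() in KNOWN_ABUSED_NAMES:
        reasons.append("file name matches a known abused driver")
    if not ev["signed"] or ev["signature_status"] != "Valid":
        reasons.append("unsigned or invalid signature")
    if not image.lower().startswith(DRIVERS_DIR):
        reasons.append("loaded from outside the drivers directory")
    return reasons


def scan(events_xml: List[str], allowlist: Dict[str, str]) -> List[Dict[str, object]]:
    """Run the check over exported Sysmon records and collect the findings."""
    findings: List[Dict[str, object]] = []
    for xml_text in events_xml:
        ev = parse_driver_load(xml_text)
        if not ev:
            continue  # not a driver-load event
        reasons = evaluate(ev, allowlist)
        if reasons:
            findings.append({**ev, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS, ALLOWLIST):
        print(f"{f['computer']}: {f['image']} -> {', '.join(f['reasons'])}")
```

On the sample input, tcpip.sys passes and the other two records are flagged: PROCEXP.SYS because its hash is not on the allowlist and its name is known to be abused (its valid Microsoft signature does not help it), and svc.sys because it is unsigned, unknown, and loaded from a user-writable path. In a real deployment the allowlist would be generated from a known-good baseline of the fleet, and the hash check complements, rather than replaces, blocking the driver outright with a driver blocklist policy.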
Sources:
- https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/
- https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer
- https://github.com/Yaxser/Backstab
- https://github.com/sophoslabs/IoCs