A cybercrime tool dubbed "AuKill" has emerged that threat actors are using to disable the endpoint detection and response (EDR) defenses enterprises rely on, before deploying ransomware. It relies on a vulnerable device driver to gain the privileged access it needs on the target system.
In two recent incidents, researchers from Sophos observed an adversary using AuKill prior to deploying Medusa Locker ransomware; another time, the security vendor discovered an attacker using the EDR killer on an already compromised system before installing the LockBit ransomware.
Christopher Budd, senior manager of threat research at Sophos, says the trend is a response to the growing effectiveness of EDR tools. "Threat actors are starting to recognize that EDR agents provide security vendors a significant advantage in spotting attacks," he says. "Threat actors are targeting the tools causing them the most trouble."
The attacks are similar to a flurry of incidents that Sophos, Microsoft, Mandiant, and SentinelOne reported in December, where threat actors used custom-built drivers to disable security products on already compromised systems, leaving them open to other exploits.
In those attacks, threat actors used malicious drivers that they tricked Microsoft into digitally signing, therefore making them appear legitimate. In other driver attacks, threat actors have exploited a vulnerability in a legitimate device driver to execute ransomware, escalate privileges, and bypass security controls. Some security vendors and researchers commonly refer to the technique as a "bring your own vulnerable driver" or BYOVD attack.
AuKill itself falls into the BYOVD category: it takes advantage of a legitimate but outdated and exploitable version of the driver that Microsoft's Process Explorer 16.32 uses in order to disable EDR processes.
Bring Your Own Vulnerable Driver
The vulnerable Process Explorer driver that AuKill leverages, like other kernel drivers, has privileged access on the systems where it is installed and can interact with and terminate running processes.
Process Explorer itself is a free tool that gives users detailed information on all running processes on a system, including their executable paths, performance metrics, and other data. It offers features for monitoring real-time system activity, setting process priorities, terminating processes, and performing other functions.
Budd says that in the recent ransomware attacks Sophos observed, the threat actor deployed the tool on systems to which they had already gained access. Once on a system, AuKill drops a driver named PROCEXP.SYS, taken from release version 16.32 of Process Explorer, into the same location as the legitimate, current version of the Process Explorer driver (PROCEXP152.sys).
"The [legitimate] Process Explorer driver v.16.32 does not limit its functionality to working with the main Process Explorer executable," Budd says. "So other programs may send API calls to the driver to take advantage of its functionality." In AuKill's case, the tool abuses the legitimate driver to execute instructions to shut down EDR and other security controls on the compromised computer. "They leverage the existing functionality in the Process Explorer driver that permits Process Explorer to terminate running programs," he says.
Sophos has so far analyzed six different versions of AuKill and noticed substantial changes with each new version. Newer versions target more EDR processes and services for termination, and they include a feature that continuously probes EDR processes and services to ensure that terminated processes stay terminated even when they attempt to restart. The malware authors have also made AuKill more robust by having it run multiple threads at once so that it can protect itself from being terminated in turn, Budd says.
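The behaviour described in the preceding paragraphs (the superseded PROCEXP.SYS written beside the current PROCEXP152.sys, the old driver loading, and security processes being killed repeatedly by something other than Process Explorer) can be turned into detection logic. The following is an added example written for this article, not code from Sophos or from the AuKill analysis: it runs four rules over a small set of constructed telemetry records. The event field names, the folder path C:\Drivers, the actor name aukill_sample.exe and the protected process names edr_agent.exe and edr_service.exe are all constructed placeholders; procexp.exe and procexp64.exe are Process Explorer's own executable names, which the rules treat as the only images expected to terminate processes through that driver.

```python
"""Flag AuKill-style abuse of the Process Explorer driver in constructed endpoint telemetry.

Added example for this article; not Sophos code. Field names, paths and process
names are constructed placeholders, not a real vendor schema.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

LEGIT_DRIVER = "procexp152.sys"   # driver shipped with current Process Explorer (per the article)
ABUSED_DRIVER = "procexp.sys"     # driver from the 16.32 release that AuKill drops (per the article)
PROCEXP_IMAGES = {"procexp.exe", "procexp64.exe"}   # Process Explorer's own executables
# Placeholder names standing in for a security agent's processes (constructed).
PROTECTED = {"edr_agent.exe", "edr_service.exe"}


@dataclass(frozen=True)
class Event:
    ts: int           # seconds since start of the sample (constructed)
    kind: str         # "file_create" | "driver_load" | "process_terminate"
    actor: str        # image name that performed the action
    path: str = ""    # file path for file_create / driver_load
    target: str = ""  # image name killed, for process_terminate


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _folder(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def detect(events):
    """Return (ts, rule, detail) findings in time order."""
    findings = []
    files_in = defaultdict(set)   # folder -> lower-cased driver names written there
    driver_loaded = False         # has the superseded PROCEXP.SYS been loaded yet?
    kills = Counter()             # protected target -> terminations after that load

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "file_create":
            folder = files_in[_folder(ev.path)]
            folder.add(_name(ev.path))
            # Rule 1: old PROCEXP.SYS and current PROCEXP152.sys end up in the same
            # folder (fires once, on whichever of the two is written second).
            if _name(ev.path) in (ABUSED_DRIVER, LEGIT_DRIVER) and \
                    {ABUSED_DRIVER, LEGIT_DRIVER} <= folder:
                findings.append((ev.ts, "sideload", f"{ev.actor} wrote {ev.path}"))
        elif ev.kind == "driver_load" and _name(ev.path) == ABUSED_DRIVER:
            # Rule 2: the superseded driver is loaded at all.
            driver_loaded = True
            findings.append((ev.ts, "old_driver_load", ev.path))
        elif ev.kind == "process_terminate" and driver_loaded:
            tgt = ev.target.lower()
            if tgt in PROTECTED and ev.actor.lower() not in PROCEXP_IMAGES:
                kills[tgt] += 1
                # Rule 3: an image other than Process Explorer kills a security
                # process while the old driver is resident.
                findings.append((ev.ts, "edr_kill", f"{ev.actor} killed {ev.target}"))
                # Rule 4: the same security process dies a second time after
                # restarting, matching the probe-and-re-kill behaviour of newer builds.
                if kills[tgt] == 2:
                    findings.append((ev.ts, "persistent_kill", f"{ev.target} killed repeatedly"))
    return findings


def rules(events):
    """Just the rule names, in firing order (handy for tests and dashboards)."""
    return [rule for _, rule, _ in detect(events)]


# Constructed sample: a legitimate extraction of the current driver, then an
# AuKill-like sequence, then an administrator using the real tool (not flagged).
SAMPLE = [
    Event(10, "file_create", "procexp64.exe", r"C:\Drivers\PROCEXP152.sys"),
    Event(20, "file_create", "aukill_sample.exe", r"C:\Drivers\PROCEXP.SYS"),
    Event(21, "driver_load", "System", r"C:\Drivers\PROCEXP.SYS"),
    Event(22, "process_terminate", "aukill_sample.exe", target="edr_agent.exe"),
    Event(23, "process_terminate", "aukill_sample.exe", target="notepad.exe"),
    Event(30, "process_terminate", "aukill_sample.exe", target="edr_agent.exe"),
    Event(40, "process_terminate", "procexp64.exe", target="edr_service.exe"),
]

if __name__ == "__main__":
    for ts, rule, detail in detect(SAMPLE):
        print(f"t={ts:>3}  {rule:<16} {detail}")
```

Rule 1 alone is a strong signal, because the current Process Explorer has no reason to write a file with the old driver's name; rules 3 and 4 are what distinguish an attacker-driven kill from an administrator legitimately using Process Explorer, which is why the actor image is checked rather than the termination itself.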
Sophos' analysis of AuKill found code similarities with BackStab, an open source tool that surfaced in June 2021 and also abused the Process Explorer driver to kill EDR tools. The company's researchers spotted a LockBit actor using BackStab to disable EDR on systems as recently as last November.