AuKill is a new hacking tool used by threat actors to disable Endpoint Detection & Response (EDR) software on victims’ systems before deploying backdoors and ransomware in Bring Your Own Vulnerable Driver (BYOVD) attacks.

The malware, first spotted by Sophos X-Ops security researchers, drops a vulnerable Windows driver (procexp.sys) next to the one used by Microsoft’s Process Explorer to escalate privileges and disable security software.

Multiple versions of AuKill have been observed in the wild, deployed in at least three separate incidents that have led to Medusa Locker and LockBit ransomware infections since the start of the year.

AuKill is similar to an open-source tool called Backstab, previously deployed by the LockBit gang in at least one attack.

Backstab is a tool capable of killing antimalware-protected processes by leveraging the Sysinternals Process Explorer (ProcExp) driver, which is signed by Microsoft.

Indicators of Compromise

SHA256
1934b4641ca540ac4fd39c37e6f8b6878ddf111b5c8eb2de26c842cb6bd7b9b8
83a17f3fda45b00e34934ddd0d5ed72c479170cb39097938f07a5dc6e92068c3
761330a5e5b16f27fef971e1f41d309ee9f5f158dd09e81b2b31cda6dafa59f0
08a248de098e0f9edec425ce37d13c827eaf4c54c93182f4ddf1c5b3801cf540
a780972312e2644f29555ec9275053eebce37befe038eabaeb783443209bc921
7bca36f037557b0f84412a666ef76dee8bfec1bc7754112b95f34634b8b72fed
d579b1853c528e54464c2607e559591ee01b0ab75bc016c14de1c38068328a81
db0b5c434ddc7c97505a8be24431e9fbe484c2113df4ddf061aee91c35eab8b6
52b9a7b44154bbb9d81a581a7de4902b1c661559ea87803d9cb85339805bd6ca
79357c9248aea61fa25f0641f2eeb13bb259da645ab2e8dd696b702ed4fa976b
cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc