AuKill: a BYOVD attack tool used to disable EDR software
AuKill is a hacking tool that threat actors use to disable Endpoint Detection and Response (EDR) software on victims' systems before deploying backdoors and ransomware, in what is known as a Bring Your Own Vulnerable Driver (BYOVD) attack.
The malware, first spotted by Sophos X-Ops researchers, drops a vulnerable, outdated version of procexp.sys, the driver used by Microsoft's Sysinternals Process Explorer, and abuses it to escalate privileges and disable security software. Because the driver carries a valid Microsoft signature, Windows loads it without complaint, and the kernel-level access it provides lets the tool terminate processes that user-mode code cannot touch.
Multiple versions of AuKill have been observed in the wild. It has been deployed in at least three separate incidents since the start of 2023 that led to Medusa Locker and LockBit ransomware infections.
AuKill is similar to Backstab, an open-source tool previously deployed by the LockBit gang in at least one attack.
Backstab kills anti-malware protected processes by leveraging the Sysinternals Process Explorer (ProcExp) driver, which is signed by Microsoft.
Indicators of Compromise

| SHA256 |
|---|
| 1934b4641ca540ac4fd39c37e6f8b6878ddf111b5c8eb2de26c842cb6bd7b9b8 |
| 83a17f3fda45b00e34934ddd0d5ed72c479170cb39097938f07a5dc6e92068c3 |
| 761330a5e5b16f27fef971e1f41d309ee9f5f158dd09e81b2b31cda6dafa59f0 |
| 08a248de098e0f9edec425ce37d13c827eaf4c54c93182f4ddf1c5b3801cf540 |
| a780972312e2644f29555ec9275053eebce37befe038eabaeb783443209bc921 |
| 7bca36f037557b0f84412a666ef76dee8bfec1bc7754112b95f34634b8b72fed |
| d579b1853c528e54464c2607e559591ee01b0ab75bc016c14de1c38068328a81 |
| db0b5c434ddc7c97505a8be24431e9fbe484c2113df4ddf061aee91c35eab8b6 |
| 52b9a7b44154bbb9d81a581a7de4902b1c661559ea87803d9cb85339805bd6ca |
| 79357c9248aea61fa25f0641f2eeb13bb259da645ab2e8dd696b702ed4fa976b |
| cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc |
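The following hunting script is an added example, not code from Sophos X-Ops or the article. It walks a directory tree, hashes every file, and reports anything whose SHA-256 appears in the IOC table above, plus any file named procexp.sys, since AuKill drops a vulnerable copy of that Process Explorer driver. Which procexp.sys copies are legitimate depends on the host (an installed Process Explorer ships one), so a name hit is a lead to verify, not a verdict. The `demo()` function runs the scan over constructed stand-in files in a temporary directory; no real malware is involved and the stand-in's own hash is added to the IOC set only to exercise the match path.

```python
"""Hunt for AuKill artefacts: IOC hash matches and dropped procexp.sys copies."""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 values from the IOC table above.
AUKILL_SHA256 = {
    "1934b4641ca540ac4fd39c37e6f8b6878ddf111b5c8eb2de26c842cb6bd7b9b8",
    "83a17f3fda45b00e34934ddd0d5ed72c479170cb39097938f07a5dc6e92068c3",
    "761330a5e5b16f27fef971e1f41d309ee9f5f158dd09e81b2b31cda6dafa59f0",
    "08a248de098e0f9edec425ce37d13c827eaf4c54c93182f4ddf1c5b3801cf540",
    "a780972312e2644f29555ec9275053eebce37befe038eabaeb783443209bc921",
    "7bca36f037557b0f84412a666ef76dee8bfec1bc7754112b95f34634b8b72fed",
    "d579b1853c528e54464c2607e559591ee01b0ab75bc016c14de1c38068328a81",
    "db0b5c434ddc7c97505a8be24431e9fbe484c2113df4ddf061aee91c35eab8b6",
    "52b9a7b44154bbb9d81a581a7de4902b1c661559ea87803d9cb85339805bd6ca",
    "79357c9248aea61fa25f0641f2eeb13bb259da645ab2e8dd696b702ed4fa976b",
    "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc",
}

# File name of the vulnerable driver AuKill drops (from the article).
DROPPED_DRIVER_NAME = "procexp.sys"


def sha256_file(path, chunk_size=1 << 20):
    """Return the hex SHA-256 of a file, reading it in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan(root, iocs=AUKILL_SHA256):
    """Walk `root` and return (path, kind, detail) findings.

    kind is "hash" for an exact IOC match and "name" for a procexp.sys copy
    whose hash is not in the IOC set (a lead to verify, not a confirmed hit).
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                digest = sha256_file(path)
            except OSError:
                # Locked or unreadable file (e.g. a loaded driver); skip it.
                continue
            if digest in iocs:
                findings.append((path, "hash", digest))
            elif name.lower() == DROPPED_DRIVER_NAME:
                findings.append((path, "name", "procexp.sys present; confirm it belongs to an installed Process Explorer"))
    return findings


def demo():
    """Run scan() over constructed files in a temp dir; return sorted (name, kind)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "benign.txt").write_bytes(b"nothing to see here")
        sample = root / "aukill_like.exe"
        sample.write_bytes(b"constructed stand-in for an AuKill sample")
        driver_dir = root / "drivers"
        driver_dir.mkdir()
        (driver_dir / "PROCEXP.SYS").write_bytes(b"constructed stand-in for the dropped driver")
        # A constructed file cannot carry a real IOC hash, so add its own
        # hash to the IOC set purely to exercise the hash-match path.
        iocs = AUKILL_SHA256 | {sha256_file(sample)}
        return sorted((p.name, kind) for p, kind, _ in scan(root, iocs))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for hit in (scan(target) if target else demo()):
        print(*hit)
```

Run it with a directory argument (for example the drivers directory or a collected triage image) to scan real files; with no argument it runs the constructed demo. Loaded drivers may be locked and unreadable, which the script skips silently, so run it against an offline copy or a forensic image when a name hit needs confirmation.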