Security researchers from the Sophos X-Ops team have discovered a novel defense evasion tool called ‘AuKill.’ This tool allows ransomware perpetrators to deactivate endpoint detection and response (EDR) security measures before proceeding with further actions, such as deploying backdoors, attempting lateral movement within the infiltrated network, or executing the data-encrypting ransomware payload.
In 2023, Sophos identified at least three distinct ransomware attacks involving Medusa Locker and LockBit ransomware. This implies that AuKill is either being marketed by a third-party supplier to ransomware groups or is based on an open-source tool shared among cybercriminals. Indeed, Sophos’ report highlights that AuKill bears a resemblance to the Backstab open-source tool, which was released in 2021 and has previously been employed by ransomware groups, including LockBit, so it is likely an advanced version of that tool.
AuKill compromises the target’s defensive tools by taking advantage of an outdated, vulnerable driver called ‘PROCEXP.SYS,’ used by version 16.32 of Microsoft’s Process Explorer utility. It loads this driver and exploits its known vulnerability to elevate the attacker’s privileges on the host system. This method is referred to as “bring your own vulnerable driver” (BYOVD) and enables attackers to raise their privileges on compromised systems without relying on vulnerable software already present on the host or on other forms of exploitation.
In a nutshell, AuKill requires administrative privileges to operate, which attackers must acquire through other means. It is then launched with the “startkey” keyword as a command-line argument, assumes the security context of “TrustedInstaller.exe” to escalate privileges to SYSTEM, copies itself to “C:\Windows\system32” for persistence, and deploys the vulnerable driver to fulfill its EDR-deactivating role.
EDR products are typically safeguarded even from administrators, but AuKill enables attackers to manipulate the legitimate driver (‘procexp152.sys’) operating in kernel mode, circumventing all protection policies and deactivating security solutions.
Unfortunately, AuKill is under ongoing development, with Sophos witnessing six progressively enhanced versions between November 2022 and February 2023, each targeting an increasing number of security products. Presently, in its sixth version, AuKill concentrates on Microsoft, Sophos, and Splashtop, but earlier versions also targeted Aladdin HASP Software and ElasticSearch.
AuKill attempts to terminate security tools’ active processes either by misusing the Procexp tool (“TerminateViaProcexp”) or by forcibly ending them (“TerminateProcess”). It also disables the services to stop them from restarting after a system reboot, and in version six, it unloads their drivers to entirely disrupt their installation.
The trend of deactivating EDR clients continues to grow in 2023 as ransomware actors realize that this approach increases the probability of successful ransomware attacks. The later defenders identify an intrusion, the more significant the damage and network penetration the threat actors can accomplish, making disabling security tools crucial.
Ransomware recovery expert MonsterCloud can help combat EDR-deactivating threats by assisting your organization in implementing a thorough security strategy. This includes disabling or restricting the use of vulnerable drivers, monitoring for driver loads that are not on a predefined allowlist, and stopping all unauthorized activities before they can inflict any damage.
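As an added illustration of the driver-load monitoring recommended above (example code written for this page, not Sophos’ or MonsterCloud’s), the following Python pass triages constructed Sysmon-style DriverLoad (Event ID 6) and ProcessCreate (Event ID 1) records against an assumed allowlist, the Process Explorer driver name, and the “startkey” argument the article describes. The field names, allowlist, sample paths and the “updater.exe” binary name are assumptions for the sample, not values from the article.

```python
"""Triage constructed Sysmon-style events for the AuKill behaviours described above.

Assumptions (not from the article): field names follow Sysmon Event ID 6
(DriverLoad: ImageLoaded) and Event ID 1 (ProcessCreate: Image, CommandLine);
the allowlist and sample events below are constructed, not real telemetry.
"""
import re

DRIVERS_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed allowlist: driver images a fleet is expected to load.
DRIVER_ALLOWLIST = {DRIVERS_DIR + "ntfs.sys", DRIVERS_DIR + "tcpip.sys"}

# Process Explorer driver names the article ties to AuKill (PROCEXP.SYS / procexp152.sys).
PROCEXP_DRIVER = re.compile(r"^procexp\d*\.sys$", re.IGNORECASE)


def check_driver_load(event: dict) -> list:
    """Return the reasons an Event ID 6 record deserves analyst attention (empty if none)."""
    image = event["ImageLoaded"].lower()
    name = image.rsplit("\\", 1)[-1]
    reasons = []
    if image not in DRIVER_ALLOWLIST:
        reasons.append("driver image not on allowlist")
    if PROCEXP_DRIVER.match(name):
        reasons.append("known-vulnerable Process Explorer driver name")
    if not image.startswith(DRIVERS_DIR):
        reasons.append("driver loaded from outside the drivers directory")
    return reasons


def check_process_create(event: dict) -> list:
    """Flag an Event ID 1 record whose arguments carry the 'startkey' keyword AuKill is launched with."""
    args = event["CommandLine"].lower().split()
    return ["'startkey' keyword on command line"] if "startkey" in args[1:] else []


def triage(events: list) -> list:
    """Apply the matching check to each event; return (index, reasons) for every hit."""
    checks = {6: check_driver_load, 1: check_process_create}
    hits = []
    for i, ev in enumerate(events):
        reasons = checks.get(ev["EventID"], lambda _e: [])(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample log: a benign driver load, a BYOVD-style load, and a suspicious launch.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys"},
    {"EventID": 6, "ImageLoaded": "C:\\Users\\Public\\PROCEXP152.SYS"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\updater.exe", "CommandLine": "updater.exe startkey"},
]

if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_EVENTS):
        print(index, "; ".join(reasons))
```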