Security News > 2023 > April > Ransomware gangs abuse Process Explorer driver to kill security software
Threat actors use a new hacking tool dubbed AuKill to disable Endpoint Detection & Response Software on targets' systems before deploying backdoors and ransomware in Bring Your Own Vulnerable Driver attacks.
The AuKill malware, first spotted by Sophos X-Ops security researchers, drops a vulnerable Windows driver next to the one used by Microsoft's Process Explorer v16.32.
To escalate privileges, it first checks if it's already running with SYSTEM privileges, and if not, it impersonates the TrustedInstaller Windows Modules Installer service to escalate to SYSTEM. To disable security software, AuKill starts several threads to continuously probe and disable security processes and services.
Multiple AuKill versions have been observed in the wild, some deployed in at least three separate incidents that have led to Medusa Locker and LockBit ransomware infections since the start of the year.
AuKill is similar to an open-source tool called Backstab, which also uses a Process Explorer driver to disable security solutions running on compromised devices.
The oldest AuKill sample has a November 2022 compilation timestamp, while the newest was compiled in mid-February when it was also used as part of an attack linked to the LockBit ransomware group.
News URL
Related news
- Enzo Biochem ordered to cough up $4.5 million over lousy security that led to ransomware disaster (source)
- Ransomware gang deploys new malware to kill security software (source)
- Most Ransomware Attacks Occur When Security Staff Are Asleep, Study Finds (source)
- MFA bypass becomes a critical security issue as ransomware tactics advance (source)