Ransomware actors are using AuKill tool to disable security defenses

Ransomware groups are leveraging a new defense evasion tool that abuses an out-of-date Microsoft Windows driver to disable endpoint detection and response (EDR) processes before dropping malware onto systems.

The tool, dubbed “AuKill” by researchers at Sophos, has been observed in at least three ransomware incidents since the start of the year. In January and February, attackers deployed Medusa Locker ransomware after using the tool; in February, an attacker used AuKill before deploying Lockbit ransomware.

AuKill, which exploits an outdated version (16.32) of Microsoft's Process Explorer driver, employs a technique known as a “bring your own vulnerable driver” (BYOVD) attack to disable Process Explorer and bypass security defenses.

The BYOVD technique involves a threat actor loading a legitimately signed but vulnerable driver onto the system and then using that driver's vulnerabilities to execute malicious actions with kernel-level privileges.

Sophos researchers say they discovered six different variants of the AuKill malware, four of which share similarities with Backstab, an open-source tool capable of killing antimalware-protected processes by abusing the Process Explorer driver. These similarities include characteristic debug strings and nearly identical code-flow logic for interacting with the driver, suggesting that the AuKill developer borrowed some code from Backstab.

AuKill abuses a driver that is legitimate and digitally signed by Microsoft, but outdated. The malware drops the older driver into the C:\Windows\System32\drivers path, where the newer Process Explorer driver is located.

“Both drivers can be present on a machine that has a copy of Process Explorer running. The AuKill installer also drops an executable copy of itself to either the System32 or the TEMP directory, which it runs as a service,” Sophos notes.

Although AuKill requires administrative privileges to work, it does not provide the attacker with those privileges. In the analyzed cases, the threat actors using AuKill took advantage of privileges they had already obtained through other means earlier in the attack.
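A defender-side check for the behaviour described above, added here as an example and not Sophos's or any vendor's tooling: it scans constructed driver-load and service-install records for an outdated Process Explorer driver appearing in the drivers directory and for a service binary run from TEMP (or unsigned from System32). The event schema, field names, file names and version values in the sample data are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Version of the Process Explorer driver the article reports as abused.
ABUSED_PROCEXP_VERSION = "16.32"
DRIVERS_DIR = r"c:\windows\system32\drivers"


@dataclass
class Event:
    kind: str              # "driver_load" or "service_install" (assumed schema)
    path: str              # file path of the driver or service binary
    description: str = ""  # file description from the PE version resource
    version: str = ""      # file version string
    signed: bool = True    # whether the binary carries a valid signature


def _ver(v: str):
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def check_event(ev: Event) -> Optional[str]:
    """Return a finding for one event, or None if nothing matches."""
    p = ev.path.lower()
    if ev.kind == "driver_load":
        # An old Process Explorer driver landing in the drivers directory is
        # the BYOVD precursor the article describes.
        if ("process explorer" in ev.description.lower()
                and p.startswith(DRIVERS_DIR)
                and ev.version and _ver(ev.version) <= _ver(ABUSED_PROCEXP_VERSION)):
            return f"outdated Process Explorer driver {ev.version}: {ev.path}"
    elif ev.kind == "service_install":
        # AuKill's installer runs a copy of itself from System32 or TEMP as a service.
        if "\\temp\\" in p:
            return f"service binary in TEMP: {ev.path}"
        if p.startswith(r"c:\windows\system32") and not ev.signed:
            return f"unsigned service binary in System32: {ev.path}"
    return None


def scan(events: List[Event]) -> List[str]:
    return [f for f in (check_event(e) for e in events) if f]


# Constructed sample telemetry; file names and versions are not real indicators.
SAMPLE_EVENTS = [
    Event("driver_load", r"C:\Windows\System32\drivers\procexp_old.sys", "Process Explorer", "16.32"),
    Event("driver_load", r"C:\Windows\System32\drivers\procexp_cur.sys", "Process Explorer", "17.0"),
    Event("service_install", r"C:\Users\alice\AppData\Local\Temp\svc.exe", signed=False),
    Event("service_install", r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```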
