Researchers have discovered a new malware that stayed under the radar for quite some time. Identified as AuKill, it is a potent EDR-killing malware that leverages BYOVD (Bring Your Own Vulnerable Driver) to disable EDR clients. Attackers have already used the tool in recent ransomware attacks.
AuKill Malware Disables EDR Via BYOVD
According to a recent post from Sophos, its researchers have found a previously unreported malware actively used in the wild.
Identified as “AuKill,” the malware allows attackers to disable EDR clients on target systems to evade their security controls.
In brief, AuKill leverages the Bring Your Own Vulnerable Driver (BYOVD) technique to disable EDR. It abuses an outdated driver that shipped with version 16.32 of the Microsoft Sysinternals utility “Process Explorer.”
Specifically, the malware drops the older PROCEXP.SYS driver into the C:\Windows\System32\drivers path – the location where the legitimate driver version also resides. It then stops the legitimate driver so that the vulnerable, attacker-controlled driver takes its place. AuKill also drops a copy of its own executable into the system’s temp folder and runs it as a service.
It then executes the payload with administrative privileges, which the attackers must have obtained by other means. The malware will not run without admin privileges – a mandatory requirement that AuKill checks at startup.
With these prerequisites met, AuKill disables the EDR and starts a sequence of threads that keep the EDR service disabled.
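The behaviour described above leaves a recognisable trail in endpoint telemetry: a known-abused driver file written into the drivers directory, a service installed from a temp folder, and a driver load of a build that is not the current one. The following detection logic is an added example for defenders, not code from Sophos or from the malware; it assumes a simplified Sysmon-like event schema (`FileCreate`, `ServiceInstall`, `DriverLoad`), and every log line and SHA-256 value in it is constructed, with placeholder hashes standing in for the real approved driver hashes an organisation would maintain.

```python
"""Flag a BYOVD driver-swap sequence of the kind AuKill performs.

Added example (not Sophos' or the malware authors' code). The event format is a
simplified Sysmon-like schema and every log line below is constructed; the
SHA-256 values are placeholders, not real driver hashes.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

DRIVERS_DIR = r"c:\windows\system32\drivers"
# Driver names known to be abused for BYOVD; procexp.sys is the one named in the
# AuKill report. In practice, extend this from a curated list such as loldrivers.io.
ABUSED_DRIVER_NAMES = {"procexp.sys"}
# Hashes of driver builds you have verified as current and acceptable (placeholders).
APPROVED_HASHES = {"procexp.sys": {"SHA256-PLACEHOLDER-CURRENT-PROCEXP"}}


@dataclass
class Event:
    ts: datetime
    kind: str          # "FileCreate", "ServiceInstall" or "DriverLoad"
    host: str
    image: str         # created file, loaded driver, or service binary (lower-cased)
    sha256: str = ""   # only present on DriverLoad
    process: str = ""  # creating process, only present on FileCreate


def parse_line(line: str) -> Event:
    """Parse constructed 'ts|kind|host|key=value;key=value' lines."""
    ts, kind, host, rest = line.strip().split("|", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split(";") if kv)
    return Event(datetime.fromisoformat(ts), kind, host,
                 fields.get("image", "").lower(),
                 fields.get("sha256", ""),
                 fields.get("process", "").lower())


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def unapproved_abused_driver(ev: Event) -> bool:
    """A known-abused driver name loaded with a hash not on the approved list."""
    name = basename(ev.image)
    return (ev.kind == "DriverLoad" and name in ABUSED_DRIVER_NAMES
            and ev.sha256 not in APPROVED_HASHES.get(name, set()))


def detect(lines: Iterable[str], window: timedelta = timedelta(minutes=10)) -> list:
    """Return (host, finding, image, detail) tuples in event order."""
    events = sorted((parse_line(ln) for ln in lines), key=lambda e: e.ts)
    findings = []
    for i, ev in enumerate(events):
        # Signal 1: an abused driver name written into the drivers directory.
        if (ev.kind == "FileCreate" and ev.image.startswith(DRIVERS_DIR)
                and basename(ev.image) in ABUSED_DRIVER_NAMES):
            findings.append((ev.host, "abused-driver-dropped", ev.image, ev.process))
        # Signal 2: a service installed from a temp folder, followed on the same
        # host by a load of an abused driver within the window.
        if ev.kind == "ServiceInstall" and "\\temp\\" in ev.image:
            later = (e for e in events[i + 1:]
                     if e.host == ev.host and e.ts - ev.ts <= window)
            if any(e.kind == "DriverLoad" and basename(e.image) in ABUSED_DRIVER_NAMES
                   for e in later):
                findings.append((ev.host, "temp-service-then-driver-load", ev.image, ""))
        # Signal 3: the abused driver loaded with an unapproved (e.g. older) build hash.
        if unapproved_abused_driver(ev):
            findings.append((ev.host, "unapproved-driver-load", ev.image, ev.sha256))
    return findings


# Constructed sample telemetry: ws01 shows the swap sequence, ws02 a benign load.
SAMPLE_LOG = [
    r"2023-02-01T10:00:00|FileCreate|ws01|image=C:\Windows\System32\drivers\PROCEXP.SYS;process=C:\Users\bob\AppData\Local\Temp\svc.exe",
    r"2023-02-01T10:00:05|ServiceInstall|ws01|image=C:\Users\bob\AppData\Local\Temp\svc.exe",
    r"2023-02-01T10:00:07|DriverLoad|ws01|image=C:\Windows\System32\drivers\PROCEXP.SYS;sha256=SHA256-PLACEHOLDER-OLD-PROCEXP",
    r"2023-02-01T11:00:00|DriverLoad|ws02|image=C:\Windows\System32\drivers\PROCEXP.SYS;sha256=SHA256-PLACEHOLDER-CURRENT-PROCEXP",
]

if __name__ == "__main__":
    for host, finding, image, detail in detect(SAMPLE_LOG):
        print(f"{host}: {finding} {image} {detail}")
```

Run against the constructed log, the script reports three findings for `ws01` and none for `ws02`, whose driver load carries an approved hash. The approved-hash check is the key design choice: because the abused driver file lives in the same place as the legitimate one, the file name and signature alone are not enough to tell them apart, so the detection keys on which build was loaded.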
Malware Already Used In Active Attacks
The researchers noticed AuKill playing an active role in recent ransomware campaigns. These include two Medusa Locker ransomware incidents in January and February 2023 and a LockBit ransomware attack in February.
By the time of disclosure, Sophos had identified six different AuKill variants, indicating gradual improvement of its malicious functionality.
Nonetheless, AuKill does not appear to be entirely original: analysis revealed numerous similarities with the open-source tool Backstab, which has also been abused in malicious campaigns. The malware authors appear to have reused multiple code snippets from Backstab to derive their own tool.
To defend against AuKill and other BYOVD-based threats, the researchers advise keeping systems up to date and deploying endpoint protection, tamper protection, and vulnerability management measures.