Drivers are low-level system components that can access critical security structures in kernel memory. Threat actors increasingly have been relying on abusable drivers to disable security tools. Sophos believes the author of AuKill used multiple code snippets from, and built their malware around, the core technique introduced by Backstab. AuKill entries (highlighted) in the list of Windows Services Some of these similarities include similar, characteristic debug strings, and nearly identical code flow logic to interact with the driver. We have found multiple similarities between the open-source tool Backstab and AuKill. Through analysis and threat hunting, Sophos has collected six different variants of the AuKill malware. Three months later, Sentinel One published a report about a tool they called MalVirt, which uses the same Process Explorer driver to disable security products before deploying the final payload on the target machine. Last November, for example, Sophos X-Ops reported that a threat actor working for the LockBit ransomware group used Backstab to disable EDR processes on an infected machine. In fact, Sophos and other security vendors have previously reported on multiple incidents where either Backstab, or a version of this driver, was used for malicious purposes. The method of abusing the Process Explorer driver to bypass EDR systems isn’t new it was implemented in the open-source tool Backstab, first published in June 2021. This technique is commonly referred to as a “bring your own vulnerable driver” (BYOVD) attack. In contrast, the AuKill tool abused a legitimate, but out-of-date and exploitable, driver. In December 2022, Sophos, Microsoft, Mandiant, and SentinelOne reported that a number of attackers had used custom-built drivers to disable EDR products. This is not the first time we and other vendors reported on multiple threat groups simultaneously deploying software designed to kill EDR agents that protect computers. The tool was used during at least three ransomware incidents since the beginning of 2023 to sabotage the target’s protection and deploy the ransomware: In January and February, attackers deployed Medusa Locker ransomware after using the tool in February, an attacker used AuKill just prior to deploying Lockbit ransomware. The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system. The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work.Over the past several months, Sophos X-Ops has investigated multiple incidents where attackers attempted to disable EDR clients with a new defense evasion tool we’ve dubbed AuKill. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you’ll see the handles that the process selected in the top window has opened if Process Explorer is in DLL mode you’ll see the DLLs and memory-mapped files that the process has loaded. The Process Explorer display consists of two sub-windows. Process Explorer (ZIP) shows you information about which handles and DLLs processes have opened or loaded. Ever wondered which program has a particular file or directory open? Now you can find out.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |