Ransomware Hackers Use AuKill Tool to Disable EDR Software Using BYOVD Attack
Threat actors are using a previously undocumented “defense evasion tool” dubbed AuKill that is designed to disable endpoint detection and response (EDR) software by means of a Bring Your Own Vulnerable Driver (BYOVD) attack.
“The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying a backdoor or ransomware on the target system,” Sophos researcher Andreas Klopsch said in a report published last week.
Incidents analyzed by the cybersecurity firm point to the use of AuKill as early as 2023 to deploy various ransomware strains such as Medusa Locker and LockBit. Six different versions of the malware have been identified to date, and the oldest AuKill sample carries a November 2022 compilation timestamp.
The BYOVD technique relies on threat actors abusing legitimate but outdated and exploitable drivers that are signed by Microsoft (or signed with stolen or leaked certificates) to gain kernel-level access and disable security mechanisms.
Because the driver is legitimately signed, it passes Driver Signature Enforcement (DSE), the Windows protection that refuses to load kernel-mode drivers unless they are signed by a valid code signing authority. The attacker never has to get a malicious driver signed: the vulnerable driver loads on its own merits, and its flaws are then abused from user mode to do things only the kernel can, such as terminating protected EDR processes.
“The AuKill tool requires administrative privileges to work, but it cannot grant those privileges to an attacker,” the Sophos researcher wrote. “Threat actors using AuKill took advantage of privileges that already existed during an attack, having acquired them through other means.”
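One way a defender can turn the above into a hunt, as an added example that is not code from the article, Sophos or any of the vendors named here: a Python script that walks Sysmon-style driver-load (Event ID 6) and process-terminate (Event ID 5) records, flags any driver whose SHA256 is on a vulnerable-driver blocklist, and escalates when an EDR process on the same host dies within a few minutes of the load. The log records, host names, file paths, hash values and the EDR process-name list are all constructed for the example (the digests are placeholders, not the real Process Explorer driver hashes). The important design choice is that a valid Microsoft signature is recorded but never used to suppress the alert, because that signature is exactly what gets a BYOVD driver past DSE.

```python
"""Hunt for BYOVD-style EDR tampering in Sysmon driver-load (EID 6) and
process-terminate (EID 5) records. Added example; not vendor code.
All events and hashes below are constructed placeholders."""
import re
from datetime import datetime, timedelta

# Placeholder blocklist: sha256 -> description. In a real hunt, source this
# from Microsoft's vulnerable driver blocklist or a curated list; these
# digests are invented for the example and are NOT the real driver hashes.
VULNERABLE_SHA256 = {
    "1111aaaa" * 8: "outdated Process Explorer driver (process-kill primitive)",
}
# Assumed set of EDR/AV process names to correlate against.
EDR_IMAGES = {"msmpeng.exe", "sentinelagent.exe", "cbdefense.exe", "sophoshealth.exe"}
# How long after a vulnerable driver load an EDR process death counts as related.
CORRELATION_WINDOW = timedelta(minutes=5)

VULN = "1111aaaa" * 8      # placeholder digest, on the blocklist
BENIGN = "2222bbbb" * 8    # placeholder digest, not on the blocklist

# Constructed Sysmon-style records in the "Key: value" layout Event Viewer shows.
SAMPLE_LOG = f"""\
EventID: 6
UtcTime: 2023-04-10 09:12:44.101
Computer: WS01
ImageLoaded: C:\\Windows\\Temp\\PROCEXP.SYS
Hashes: SHA256={VULN}
Signed: true
Signature: Microsoft Windows Hardware Compatibility Publisher
SignatureStatus: Valid

EventID: 5
UtcTime: 2023-04-10 09:13:02.550
Computer: WS01
Image: C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe
ProcessId: 3320

EventID: 6
UtcTime: 2023-04-10 10:40:00.000
Computer: WS02
ImageLoaded: C:\\Windows\\System32\\drivers\\tcpip.sys
Hashes: SHA256={BENIGN}
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

EventID: 6
UtcTime: 2023-04-10 11:05:19.000
Computer: WS03
ImageLoaded: C:\\Users\\admin\\Downloads\\procexp152.sys
Hashes: SHA256={VULN}
Signed: true
Signature: Microsoft Windows Hardware Compatibility Publisher
SignatureStatus: Valid
"""


def parse_events(text):
    """Parse blank-line-separated 'Key: value' records into dicts sorted by time."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^(\w+): (.*)$", block, re.M))
        fields["UtcTime"] = datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(fields)
    return sorted(events, key=lambda e: e["UtcTime"])


def sha256_of(event):
    """Pull the SHA256 digest out of Sysmon's 'Hashes' field, if present."""
    m = re.search(r"SHA256=([0-9a-fA-F]{64})", event.get("Hashes", ""))
    return m.group(1).lower() if m else None


def hunt(text):
    """One alert per blocklisted driver load; 'critical' if an EDR process on the
    same host terminated within CORRELATION_WINDOW afterwards, else 'high'."""
    events = parse_events(text)
    alerts = []
    for ev in events:
        if ev.get("EventID") != "6":
            continue
        digest = sha256_of(ev)
        if digest not in VULNERABLE_SHA256:
            continue
        # Record the signature but never suppress on it: a BYOVD driver is
        # legitimately signed by design, which is why DSE lets it load.
        alert = {
            "host": ev["Computer"],
            "driver": ev["ImageLoaded"],
            "reason": VULNERABLE_SHA256[digest],
            "signed": ev.get("Signed", "").lower() == "true",
            "edr_terminated": [],
        }
        deadline = ev["UtcTime"] + CORRELATION_WINDOW
        for later in events:
            if (later.get("EventID") == "5"
                    and later.get("Computer") == ev["Computer"]
                    and ev["UtcTime"] <= later["UtcTime"] <= deadline):
                image = later.get("Image", "").rsplit("\\", 1)[-1].lower()
                if image in EDR_IMAGES:
                    alert["edr_terminated"].append(image)
        alert["severity"] = "critical" if alert["edr_terminated"] else "high"
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in hunt(SAMPLE_LOG):
        print(a)
```

Run as-is and it reports WS01 as critical (blocklisted driver load followed by the Defender engine dying 18 seconds later) and WS03 as high (same driver, no EDR termination seen yet), while the benign tcpip.sys load on WS02 is ignored. In production the records would come from a SIEM export and the blocklist from Microsoft's published vulnerable driver list; the correlation with a prior admin-level action (per the Sophos note that AuKill needs, but cannot grant, administrative rights) is a natural next pivot.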
This is not the first time Microsoft’s signed Process Explorer driver has been weaponized in an attack. In November 2022, Sophos also detailed the use by LockBit affiliates of an open source tool called Backstab, which abuses old versions of the driver to terminate anti-malware protected processes.
Then earlier this year, a malvertising campaign was spotted using the same driver as part of a .NET loader named MalVirt to distribute the FormBook information-stealing malware.
The development comes as the AhnLab Security Emergency Response Center (ASEC) revealed that poorly managed MS-SQL servers are being weaponized to install Trigona ransomware, which shares overlaps with another strain called CryLock.
It also follows findings that the Play ransomware actor (aka PlayCrypt) has been observed using a custom data-gathering tool that enumerates all users and computers on a compromised network and copies files from the Volume Shadow Copy Service (VSS).
Grixba, a .NET-based information stealer, is designed to scan machines for security programs, backup software, and remote administration tools, and to export the collected data as CSV files that are then compressed into ZIP archives.
Also used by the cybercrime gang, tracked by Symantec as Balloonfly, is a VSS Copy Tool written in .NET that leverages the AlphaVSS framework to list the files and folders in a VSS snapshot and copy them to a destination directory prior to encryption.
Play ransomware is notorious not only for using intermittent encryption to speed up the process, but also for not operating on a ransomware-as-a-service (RaaS) model. The evidence gathered so far suggests that Balloonfly both carries out the ransomware attacks and develops the malware itself.
Grixba and the VSS Copy Tool are the latest in a long list of proprietary tools like Exmatter, Exbyte, and PowerShell-based scripts used by ransomware actors to exert more control over their operations, while adding an extra layer of complexity to persist in compromised environments and evade detection.
Another technique increasingly being adopted by financially motivated groups is the use of the Go programming language to develop cross-platform malware and to resist analysis and reverse engineering efforts.
Indeed, a report from Cyble last week documented a new Go-based ransomware called CrossLock that uses a double extortion technique to increase the probability of a payout from its victims, in addition to taking steps to evade Event Tracing for Windows (ETW).
“This functionality can enable the malware to evade detection by security systems that rely on event logs,” Cyble said. “CrossLock ransomware also takes several actions to reduce the chances of data recovery while increasing the effectiveness of the attack.”