Summary
AuKill is malicious software, often used by ransomware groups, that disables endpoint detection and response (EDR) security solutions on a system. It lets attackers bypass security measures before deploying ransomware: it terminates EDR processes through a vulnerable, outdated driver, such as the Process Explorer driver from Sysinternals, effectively “killing” the EDR functionality. Key points about AuKill:
- Function: Primarily used to evade security by disabling EDR software, often seen in ransomware attacks.
- Method: Exploits a legitimate but outdated version of a driver, like the Process Explorer driver, which gives it elevated privileges to terminate processes.
- Distribution: Delivered as a dropper that installs the vulnerable driver on the system.
- Associated Groups: Linked to ransomware groups like Medusa Locker and LockBit.
Main Source
‘AuKill’ EDR killer malware abuses Process Explorer driver
Driver-based attacks against security products are on the rise
Written by Andreas Klopsch
April 19, 2023
Through analysis and threat hunting, Sophos has collected six different variants of the AuKill malware. We have found multiple similarities between the open-source tool Backstab and AuKill. Some of these similarities include similar, characteristic debug strings, and nearly identical code flow logic to interact with the driver.
Medium
What is Bring your own Vulnerable Driver
BYOVD is an attack technique in which threat actors install a legitimate but vulnerable driver on a target machine. This vulnerable driver is then exploited to elevate privileges or execute code on the target system.
Attackers take advantage of a driver that is both created and signed by Microsoft: the Process Explorer driver is part of the Microsoft Sysinternals suite of administration tools.
https://cymulate.com/threats/aukill-edr-killer-malware-abuses-process-explorer-driver/
For example, the driver can receive the I/O control code IOCTL_CLOSE_HANDLE from user-mode applications, which commands the driver to close a protected process handle, resulting in the termination of that process.
If the sample does not run with SYSTEM privileges, it continues by attempting to elevate its rights by impersonating the security context of TrustedInstaller.exe.
First, AuKill starts the Trusted Installer service.
Then it duplicates the token of TrustedInstaller.exe using the DuplicateTokenW WINAPI function, and passes the token to CreateProcessWithTokenW to elevate itself to SYSTEM once the process restarts.
Finally, it copies itself to C:\Windows\system32, installs itself as a service, and starts the service.
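A defender-side example, added here and not part of this summary or of the Sophos analysis it cites: a small Python correlator that looks for the BYOVD sequence described above (the Trusted Installer service being started, a new service installed from C:\Windows\system32 shortly afterwards, and a Process Explorer driver being loaded) in Windows event records. The event records are constructed samples; the field names follow Service Control Manager events 7036/7045 and Sysmon event 6; and the driver file name procexp152.sys is an assumption that should be confirmed against your own threat intelligence before use.

```python
"""Correlate Windows events for the BYOVD / EDR-killer pattern (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from pathlib import PureWindowsPath


@dataclass
class Event:
    ts: datetime
    source: str            # "System" (Service Control Manager) or "Sysmon"
    event_id: int
    data: dict = field(default_factory=dict)


# Assumption: file name of the Sysinternals Process Explorer driver. Confirm which
# versions are vulnerable from your own intelligence; this only matches on the name.
SUSPECT_DRIVERS = {"procexp152.sys"}
SYSTEM32 = str(PureWindowsPath(r"C:\Windows\system32")).lower()


def _installed_directly_in_system32(image_path: str) -> bool:
    """True if the service binary sits directly in C:\\Windows\\system32 (case-insensitive).

    On its own this is noisy (many legitimate services live there); it is only used
    together with the Trusted Installer start below.
    """
    parent = PureWindowsPath(image_path.strip('"')).parent
    return str(parent).lower() == SYSTEM32


def detect(events, window=timedelta(minutes=5)):
    """Return (timestamp, category, detail) findings, in time order."""
    findings = []
    trusted_installer_started = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.source == "Sysmon" and e.event_id == 6:
            # Sysmon DriverLoad: flag a known vulnerable driver image by file name.
            image = e.data.get("ImageLoaded", "")
            if PureWindowsPath(image).name.lower() in SUSPECT_DRIVERS:
                findings.append((e.ts, "vulnerable_driver_load", image))
        elif e.source == "System" and e.event_id == 7036:
            # Service state change: display name of TrustedInstaller is
            # "Windows Modules Installer"; param2 carries the new state.
            if (e.data.get("param1", "").lower() == "windows modules installer"
                    and e.data.get("param2", "").lower() == "running"):
                trusted_installer_started.append(e.ts)
        elif e.source == "System" and e.event_id == 7045:
            # New service installed: suspicious if its binary is a fresh file in
            # system32 and Trusted Installer was started within the window before it.
            path = e.data.get("ImagePath", "")
            recent = any(timedelta(0) <= e.ts - t <= window
                         for t in trusted_installer_started)
            if recent and _installed_directly_in_system32(path):
                findings.append((e.ts, "service_after_trustedinstaller",
                                 f"{e.data.get('ServiceName')} -> {path}"))
    return findings


# Constructed sample events (not real telemetry). Service and file names are made up.
T0 = datetime(2023, 4, 19, 10, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "System", 7036,
          {"param1": "Windows Modules Installer", "param2": "running"}),
    Event(T0 + timedelta(seconds=40), "System", 7045,
          {"ServiceName": "WinSvcHelper",
           "ImagePath": r"C:\Windows\system32\winsvchelper.exe",
           "AccountName": "LocalSystem"}),
    Event(T0 + timedelta(seconds=55), "Sysmon", 6,
          {"ImageLoaded": r"C:\Windows\system32\drivers\PROCEXP152.SYS",
           "Signed": "true"}),
    # Benign noise: a vendor service installed hours later, outside system32.
    Event(T0 + timedelta(hours=2), "System", 7045,
          {"ServiceName": "VendorUpdater",
           "ImagePath": r"C:\Program Files\Vendor\updater.exe"}),
]

if __name__ == "__main__":
    for ts, category, detail in detect(SAMPLE_EVENTS):
        print(f"{ts:%H:%M:%S} {category}: {detail}")
```

The two categories are kept separate on purpose: a driver-load hit is worth a review on its own, whereas the service-install heuristic is only meaningful in the short window after Trusted Installer starts, which is the ordering the analysis describes.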