Hackers are using a new tool to disable endpoint security software on devices before deploying further malware, and in some cases ransomware, researchers have warned.
Cybersecurity researchers at Sophos X-Ops recently observed cybercriminals deploying a tool called AuKill, which uses the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security products.
First, the attackers drop a legitimate but vulnerable driver onto the target endpoint, typically delivered through phishing emails. The driver, procexp.sys, runs with kernel privileges: it is an outdated version of the driver bundled with version 16.32 of Microsoft's Process Explorer (a legitimate Sysinternals utility that collects data about active Windows processes). AuKill writes it to the Windows drivers folder alongside the copy the real Process Explorer uses, and because the driver carries a valid signature, Windows loads it without complaint.
Bring your own vulnerable driver
Once launched, AuKill first checks whether it is running with SYSTEM privileges; if it is not, it obtains them by impersonating TrustedInstaller, the Windows Modules Installer service. It then starts several threads that, through the vulnerable driver, locate and terminate security processes and disable their services.
With the security software out of the way, the AuKill operators deploy their second-stage payload. According to the Sophos X-Ops report, this has included the Medusa Locker and LockBit ransomware families, two of the most widely used variants.
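The sequence above (vulnerable driver loaded, then security processes terminated in quick succession) is what a defender can hunt for. The following is an added detection sketch, not code from Sophos, the article, or AuKill itself: it correlates Sysmon-style driver-load and process-terminate events, constructed inline for the demo, and flags a Process Explorer driver load that is followed by a burst of security-product terminations. The log format, the security-product image names and the Sysmon event IDs used for the two signals are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumed security-product image names for the demo; a real rule would use the
# process names of the products actually deployed in the estate.
SECURITY_PROCESSES = {
    "msmpeng.exe", "sophoshealth.exe", "sentinelagent.exe",
    "csfalconservice.exe", "mbamservice.exe",
}


@dataclass(frozen=True)
class Event:
    ts: datetime
    event_id: int   # Sysmon-style IDs assumed here: 6 = DriverLoad, 5 = ProcessTerminate
    image: str      # driver path (ID 6) or terminated process path (ID 5)


def parse_line(line: str) -> Event:
    """Parse one line of the constructed '<iso-timestamp>|<event id>|<image path>' format."""
    ts, event_id, image = line.strip().split("|", 2)
    return Event(datetime.fromisoformat(ts), int(event_id), image)


def driver_signal(image: str):
    """Classify a driver-load path. Returns (severity, reason) or None if uninteresting."""
    name = PureWindowsPath(image).name.lower()
    if name == "procexp.sys":
        # AuKill drops the Process Explorer driver under this file name, so the
        # name alone is a strong signal before any process is killed.
        return ("high", "Process Explorer driver loaded under the file name AuKill drops it as")
    if name.startswith("procexp") and name.endswith(".sys"):
        # The same signed driver under its shipped name (PROCEXP152.sys) loads
        # whenever an admin runs Process Explorer; only the follow-on kills make
        # it suspicious. Hunting on the driver's hash catches a renamed copy too.
        return ("medium", "Process Explorer driver loaded")
    return None


def detect(events, window=timedelta(minutes=5), min_kills=2):
    """Alert on a Process Explorer driver load followed by >= min_kills security-process terminations."""
    alerts = []
    for load in events:
        if load.event_id != 6:
            continue
        signal = driver_signal(load.image)
        if signal is None:
            continue
        severity, reason = signal
        killed = sorted({
            PureWindowsPath(e.image).name.lower()
            for e in events
            if e.event_id == 5
            and load.ts <= e.ts <= load.ts + window
            and PureWindowsPath(e.image).name.lower() in SECURITY_PROCESSES
        })
        if len(killed) >= min_kills:
            alerts.append({"severity": severity, "reason": reason, "driver": load.image,
                           "loaded_at": load.ts, "killed": killed})
    return alerts


# Constructed sample telemetry (not real incident data). The first driver load is
# an admin running Process Explorer with nothing killed afterwards; the second is
# the AuKill pattern: renamed driver, then security processes terminated.
SAMPLE_LOG = r"""
2023-02-14T02:30:00|6|C:\Windows\System32\drivers\PROCEXP152.sys
2023-02-14T02:31:10|5|C:\Windows\System32\notepad.exe
2023-02-14T03:11:45|6|C:\Windows\System32\drivers\PROCEXP.SYS
2023-02-14T03:11:50|5|C:\Program Files\Windows Defender\MsMpEng.exe
2023-02-14T03:11:51|5|C:\Program Files\Sophos\Health\SophosHealth.exe
2023-02-14T03:12:03|5|C:\Windows\System32\notepad.exe
""".strip().splitlines()

EVENTS = [parse_line(line) for line in SAMPLE_LOG]
ALERTS = detect(EVENTS)

if __name__ == "__main__":
    for alert in ALERTS:
        print(f"[{alert['severity']}] {alert['reason']}: {alert['driver']} at {alert['loaded_at']}, "
              f"then terminated {', '.join(alert['killed'])}")
```

Run against the sample, the benign Process Explorer session produces no alert and the renamed-driver load produces one high-severity alert naming the two security processes killed inside the window. The file-name check is deliberately only one of the two signals: an attacker can keep the driver's shipped name, so a production rule should also match the vulnerable driver's hash and treat any Process Explorer driver load followed by security-process terminations as suspicious.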
“The tool has been used in at least three ransomware incidents since early 2023 to sabotage the target's protection and deploy ransomware,” the researchers warn. “In January and February, attackers deployed Medusa Locker ransomware after using the tool; in February, the attacker used AuKill just before the LockBit ransomware was deployed.”
While the tool has only just been spotted, one of its variants carries a compilation timestamp of November 2022, and the most recent version found was compiled in mid-February 2023. Its code resembles that of Backstab, an open-source tool that disables security software the same way, by abusing the Process Explorer driver, and which LockBit operators have used in the past.
“We found many similarities between the open source tool Backstab and AuKill,” says the Sophos team. “Some of these similarities include similar distinctive debug strings and nearly identical code flow logic for interacting with the driver.”
Via: BleepingComputer