AuKill hacking tool exploits a Process Explorer driver to launch ransomware

May 10, 2023

Threat groups have recently been using a hacking tool dubbed AuKill to disable defences ahead of their attacks. The tool terminates endpoint detection and response (EDR) software, which is widely deployed across organisations. Researchers confirmed that AuKill had aided at least three ransomware campaigns in the past months.

Based on reports, two Medusa Locker ransomware campaigns adopted the new tool in the first two months of this year. The first attack appeared on January 18 and the second on February 14. In both cases the threat actors used AuKill to disable the EDR protection before launching the Medusa Locker ransomware.

In addition, the notorious LockBit ransomware group also employed the tool in a campaign in February this year.

Threat actors leverage the BYOVD technique to maximise the capability of the AuKill hacking tool.

Researchers explained that AuKill abuses an outdated, vulnerable version of the kernel driver that ships with the Process Explorer utility to deactivate EDR via the Bring Your Own Vulnerable Driver (BYOVD) technique: because the driver is legitimately signed, Windows loads it without complaint, and the tool then uses the driver's privileged functionality against protected processes. Upon infection, the tool drops a copy of the vulnerable driver to a fixed location on disk and loads it.

The tool then checks whether it is already running with SYSTEM privileges. If not, it escalates to the required privilege by impersonating the TrustedInstaller (Windows Modules Installer) service.

AuKill then starts multiple threads that scan for and kill EDR-related services and processes. It targets processes and services belonging to several vendors, including Microsoft, Splashtop, Sophos, and Aladdin HASP software.
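The behaviour described above leaves artefacts a defender can look for: a driver service whose image is the Process Explorer driver, and a fresh driver-service installation on a host where nobody runs Process Explorer. The following hunting script is an added example written for this page; it is not code from the article or from the AuKill research it summarises. Two things in it are assumptions the article does not state: that the dropped driver keeps a Process Explorer-style file name matching `procexp`, and that a newly registered driver service shows up as Service Control Manager event 7045 in the System log.

```powershell
# Added hunting example (not from the article or the AuKill research).
# Assumptions: the dropped driver name matches 'procexp'; a new driver service
# is logged as event 7045 ("A service was installed in the system").
# Run from an elevated PowerShell prompt.

function Resolve-DriverPath {
    param([string]$PathName)
    # Service image paths come in several shapes: "\??\C:\...", "\SystemRoot\...",
    # or a path relative to the Windows directory. Normalise to a plain file path.
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SuspectProcessExplorerDrivers {
    # Every kernel driver registered as a service whose image path looks like the
    # Process Explorer driver. Legitimate Process Explorer use also registers such
    # a service, so each hit is a lead to triage, not a verdict.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -match 'procexp' } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
            $sig  = if ($file) { Get-AuthenticodeSignature -FilePath $path } else { $null }
            [pscustomobject]@{
                Service     = $_.Name
                State       = $_.State
                StartMode   = $_.StartMode
                Path        = $path
                FileVersion = if ($file) { $file.VersionInfo.FileVersion } else { '<missing>' }
                Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned/missing>' }
                SigStatus   = if ($sig) { $sig.Status } else { 'n/a' }
            }
        }
}

function Get-RecentDriverServiceInstalls {
    param([int]$Days = 30)
    # Event 7045 in the System log records every new service, drivers included.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'procexp' } |
        Select-Object TimeCreated, @{ n = 'Detail'; e = { $_.Message -replace '\s+', ' ' } }
}

Write-Host '== Process Explorer-like driver services =='
Get-SuspectProcessExplorerDrivers | Format-Table -AutoSize

Write-Host '== Service installs mentioning procexp (last 30 days) =='
Get-RecentDriverServiceInstalls | Format-Table -AutoSize -Wrap
```

A hit is worth escalating when the file version is older than the Process Explorer build your administrators actually use, when the service was installed at a time or on a host where nobody was troubleshooting, or when the EDR agent's own logs stop shortly after the install. If Sysmon is deployed, its driver-load event (Event ID 6) gives the same signal at load time rather than only from the service registry.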

Researchers noted that AuKill closely resembles an open-source tool called Backstab, which has been used in the same way in earlier attacks. The two tools share debug strings and similar code-flow logic when interacting with the targeted driver.

Outdated, vulnerable drivers remain an attractive target because they carry a valid signature and are therefore loaded by Windows as trusted code. The emergence of tools such as AuKill and Backstab shows that threat groups are packaging this EDR-killing capability into reusable, automated tooling rather than building it per intrusion.

Cybersecurity experts recommend that Windows administrators enable the operating system's vulnerable driver blocklist feature to mitigate BYOVD threats such as AuKill.
