Ransomware Hackers Using AuKill Tool to Disable EDR Software Using BYOVD Attack

April 24, 2023 | Ravie Lakshmanan | Endpoint Security / BYOVD


Threat actors are employing a previously undocumented “defense evasion tool” called AuKill, which is designed to disable endpoint detection and response (EDR) software using a Bring Your Own Vulnerable Driver (BYOVD) attack.

“The AuKill tool exploits an outdated version of the driver used by version 16.32 of Microsoft’s Process Explorer utility to disable EDR processes before deploying a backdoor or ransomware on the target system,” said Sophos researcher Andreas Klopsch in a report published last week.

Incidents analyzed by the cybersecurity firm show the use of AuKill since early 2023 to deploy various strains of ransomware such as Medusa Locker and LockBit. Six different versions of the malware have been identified so far. The oldest AuKill sample has a build timestamp of November 2022.

The BYOVD technique relies on threat actors misusing a legitimate, but outdated and exploitable driver signed by Microsoft (or using a stolen or leaked certificate) to gain elevated privileges and disable security mechanisms.

By using valid but susceptible drivers, the idea is to bypass a key Windows safeguard known as Driver Signature Enforcement, which ensures that kernel-mode drivers have been signed by a valid code signing authority before they are allowed to run.

“The AuKill tool requires administrative privileges to function, but cannot give those privileges to the attacker,” Klopsch noted. “Threat actors using AuKill leveraged existing privileges during the attacks, when they were obtained through other means.”
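The pattern described above (a signed but vulnerable driver is loaded from an unusual location, and moments later the EDR processes die) is something a detection engineer can correlate from driver-load and process-termination telemetry. The following script is an added example, not code from Sophos or from the article; it runs over constructed, Sysmon-style sample events embedded inline, and the driver blocklist, trusted driver directory and EDR process names are assumptions to be replaced with your own data (in production, match driver hashes against Microsoft’s vulnerable driver blocklist rather than file names, since a name alone also matches the patched Process Explorer driver).

```python
"""Correlate suspicious driver loads with EDR process terminations.

Added example (not the article's or Sophos' code). Events are constructed,
simplified Sysmon-style records: event 6 = driver loaded, event 5 = process
terminated, in the form "<timestamp> <event id> key=value key=value ...".
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import PureWindowsPath

# Assumption: local blocklist of driver file names. Real deployments should
# match hashes against Microsoft's vulnerable driver blocklist, because the
# name alone also matches the current, patched Process Explorer driver.
VULNERABLE_DRIVER_NAMES = {"procexp152.sys"}

# Assumption: process names of the EDR agent to watch (vendor-specific).
EDR_PROCESS_PATTERNS = [re.compile(r"edr_(agent|sensor)\.exe$", re.IGNORECASE)]

# Drivers normally live here; a signed driver loaded from elsewhere is odd.
TRUSTED_DRIVER_DIR = PureWindowsPath(r"C:\Windows\System32\drivers")

# Constructed sample telemetry (not from any real incident).
SAMPLE_EVENTS = r"""
2023-04-20T10:14:02Z 6 ImageLoaded=C:\Windows\System32\drivers\storport.sys Signed=true Signature=Microsoft Windows
2023-04-20T10:15:10Z 6 ImageLoaded=C:\Users\Public\PROCEXP152.sys Signed=true Signature=Microsoft Windows Hardware Compatibility Publisher
2023-04-20T10:15:12Z 5 Image=C:\Program Files\EDRVendor\edr_agent.exe
2023-04-20T10:15:13Z 5 Image=C:\Program Files\EDRVendor\edr_sensor.exe
2023-04-20T10:15:14Z 5 Image=C:\Windows\explorer.exe
2023-04-20T11:00:00Z 5 Image=C:\Windows\System32\notepad.exe
"""

# key=value pairs; values may contain spaces, so stop only before the next key.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


@dataclass
class Event:
    time: datetime
    event_id: int
    fields: dict


@dataclass
class Finding:
    severity: str
    time: datetime
    reason: str


def parse_events(text):
    """Parse the simplified event lines into Event objects."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, rest = line.split(" ", 2)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(when, int(eid), dict(KV_RE.findall(rest))))
    return events


def is_suspicious_driver(ev):
    """Return a reason string if a driver-load event looks like BYOVD staging, else None."""
    path = PureWindowsPath(ev.fields.get("ImageLoaded", ""))
    if path.name.lower() in VULNERABLE_DRIVER_NAMES:
        return f"known-vulnerable driver {path.name}"
    if TRUSTED_DRIVER_DIR not in path.parents:
        return f"driver loaded from unusual location {path.parent}"
    return None


def analyze(events, window_seconds=60):
    """Flag suspicious driver loads; escalate if EDR processes die soon after."""
    findings = []
    events = sorted(events, key=lambda e: e.time)
    for i, ev in enumerate(events):
        if ev.event_id != 6:
            continue
        reason = is_suspicious_driver(ev)
        if reason is None:
            continue
        findings.append(Finding("medium", ev.time, reason))
        deadline = ev.time + timedelta(seconds=window_seconds)
        killed = [
            PureWindowsPath(e.fields.get("Image", "")).name
            for e in events[i + 1:]
            if e.event_id == 5 and e.time <= deadline
            and any(p.search(e.fields.get("Image", "")) for p in EDR_PROCESS_PATTERNS)
        ]
        if killed:
            findings.append(Finding(
                "high", ev.time,
                f"{reason}; EDR processes terminated within {window_seconds}s: {', '.join(killed)}"))
    return findings


if __name__ == "__main__":
    for f in analyze(parse_events(SAMPLE_EVENTS)):
        print(f.severity.upper(), f.time.isoformat(), f.reason)
```

On the sample data the benign storport.sys load produces nothing, while the Process Explorer driver loaded from C:\Users\Public yields a medium finding on its own and a high finding once the two EDR processes terminate within the 60-second window. The two-stage severity matters in practice: a vulnerable-driver load alone has legitimate explanations (an admin running an old Process Explorer), whereas the load plus immediate EDR termination is the AuKill sequence the article describes.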

This is not the first time that the Process Explorer driver signed by Microsoft has been used as a weapon in attacks. In November 2022, Sophos also detailed LockBit affiliates’ use of an open-source tool called Backstab that abused outdated driver versions to terminate protected anti-malware processes.

Earlier this year, a malvertising campaign using the same driver was detected as part of an infection chain that distributed a .NET loader called MalVirt to deploy the FormBook information-stealing malware.

The development comes as the AhnLab Security Emergency Response Center (ASEC) revealed that mismanaged MS-SQL servers are being weaponized to install the Trigona ransomware, which shares overlaps with another strain called CryLock.

Play ransomware (aka PlayCrypt) actors have also been observed using custom data collection tools that allow listing all users and computers on a compromised network and copying files from the Volume Shadow Copy Service (VSS).

Grixba, a .NET-based information stealer, is designed to scan a machine for security programs, backup software, and remote administration tools, and exfiltrate the collected data in the form of CSV files that are then compressed in ZIP files.

Also used by the cybercriminal gang, tracked by Symantec as Balloonfly, is a VSS copy tool written in .NET that makes use of the AlphaVSS framework to list files and folders in a VSS snapshot and copy them to a destination directory before encryption.



Play ransomware stands out not only for using intermittent encryption to speed up the process, but also because it does not operate on a ransomware-as-a-service (RaaS) model. Evidence gathered so far points to Balloonfly carrying out the ransomware attacks and also developing the malware.

Grixba and the VSS copy tool are the latest in a long list of proprietary tools, such as Exmatter, Exbyte, and PowerShell-based scripts, that ransomware actors use to establish more control over their operations, while adding layers of complexity to persist in compromised environments and evade detection.

Another technique increasingly adopted by financially motivated groups is the use of the Go programming language to develop cross-platform malware and resist analysis and reverse engineering efforts.

In fact, a Cyble report last week documented a new Golang ransomware called CrossLock that uses the double extortion technique to increase the likelihood of its victims paying up, as well as taking steps to evade Event Tracing for Windows (ETW).

“This functionality can allow malware to avoid detection by security systems that rely on event logs,” Cyble said. “CrossLock Ransomware also performs several actions to reduce the chances of data recovery while increasing the effectiveness of the attack.”

Recently, tech company Ikaroa has reported that malicious actors are using the newly discovered AuKill tool to disable EDR (Endpoint Detection and Response) software. The attack technique, dubbed BYOVD (Bring Your Own Vulnerable Driver), highlights the importance of keeping security measures up to date in order to prevent ransomware hackers from carrying out their attacks.

EDR software is designed to detect, analyze and block threats to an organization’s systems, such as malware. The AuKill tool targets EDR software through a vulnerable signed driver, rendering the protection ineffective. The tool works by exploiting a known bypass, allowing attackers to evade endpoint security protections.

Furthermore, BYOVD gives attackers the advantage of not needing to disclose the vulnerabilities to the software vendors; it relies on the same tools malicious actors already use to conduct attacks, granting them an unobstructed path to their target’s endpoint systems.

The BYOVD technique is an especially dangerous one, allowing attackers to use their own targeted attack vectors which have been carefully crafted and discovered to evade the confines of security systems. This presents a particular problem since EDR software is designed to detect and mitigate such attacks. It is therefore important for organizations to apply security patches and threat intelligence to their endpoint systems in order to stay one step ahead of the attackers.

Ikaroa is committed to offering cutting-edge security solutions and providing its customers with complete protection against the ever-changing threat landscape. Its range of services includes automated detection and response, malware analysis and malware removal, along with advanced IT security solutions which are designed to address current and emerging threats.

In conclusion, it is essential for organizations to be aware of the BYOVD technique and to regularly update their security measures in order to protect against the damaging effects of ransomware attacks. Ikaroa is dedicated to helping companies stay secure by providing innovative security solutions and threat intelligence.

