Ransomware Operators Leverage AuKill Tool to Disable Security Solutions


April 20, 2023


A new attack tool called AuKill is being leveraged by threat actors. It abuses the Microsoft Process Explorer driver to disable EDR (Endpoint Detection and Response) solutions so that attackers can deploy stealthy backdoors and deliver ransomware payloads.

These “Bring Your Own Vulnerable Driver” (BYOVD) attacks drop a legitimate driver that runs with kernel privileges and is signed with a valid digital certificate; because the driver is trusted by the operating system, the technique is difficult to detect.

AuKill bears resemblance to Backstab, an open-source tool used by the LockBit gang that also abuses the Microsoft Process Explorer driver to bypass security solutions.
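As an added example (not code from the article, from AuKill or Backstab, or from any vendor), the following Python sketch shows the defender's side of the BYOVD pattern described above: it treats a valid signature as non-exculpatory, flags loads of the Process Explorer driver from an unexpected location, and correlates them with terminations of protected processes shortly afterwards. The Sysmon-like event text, the signer string, the agent image names and the driver list are constructed assumptions.

```python
"""Detect BYOVD-style abuse of a legitimately signed driver in Sysmon-like events."""
import re
from datetime import datetime, timedelta
# Legitimate, validly signed drivers that have been abused to blind security
# tooling. PROCEXP152.sys is the Process Explorer driver the article refers to.
ABUSED_SIGNED_DRIVERS = {"procexp152.sys", "procexp.sys"}
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
PROTECTED_IMAGES = {"edr_agent.exe", "edr_sensor.exe"}  # assumed agent image names
WINDOW = timedelta(seconds=60)  # driver load -> agent termination correlation window

# Constructed events (EventId 6 = DriverLoad, 5 = ProcessTerminate); signer is a placeholder.
SAMPLE_LOG = [
    r"EventId=6 UtcTime=2023-02-14 03:12:05 ImageLoaded=C:\Users\Public\PROCEXP152.sys Signed=true Signature=ExampleSigner",
    r"EventId=5 UtcTime=2023-02-14 03:12:09 Image=C:\Program Files\ExampleEDR\edr_agent.exe",
    r"EventId=5 UtcTime=2023-02-14 03:12:10 Image=C:\Program Files\ExampleEDR\edr_sensor.exe",
    r"EventId=6 UtcTime=2023-02-14 03:30:00 ImageLoaded=C:\Windows\System32\drivers\tcpip.sys Signed=true Signature=ExampleSigner",
]

def parse_event(line):
    """Turn 'Key=Value Key=Value ...' text into a dict; values may contain spaces."""
    fields = dict(f.split("=", 1) for f in re.split(r"\s+(?=\w+=)", line.strip()))
    fields["UtcTime"] = datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S")
    return fields

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def driver_load_reasons(ev):
    """Why a DriverLoad looks like BYOVD; Signed=true is deliberately not exculpatory."""
    image = ev["ImageLoaded"].lower()
    reasons = []
    if basename(image) in ABUSED_SIGNED_DRIVERS:
        reasons.append("known-abused legitimate driver")
    if not image.startswith(DRIVER_DIR):
        reasons.append("loaded from outside the system driver directory")
    return reasons

def detect_edr_kill(lines):
    """Alert on suspicious driver loads; escalate when protected processes die within WINDOW."""
    events = [parse_event(l) for l in lines]
    alerts = []
    for ev in events:
        if ev["EventId"] != "6" or not (reasons := driver_load_reasons(ev)):
            continue
        killed = sorted({basename(e["Image"]) for e in events if e["EventId"] == "5"
                         and ev["UtcTime"] <= e["UtcTime"] <= ev["UtcTime"] + WINDOW
                         and basename(e["Image"]) in PROTECTED_IMAGES})
        alerts.append({"driver": ev["ImageLoaded"], "reasons": reasons,
                       "killed": killed, "severity": "critical" if killed else "high"})
    return alerts
```

In real telemetry the Sysmon DriverLoad event also carries file hashes, which should be matched against a maintained list of abused drivers rather than relying on the filename alone.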

"The tool was used during at least three ransomware incidents since the beginning of 2023 to sabotage the target's protection and deploy the ransomware," Bleeping Computer reports.

"In January and February, attackers deployed Medusa Locker ransomware after using the tool; in February, an attacker used AuKill just prior to deploying LockBit ransomware."

Takeaway: Tools like AuKill and Backstab aren’t the only ways to bypass endpoint protections. Unfortunately, bypassing security controls and endpoint protection solutions like EDR is fairly easy and has been going on for a long time.

There are numerous examples of hard-coded AV/NGAV/EDR/XDR bypasses that let an attack slip by without an alert being triggered. Attackers have also been observed using universal unhooking techniques to bypass security tools. Universal unhooking essentially blinds endpoint protection tools to the malicious activity, rendering them ineffective for detecting the attack.

Code hooking is a technique used by legitimate software, including endpoint protection tools, to gain the visibility they need into activity on the network. Universal unhooking techniques hijack execution flow and allow attackers to deploy a rootkit, for example, and then obfuscate subsequent processes and network connections.

Organizations require both a robust prevention strategy and an agile resilience strategy to defend against today’s more complex ransomware attacks. This includes endpoint protection solutions, despite the fact that they can be bypassed or unhooked in certain instances.

It also includes good patch management, offsite data backups, identity and access controls, employee awareness training, and testing of organizational procedures and resilience so that ransomware readiness plans succeed.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.