A new cybercrime tool called “AuKill” has revealed itself in the wild, capable of locating and killing the processes of various EDR services. EDR (Endpoint Detection and Response) tools have had great success in recent years at stopping emerging attacks within organizations that use them. In December of 2022, multiple incidents were observed by Sophos, Microsoft, Mandiant, SentinelOne, and others in which threat actors who had gained initial access to victims’ systems used custom-built drivers to disable various known security products, allowing them to escalate their attack and deploy other malicious tools without detection.
This new tool, “AuKill,” by contrast, has been seen taking advantage of a legitimate but outdated (and therefore exploitable) driver that is used by Microsoft’s Process Explorer 16.32. Process Explorer is then used to identify and terminate processes related to EDR services. Sophos has identified six different versions of AuKill so far and has noted that newer versions target more EDR processes and services and can continually monitor them to ensure they don’t restart. Once systems are left unprotected, various forms of malware have been deployed into victims’ environments, including Lockbit ransomware and MedusaLocker ransomware.
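The pattern described above (a signed but outdated third-party kernel driver loading, followed shortly by security-product processes being terminated and re-terminated on the same host) is something a detection engineer can correlate from endpoint telemetry. The following is an added example written for this summary; it is not code from Sophos or from the original post. It assumes a simplified pipe-delimited record format that only loosely resembles Sysmon DriverLoad (ID 6) and ProcessTerminate (ID 5) events, uses placeholder EDR process names and a placeholder driver path, and matches the driver by the "Process Explorer" product description string; every host, path and timestamp in the sample log is constructed.

```python
"""Correlate kernel-driver loads with security-process terminations (added example).

The records are constructed for this example and only loosely resemble Sysmon
DriverLoad (ID 6) and ProcessTerminate (ID 5) fields; a real pipeline would map
its own telemetry onto the Event dataclass below.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed watch-list of security-product process names (placeholders, not real vendor names).
EDR_PROCESSES = {"edr-agent.exe", "edr-sensor.exe", "av-service.exe"}

# Assumed substrings identifying the abused driver family in its product/signer metadata.
SUSPECT_DRIVER_DESCRIPTIONS = ("process explorer",)


@dataclass
class Event:
    ts: datetime
    kind: str          # "DRIVER_LOAD" or "PROCESS_TERMINATE"
    host: str
    image: str         # driver path or terminated process image
    description: str   # driver product description (empty for process events)


@dataclass
class Alert:
    host: str
    driver: str
    killed: Dict[str, int] = field(default_factory=dict)  # process name -> kill count

    @property
    def repeated_kills(self) -> bool:
        # Newer builds keep re-killing protected processes; repeats raise severity.
        return any(n > 1 for n in self.killed.values())


def parse_events(text: str) -> List[Event]:
    """Parse constructed records of the form: ts|kind|host|image|description."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, host, image, description = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), kind, host, image, description))
    return sorted(events, key=lambda e: e.ts)


def is_suspect_driver(ev: Event) -> bool:
    """True for a driver load whose description matches the watched driver family."""
    return ev.kind == "DRIVER_LOAD" and any(
        s in ev.description.lower() for s in SUSPECT_DRIVER_DESCRIPTIONS)


def find_edr_kill_patterns(events: List[Event],
                           window: timedelta = timedelta(minutes=10)) -> List[Alert]:
    """Flag a suspect driver load followed, on the same host, by EDR process terminations."""
    alerts = []
    for load in filter(is_suspect_driver, events):
        alert = Alert(host=load.host, driver=load.image)
        for ev in events:
            if (ev.kind == "PROCESS_TERMINATE" and ev.host == load.host
                    and load.ts <= ev.ts <= load.ts + window):
                name = ev.image.rsplit("\\", 1)[-1].lower()
                if name in EDR_PROCESSES:
                    alert.killed[name] = alert.killed.get(name, 0) + 1
        if alert.killed:  # a lone driver load (e.g. an admin running the tool) is not enough
            alerts.append(alert)
    return alerts


# Constructed sample telemetry: hosts, paths, descriptions and times are all made up.
SAMPLE_LOG = r"""
2023-04-20T10:00:01|DRIVER_LOAD|ws-01|C:\Windows\Temp\drv.sys|Process Explorer
2023-04-20T10:00:05|PROCESS_TERMINATE|ws-01|C:\Program Files\EDR\edr-agent.exe|
2023-04-20T10:00:06|PROCESS_TERMINATE|ws-01|C:\Program Files\EDR\edr-sensor.exe|
2023-04-20T10:02:30|PROCESS_TERMINATE|ws-01|C:\Program Files\EDR\edr-agent.exe|
2023-04-20T10:01:00|PROCESS_TERMINATE|ws-01|C:\Windows\notepad.exe|
2023-04-20T11:00:00|DRIVER_LOAD|ws-02|C:\Windows\System32\drivers\stor.sys|Example Vendor Storage Driver
2023-04-20T11:00:10|PROCESS_TERMINATE|ws-02|C:\Program Files\EDR\edr-agent.exe|
2023-04-20T12:00:00|DRIVER_LOAD|ws-03|C:\Tools\drv.sys|Process Explorer
"""

if __name__ == "__main__":
    for a in find_edr_kill_patterns(parse_events(SAMPLE_LOG)):
        print(f"{a.host}: {a.driver} followed by kills {a.killed}, repeated={a.repeated_kills}")
```

Only the first host produces an alert: it shows the driver load, two different security processes killed within the window, and one of them killed a second time, which is the "keep them from restarting" behaviour the post attributes to newer versions. The second host terminates an EDR process after an unrelated driver load and the third loads the driver without any kills, so neither is flagged; tuning the window, the description match and the watch-list to the environment is the main work in deploying this kind of rule.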
For more information on this malware and how it deploys, as well as blockable Indicators of Compromise, please review Sophos’ full analysis: https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/
