Project Hyphae
“AuKill” Malware Being Used To Kill EDR Processes Before Deploying Ransomware

A new cybercrime tool called “AuKill” has appeared in the wild, capable of locating and terminating the processes of various EDR products. EDR (Endpoint Detection and Response) tools have had great success in recent years at stopping emerging attacks within the organizations that use them. In December of 2022, multiple incidents were observed by Sophos, Microsoft, Mandiant, SentinelOne, and others in which threat actors who had gained initial access to victims’ systems used custom-built drivers to disable various known security products, allowing them to escalate their attack and deploy other malicious tools without detection.

This new tool, “AuKill,” by contrast, has been seen taking advantage of a legitimate but outdated (and therefore exploitable) driver used by version 16.32 of Microsoft’s Process Explorer. Process Explorer is then used to identify and terminate processes belonging to EDR services. Sophos has identified six different versions of AuKill so far and has noted that newer versions target more EDR processes and services and can continually monitor them to ensure they do not restart. Once systems are left unprotected, various forms of malware have been deployed into victims’ environments, including Lockbit ransomware and MedusaLocker ransomware.

For more information on this malware and how it deploys, as well as blockable Indicators of Compromise, please review Sophos’ full analysis: https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/
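Because the abused driver is legitimately signed, a signer check alone will not catch it; the pattern described above is better caught by correlating behaviour. The following is an added example (not code from Sophos or from this post) that runs a small correlation rule over constructed, Sysmon-style telemetry: a kernel driver loaded from a user-writable path followed, within a short window, by terminations of known security-product processes. The driver file name, the EDR process names and the sample events are all assumptions.

```python
from datetime import datetime, timedelta

# Assumed names; substitute your own EDR's binaries and the vendor-published IoCs.
EDR_PROCESSES = {"msmpeng.exe", "sentinelagent.exe", "cyserver.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed sample telemetry in a Sysmon-like shape (driver load ~ event 6,
# process terminate ~ event 5). Not a real capture; the driver name is assumed.
SAMPLE_EVENTS = [
    {"ts": "2023-04-19T10:00:00", "type": "driver_load",
     "image": "C:\\Windows\\Temp\\procexp.sys"},
    {"ts": "2023-04-19T10:00:04", "type": "process_terminate",
     "image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"},
    {"ts": "2023-04-19T10:00:05", "type": "process_terminate",
     "image": "C:\\Program Files\\SentinelOne\\SentinelAgent.exe"},
    {"ts": "2023-04-19T11:30:00", "type": "driver_load",
     "image": "C:\\Windows\\System32\\drivers\\tcpip.sys"},
    {"ts": "2023-04-19T11:30:10", "type": "process_terminate",
     "image": "C:\\Windows\\System32\\notepad.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_edr_kill_sequences(events, window_seconds=300, min_kills=2):
    """Return one finding per driver load from a user-writable directory that is
    followed within the window by at least min_kills terminations of EDR processes."""
    parsed = sorted(({**e, "t": datetime.fromisoformat(e["ts"])} for e in events),
                    key=lambda e: e["t"])
    findings = []
    for ev in parsed:
        if ev["type"] != "driver_load":
            continue
        if not ev["image"].lower().startswith(USER_WRITABLE):
            continue  # driver loaded from a normal system location
        deadline = ev["t"] + timedelta(seconds=window_seconds)
        killed = [basename(k["image"]) for k in parsed
                  if k["type"] == "process_terminate"
                  and ev["t"] <= k["t"] <= deadline
                  and basename(k["image"]) in EDR_PROCESSES]
        if len(killed) >= min_kills:
            findings.append({"at": ev["ts"], "driver": ev["image"], "killed": killed})
    return findings


if __name__ == "__main__":
    for f in find_edr_kill_sequences(SAMPLE_EVENTS):
        print(f"ALERT: {f['driver']} loaded at {f['at']}, then killed {f['killed']}")
```

Tune the window and the minimum kill count to your environment; the same rule can be extended to flag repeated terminations of the same EDR process, which matches the restart-monitoring behaviour noted above.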
