Project Hyphae

“AuKill” Malware Being Used To Kill EDR Processes Before Deploying Ransomware


A new cybercrime tool called “AuKill” has surfaced in the wild, capable of locating and killing the processes of various EDR services. EDR (Endpoint Detection and Response) tools have had great success in recent years at stopping emerging attacks within the organizations that use them. In December 2022, Sophos, Microsoft, Mandiant, SentinelOne, and others observed multiple incidents in which threat actors who had gained initial access to victims’ systems used custom-built drivers to disable known security products, allowing them to escalate their attack and deploy further malicious tools without detection.

This new tool, “AuKill,” by contrast, has been seen abusing a legitimate but outdated (and therefore exploitable) driver that ships with Microsoft’s Process Explorer 16.32. The Process Explorer driver is then used to identify and terminate processes belonging to EDR services. Sophos has identified six different versions of AuKill so far and notes that newer versions target more EDR processes and services and continually monitor them to keep them from restarting. Once systems are left unprotected, various forms of malware have been deployed into victims’ environments, including LockBit ransomware and MedusaLocker ransomware.
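The behaviour described above (a Process Explorer driver load followed by a burst of security-process terminations that repeat as the tool re-kills them) is a correlation a defender can hunt for. The following is an added example, not code from Project Hyphae or Sophos; the driver and EDR process names are placeholders to be replaced with your own vendor IoCs, and the Sysmon-style log lines are constructed.

```python
"""Correlate driver-load (Sysmon Event ID 6) and process-termination (Event ID 5)
events to spot the AuKill pattern: a Process Explorer driver appears, then several
security-product processes die, and keep dying as the tool re-kills them."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Placeholder names: substitute the driver file name and EDR process names from
# your own environment or vendor IoCs. These are NOT taken from the Sophos report.
WATCHED_DRIVERS = {"procexp_driver_placeholder.sys"}
WATCHED_PROCS = {"edr_agent_placeholder.exe", "edr_sensor_placeholder.exe"}

# Constructed sample log, simplified to "<UtcTime> EventID=<n> Image=<path>".
SAMPLE_LOG = """\
2023-04-20 10:00:01 EventID=6 Image=C:\\Windows\\System32\\drivers\\procexp_driver_placeholder.sys
2023-04-20 10:00:05 EventID=5 Image=C:\\Program Files\\EDR\\edr_agent_placeholder.exe
2023-04-20 10:00:06 EventID=5 Image=C:\\Program Files\\EDR\\edr_sensor_placeholder.exe
2023-04-20 10:00:40 EventID=5 Image=C:\\Program Files\\EDR\\edr_agent_placeholder.exe
2023-04-20 10:30:00 EventID=5 Image=C:\\Windows\\notepad.exe
"""

LINE_RE = re.compile(r"^(\S+ \S+) EventID=(\d+) Image=(.+)$")

def parse(log):
    """Return (timestamp, event_id, lower-cased image file name) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, int(m.group(2)), m.group(3).rsplit("\\", 1)[-1].lower()))
    return events

def detect(events, window=timedelta(minutes=10), min_kills=2):
    """One alert per watched-driver load followed by >= min_kills terminations of
    watched security processes inside the window; a process killed more than once
    in that window is reported as a kill loop (the 'keep them down' behaviour)."""
    alerts = []
    for ts, eid, name in events:
        if eid != 6 or name not in WATCHED_DRIVERS:
            continue
        kills = Counter(n for t, e, n in events
                        if e == 5 and n in WATCHED_PROCS and ts <= t <= ts + window)
        if sum(kills.values()) >= min_kills:
            alerts.append({"driver": name, "first_seen": ts, "killed": dict(kills),
                           "kill_loop": any(c > 1 for c in kills.values())})
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```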

For more information on this malware and how it deploys, as well as blockable Indicators of Compromise, please review Sophos’ full analysis:
