[ Intelligence ] (TLP:CLEAR) Newly Discovered AuKill Malware Uses Process Explorer to Disable Security Endpoints

TLP: CLEAR
Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.
https://www.first.org/tlp/

Summary: A newly discovered EDR-killer tool, AuKill, abuses the Process Explorer driver to disable Endpoint Detection and Response (EDR) software, according to a Sophos report (weblink below) published April 19, 2023. Sophos has identified six AuKill samples in recent months, the earliest from November 2022. Sophos also observed overlap between AuKill and the open-source tool Backstab, including shared debug strings and the same source-code logic for communicating with the driver. Compile timestamps indicate AuKill was built on November 13, 2022; the driver it carries, PROCEXP152.sys, is the legitimate Microsoft-signed Process Explorer driver, abused as-is rather than modified. Sophos observed AuKill versions 1 through 6 in use in the wild between January 18, 2023 and February 14, 2023.

Sophos Report: hxxps://news.sophos[.]com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/

NYSIC CAU Analyst Note: Threat actors used AuKill to disable EDR ahead of follow-on ransomware payloads such as MedusaLocker and LockBit. AuKill drops a copy of the Process Explorer driver under the name PROCEXP[.]SYS into C[:]\Windows\System32\drivers, so it can sit alongside a legitimate PROCEXP152[.]sys on a host where Process Explorer has been used. AuKill checks at startup that it is running with administrative privileges, which are required to install and start the driver service. According to Sophos, the operator must also supply a password (the startkey) on the command line; AuKill validates it before doing anything else, so the tool stays inert without the key.
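The following PowerShell script is an added hunting example for this bulletin; it is not code from Sophos or NYSIC. It checks a host for the artifacts described above: the driver written as PROCEXP.SYS (or present as PROCEXP152.sys) under System32\drivers, a kernel driver service pointing at either file, Service Control Manager event 7045 recording the service install, and Sysmon event 6 (DriverLoad) if Sysmon is present. The Sysmon channel name and the use of a running procexp.exe as triage context are assumptions, not facts from the bulletin. Note that a valid Microsoft signature on the driver is not evidence that a finding is benign; an unmodified signed driver is exactly what AuKill abuses.

```powershell
# Added hunting example for the AuKill bulletin. Not code from Sophos or NYSIC.
# Assumptions (not from the bulletin): the default Sysmon channel name, and that
# a running Process Explorer GUI is a reasonable first triage signal.
function Find-ProcExpDriverAbuse {
    [CmdletBinding()]
    param(
        [string]$DriverDir = (Join-Path $env:SystemRoot 'System32\drivers'),
        # File names from the bulletin: AuKill writes PROCEXP.SYS; PROCEXP152.sys is the normal name.
        [string[]]$DriverNames = @('PROCEXP.SYS', 'PROCEXP152.SYS')
    )

    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Source, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Source = $Source; Detail = $Detail })
    }

    # 1. Driver files on disk, with signer and write time for triage. A Microsoft
    #    signature is expected here and does NOT make the finding benign.
    foreach ($name in $DriverNames) {
        $path = Join-Path $DriverDir $name
        if (Test-Path -LiteralPath $path) {
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $item = Get-Item -LiteralPath $path
            Add-Finding 'disk' ('{0} present; signer="{1}" status={2} written={3:u}' -f
                $path, $sig.SignerCertificate.Subject, $sig.Status, $item.LastWriteTime)
        }
    }

    # 2. Kernel driver services whose image path points at either file name.
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $drv = $_
        foreach ($name in $DriverNames) {
            if ($drv.PathName -and $drv.PathName -match [regex]::Escape($name)) {
                Add-Finding 'service' ('driver service "{0}" state={1} start={2} path={3}' -f
                    $drv.Name, $drv.State, $drv.StartMode, $drv.PathName)
            }
        }
    }

    # 3. Service Control Manager event 7045 ("A service was installed") in the
    #    System log: the driver has to be registered as a service to be loaded.
    try {
        Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction Stop |
            Where-Object { $_.Message -match 'PROCEXP' } |
            ForEach-Object {
                Add-Finding 'eventlog-7045' ('{0:u} {1}' -f $_.TimeCreated, ($_.Message -replace '\s+', ' '))
            }
    } catch { Write-Verbose "No 7045 events matched: $_" }

    # 4. Sysmon event 6 (DriverLoad), if Sysmon is installed with the default channel.
    try {
        Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6 } -ErrorAction Stop |
            ForEach-Object {
                $evt   = $_
                $xml   = [xml]$evt.ToXml()
                $image = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'ImageLoaded' }).'#text'
                if ($image -match 'PROCEXP') {
                    Add-Finding 'sysmon-6' ('{0:u} loaded {1}' -f $evt.TimeCreated, $image)
                }
            }
    } catch { Write-Verbose "Sysmon channel unavailable or empty: $_" }

    # 5. Triage context: the driver legitimately appears while an admin runs
    #    Process Explorer, so record whether the GUI is actually running now.
    $procexp = Get-Process -Name 'procexp', 'procexp64' -ErrorAction SilentlyContinue
    Add-Finding 'context' ('Process Explorer GUI running: {0}' -f [bool]$procexp)

    return $findings
}

# Usage: run elevated. Any 'disk', 'service', 'eventlog-7045' or 'sysmon-6' finding on a
# host where nobody has run Process Explorer deserves an incident-response look.
Find-ProcExpDriverAbuse -Verbose | Format-Table -AutoSize
```

The script reports rather than remediates: because AuKill needs administrative rights to register and start the driver service, a positive hit on a server or on a workstation whose user is not an administrator is itself the useful signal, and the 7045 and Sysmon timestamps give the approximate time the EDR was disabled, which bounds the window to search for follow-on ransomware staging.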

Sources:
hxxps://www.darkreading[.]com/attacks-breaches/aukill-malware-hunts-kills-edr-processes
hxxps://www.scmagazine[.]com/brief/ransomware/new-aukill-hacking-tool-gaining-traction-among-threat-actors
hxxps://www.bleepingcomputer[.]com/news/security/ransomware-gangs-abuse-process-explorer-driver-to-kill-security-software/

This information has been disseminated to:
NYSIC CAU Contacts – OCT-CIP
NYSIC CAU Contacts – ITS EISO
NYSIC CAU Contacts – Cyber Partners Working Group (CPWG)
NYSIC CAU Contacts – Critical Infrastructure: All
NYSIC CAU Contacts – SLTT
NYSIC CAU Contacts – Private Sector

For more information, please contact the NYSIC Cyber Analysis Unit at (518) 786-2191 or CAU@nysic.ny.gov.
