This evil malware disables your security software, then goes in for the kill
Date:
Thu, 20 Apr 2023 16:55:26 +0000
Description:
AuKill tool is being used by ransomware operators, researchers warn.
FULL STORY ======================================================================
Hackers are using a brand new tool to disable antivirus programs installed on devices, before deploying more dubious malware , and sometimes even
ransomware , researchers have warned.
Cybersecurity researchers from Sophos X-Ops recently observed threat actors using the Bring Your Own Vulnerable Driver (BYOVD) method to deploy a tool called AuKill, capable of disabling security programs.
First, they need to drop a legitimate but vulnerable driver, onto the target endpoint. This is usually done through email-borne attacks, distributing the driver via phishing emails. The driver, capable of running with kernel privileges, is called procexp.sys, and is usually delivered next to the
actual one, used by Microsofts Process Explorer v16.32 (a legitimate program that collects data on active Windows processes). Bring Your Own Vulnerable Driver
Once the legitimate program runs the malicious DLL, it will first check to
see if its running with SYSTEM privileges, and make sure it does, by posing
as the TrustedInstaller Windows Modules Installer. Then, it starts multiple threads, testing and disabling various security processes and services.
After disabling security programs on the computer, AuKills operators will deploy stage-two malware. As per Sophos X-Ops report, sometimes threat actors will deploy the Medusa Locker, or LockBit - both extremely potent and popular ransomware variants. Read more
You're a ransomware victim: Here's 5 things you should do
What is ransomware and how does it work?
Check out the best endpoint protection tools now
"The tool was used during at least three ransomware incidents since the beginning of 2023 to sabotage the target's protection and deploy the ransomware," the researchers warned. "In January and February, attackers deployed Medusa Locker ransomware after using the tool; in February, an attacker used AuKill just prior to deploying Lockbit ransomware."
While the tool seems relatively new and was just spotted, one of its variants carries a November 2022 timestamp. The newest version discovered was compiled in mid-February, the researchers conclude. Its code is similar to that of Backstab, an open-source tool also capable of disabling antivirus programs. Researchers have seen LockBits operators deploy Backstab in the past.
"We have found multiple similarities between the open-source tool Backstab
and AuKill," the Sophos team says. "Some of these similarities include similar, characteristic debug strings, and nearly identical code flow logic
to interact with the driver." Here's our list of the best firewalls right now
Via: BleepingComputer
======================================================================
Link to news story:
https://www.techradar.com/news/this-evil-malware-disables-your-security-softwa re-then-goes-in-for-the-kill
--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)