This evil malware disables your security software, then goes in for the kill

ID theft
Image credit: Pixabay (Image credit: Future)

Hackers are using a brand new tool to disable antivirus programs installed on devices, before deploying more dubious malware, and sometimes even ransomware, researchers have warned.

Cybersecurity researchers from Sophos X-Ops recently observed threat actors using the Bring Your Own Vulnerable Driver (BYOVD) method to deploy a tool called AuKill, capable of disabling security programs. 

First, they need to drop a legitimate but vulnerable driver, onto the target endpoint. This is usually done through email-borne attacks, distributing the driver via phishing emails. The driver, capable of running with kernel privileges, is called procexp.sys, and is usually delivered next to the actual one, used by Microsoft’s Process Explorer v16.32 (a legitimate program that collects data on active Windows processes). 

Bring Your Own Vulnerable Driver

Once the legitimate program runs the malicious DLL, it will first check to see if it’s running with SYSTEM privileges, and make sure it does, by posing as the TrustedInstaller Windows Modules Installer. Then, it starts multiple threads, testing and disabling various security processes and services.

After disabling security programs on the computer, AuKill’s operators will deploy stage-two malware. As per Sophos X-Ops’ report, sometimes threat actors will deploy the Medusa Locker, or LockBit - both extremely potent and popular ransomware variants. 

"The tool was used during at least three ransomware incidents since the beginning of 2023 to sabotage the target's protection and deploy the ransomware," the researchers warned. "In January and February, attackers deployed Medusa Locker ransomware after using the tool; in February, an attacker used AuKill just prior to deploying Lockbit ransomware."

While the tool seems relatively new and was just spotted, one of its variants carries a November 2022 timestamp. The newest version discovered was compiled in mid-February, the researchers conclude. Its code is similar to that of Backstab, an open-source tool also capable of disabling antivirus programs. Researchers have seen LockBit’s operators deploy Backstab in the past. 

"We have found multiple similarities between the open-source tool Backstab and AuKill," the Sophos team says. "Some of these similarities include similar, characteristic debug strings, and nearly identical code flow logic to interact with the driver."

Via: BleepingComputer

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
A computer being guarded by cybersecurity.
Huge cyberattack found hitting vulnerable Microsoft-signed legacy drivers to get past security
Mustang Panda
Chinese hackers abuse Microsoft tool to get past antivirus and cause havoc
Representational image of a cybercriminal
Microsoft discovers five potentially damaging attacks against its own software
A digital representation of a lock
Security experts are being targeted with fake malware discoveries
ransomware avast
Hackers spotted using unsecured webcam to launch cyberattack
Illustration of a laptop with a magnifying glass exposing a beetle on-screen
This devious macOS malware is evading capture by using Apple's own encryption
Latest in Security
Data Breach
Thousands of healthcare records exposed online, including private patient information
China
Juniper patches security flaws which could have let hackers take over your router
Representational image depecting cybersecurity protection
GitLab has patched a host of worrying security issues
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
AI agents can be hijacked to write and send phishing attacks
China
Volt Typhoon threat group had access to American utility networks for the best part of a year
Abstract image of cyber security in action.
MassJacker malware targets those looking for pirated software
Latest in News
A super close up image of the Google Gemini app in the Play Store
It's official: Google Assistant will be retired for phones this year, with Gemini taking over
Quordle on a smartphone held in a hand
Quordle hints and answers for Sunday, March 16 (game #1147)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Sunday, March 16 (game #378)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Sunday, March 16 (game #644)
Three iPhone 16 handsets on show
Apple could launch an iPhone 17 Ultra this year – but we've heard these rumors before
Super Mario Odyssey
ChatGPT is the ultimate gaming tool - here's 4 ways you can use AI to help with your next playthrough