A recent upgrade to a widespread cybercrime tool known as “AuKill” has raised concerns among security experts. Developed by the infamous FIN7 cybercrime collective, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, AuKill is specifically designed to undermine endpoint security solutions. The tool uses over 10 different user-mode and kernel-mode techniques, including sandboxing protected processes and leveraging fundamental Windows APIs such as Restart Manager and Service Control Manager.
According to a new report from SentinelOne, AuKill is gaining popularity among cybercrime actors, especially high-level ransomware groups. To stay ahead of defenders, FIN7 has introduced a new technique that disrupts certain protected processes, putting them into a denial-of-service (DoS) condition.
FIN7, a primarily Russian-Ukrainian operation, has been involved in financially motivated cyber campaigns since 2012. Initially focused on point-of-sale (PoS) malware during the trend of credit card theft, FIN7 adapted as cybercrime evolved towards ransomware attacks. The group launched its own ransomware-as-a-service (RaaS) projects, starting with Darkside and later transitioning to BlackMatter after encountering legal issues. Additionally, FIN7 collaborated with other major ransomware groups like Conti and REvil.
In April 2022, FIN7 began developing AuKill and marketed it under various pseudonyms on cybercrime forums for prices ranging from $4,000 to $15,000. The first identified use of AuKill in the wild was in June 2022, by the threat actor Black Basta. Since the beginning of 2023, various ransomware groups have incorporated AuKill into their attacks alongside payloads like AvosLocker, BlackCat, and LockBit.
The latest enhancement to AuKill targets the protected processes managed by EDR solutions. The new feature uses the default Windows time-travel debugging (TTD) monitor driver together with an updated version of the Process Explorer driver. The malware monitors protected processes and suspends them, which in turn blocks their non-protected helper processes from starting and results in system crashes.
Security experts advise organizations to enable anti-tampering protection mechanisms in their security solutions deployed on enterprise devices. Antonio Cocomazzi, a staff offensive security researcher at SentinelOne, recommends robust anti-tampering protections in security software to defend against kernel-mode attacks like those exploiting the Process Explorer driver. Implementing additional security measures such as kernel-level monitoring and restricting driver access can enhance protection against advanced threats.
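As an added example of the kernel-level monitoring recommended above (this is not code from the article or from SentinelOne's report), the script below triages Sysmon driver-load events (Event ID 6) and flags drivers with an invalid signature, drivers loaded from outside the normal driver directories, and loads of the legitimately signed drivers the article says AuKill abuses. The watchlist name stems and the sample records are assumptions constructed for the example, since the article names no driver files.

```python
import json
from pathlib import PureWindowsPath

# Name stems of legitimately signed drivers the article says AuKill abuses
# (Process Explorer driver, TTD monitor driver). The stems are an assumption:
# the article gives no file names, so tune this list for your own estate.
WATCHLIST_STEMS = ("procexp", "ttd")
# Directories a signed third-party driver normally loads from.
TRUSTED_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")

def _under_trusted_dir(image: str) -> bool:
    path = str(PureWindowsPath(image)).lower()
    return any(path.startswith(d) for d in TRUSTED_DIRS)

def triage_driver_loads(lines):
    """Return (UtcTime, ImageLoaded, reasons) for each suspicious Sysmon
    Event ID 6 (DriverLoad) record in `lines` (one JSON object per line)."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") != 6:          # only driver-load records matter here
            continue
        image = ev.get("ImageLoaded", "")
        stem = PureWindowsPath(image).stem.lower()
        reasons = []
        if ev.get("SignatureStatus", "").lower() != "valid":
            reasons.append("signature not valid")
        if not _under_trusted_dir(image):
            reasons.append("loaded from outside the driver directories")
        if stem.startswith(WATCHLIST_STEMS):
            reasons.append("abusable signed driver on watchlist")
        if reasons:
            findings.append((ev["UtcTime"], image, reasons))
    return findings

# Constructed sample records for the example, not real telemetry.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 6, "UtcTime": "2023-07-01 10:00:00.000",
                "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
                "Signed": "true", "SignatureStatus": "Valid"}),
    json.dumps({"EventID": 6, "UtcTime": "2023-07-01 10:02:13.000",
                "ImageLoaded": r"C:\Users\Public\procexp_sample.sys",
                "Signed": "true", "SignatureStatus": "Valid"}),
    json.dumps({"EventID": 6, "UtcTime": "2023-07-01 10:02:20.000",
                "ImageLoaded": r"C:\ProgramData\svc\helper.sys",
                "Signed": "false", "SignatureStatus": "Unavailable"}),
    json.dumps({"EventID": 1, "UtcTime": "2023-07-01 10:03:00.000",
                "Image": r"C:\Windows\System32\cmd.exe"}),
]

if __name__ == "__main__":
    for when, image, reasons in triage_driver_loads(SAMPLE_EVENTS):
        print(when, image, "->", "; ".join(reasons))
```

A signed driver that is on the watchlist but loads from a trusted directory is still reported, since the abused drivers are legitimately signed; the path and signature checks exist to catch the copies an attacker drops elsewhere.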
As cybercriminals continue to innovate and refine their tactics, cybersecurity professionals must remain vigilant and proactive in implementing effective security measures to safeguard against evolving threats like AuKill and other malicious tools developed by threat actors.