Hello Ruben,
It seems like the exploit is against an earlier version of the Process Explorer driver so the vulnerability being exploited may already be patched, but that doesn’t actually help. The malware is itself installing the vulnerable driver additionally and then leveraging the vulnerability. The current version is v17.04 but one of the articles says it’s v16.32 that is vulnerable. But since the earlier version of the driver was signed as legit, Windows won’t reject it. At least that’s my read of it.
If anyone has a fuller understanding, by all means, please enlighten us.
Best,
Robert
From: Ruben Caldwell <caldwell@law.cuny.edu>
Sent: Monday, April 24, 2023 10:51 AM
To: CUNY-INFOSEC-ANNC@LISTSERV.CUNY.EDU; Robert Berlinger <robert.berlinger@CUNY.EDU>
Subject: Re: [ Intelligence ] (TLP:CLEAR) Newly Discovered AuKill Malware Uses Process Explorer to Disable Security Endpoints
All,
from what I can determine from an online search, Process Explorer was “a freeware task manager and system monitor for MS Windows created by SysInternals”. It seems to have been purchased by MS and rebranded as “Windows Sysinternals”. However, it does not seem to be installed in currently supported MS OSes by default. It would appear that the Sysinternals Suite has to be intentionally installed on a system at this point.
I take it that we are standing by to hear from MS as to whether or not there is a patch release to be expected. Has anyone heard anything as yet on this from MS?
Ruben Caldwell
CUNY School of Law
IT Dept.
From: CUNY Information Security Announcements <CUNY-INFOSEC-ANNC@LISTSERV.CUNY.EDU> on behalf of Robert Berlinger <robert.berlinger@CUNY.EDU>
Sent: Friday, April 21, 2023 10:46 AM
To: CUNY-INFOSEC-ANNC@LISTSERV.CUNY.EDU
Subject: [ Intelligence ] (TLP:CLEAR) Newly Discovered AuKill Malware Uses Process Explorer to Disable Security Endpoints
TLP: CLEAR
Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.
https://www.first.org/tlp/
Summary: A newly discovered malware, AuKill, used the Process Explorer driver to disable Endpoint Detection and Response (EDR) systems, according to a Sophos report (weblink below) on April 19, 2023. Sophos has detected 6 AuKill malware samples in recent months, with the earliest sample detected in November of 2022. Additionally, Sophos observed overlapping behaviors between an open-source anti-malware tool Backstab, and AuKill, including debug strings and the source code logic to communicate with the driver. The timestamps of the maliciously signed driver PROCEXP152.sys revealed that threat actors compiled it on November 13, 2022. Sophos observed live exploitation of AuKill versions 1 to 6 between January 18, 2023 and February 14, 2023.
Sophos Report: hxxps://news.sophos[.]com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/
NYSIC CAU Analyst Note: Threat actors used Process Explorer to deploy follow-on ransomware payloads, such as MedusaLocker and LockBit Ransomware. AuKill deployed an additional driver PROCEXP[.]SYS to the C[:]\Windows\System32\drivers path. AuKill also checks if the target system has administrative rights when running, as administrative privileges are required before running the tool. According to Sophos, attackers need to run the startkey to then validate the malicious password-protected file.
Sources:
hxxps://www.darkreading[.]com/attacks-breaches/aukill-malware-hunts-kills-edr-processes
hxxps://www.scmagazine[.]com/brief/ransomware/new-aukill-hacking-tool-gaining-traction-among-threat-actors
hxxps://www.bleepingcomputer[.]com/news/security/ransomware-gangs-abuse-process-explorer-driver-to-kill-security-software/
This information has been disseminated to:
NYSIC CAU Contacts – OCT-CIP
NYSIC CAU Contacts – ITS EISO
NYSIC CAU Contacts – Cyber Partners Working Group (CPWG)
NYSIC CAU Contacts – Critical Infrastructure: All
NYSIC CAU Contacts – SLTT
NYSIC CAU Contacts – Private Sector
For more information, please contact the NYSIC Cyber Analysis Unit at (518) 786-2191 or CAU@nysic.ny.gov.
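The bulletin above says AuKill drops a Process Explorer driver into C:\Windows\System32\drivers and loads it, and the thread notes that a legitimately signed older driver will not be rejected by Windows. The following PowerShell script is an added example for defenders (it is not part of the bulletin, the Sophos report, or any Microsoft tooling): it inventories Process Explorer driver files in that directory, records file version, Authenticode status, signer and SHA256 for each, and lists any kernel driver service whose image path points at one of them, so an analyst can compare what is present against a known-good install. The file names PROCEXP152.sys and PROCEXP.SYS and the directory come from the bulletin; the $KnownGoodVersion parameter is a hypothetical input that the operator supplies from their own current Process Explorer package, not a threshold stated on the page. A legitimate Process Explorer session can also place its driver here, so the output is a review list, not a verdict.

```powershell
# Added example, not from the original bulletin or from Sophos/Microsoft.
# Inventory Process Explorer driver files in the drivers directory named in the
# bulletin and report the attributes an analyst would compare against a known-good copy.
# Assumptions: file names PROCEXP152.sys / PROCEXP.SYS and the path are from the bulletin;
# $KnownGoodVersion is a hypothetical operator-supplied value (the version your own
# current Process Explorer package ships), not a threshold the bulletin states.
param(
    [string]$DriverDir = "$env:SystemRoot\System32\drivers",
    [version]$KnownGoodVersion = $null   # e.g. 17.04 from your own trusted install
)

$findings = @()

Get-ChildItem -Path $DriverDir -Filter 'PROCEXP*.sys' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $ver = $_.VersionInfo

        # Parse the embedded file version (first token, in case a build tag follows it).
        $fileVersion = $null
        if ($ver.FileVersion) {
            [void][version]::TryParse((($ver.FileVersion -split '\s')[0]), [ref]$fileVersion)
        }

        # Flags are prompts for review, not a malware verdict.
        $flags = @()
        if ($sig.Status -ne 'Valid') { $flags += "signature:$($sig.Status)" }
        if ($KnownGoodVersion -and $fileVersion -and ($fileVersion -lt $KnownGoodVersion)) {
            $flags += 'older-than-known-good'
        }
        if ($_.Name -ieq 'PROCEXP.SYS') { $flags += 'name-matches-driver-dropped-by-AuKill' }

        $findings += [pscustomobject]@{
            Path        = $_.FullName
            FileVersion = $ver.FileVersion
            Company     = $ver.CompanyName
            Signer      = $sig.SignerCertificate.Subject
            SigStatus   = $sig.Status
            SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            LastWrite   = $_.LastWriteTimeUtc
            Flags       = ($flags -join ', ')
        }
    }

# Kernel driver services whose image path references a Process Explorer driver.
$services = Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
    Where-Object { $_.PathName -match 'PROCEXP' } |
    Select-Object Name, State, StartMode, PathName

"Process Explorer driver files under $DriverDir :"
if ($findings) { $findings | Format-List } else { '  none found' }

'Driver services referencing a Process Explorer driver:'
if ($services) { $services | Format-Table -AutoSize } else { '  none registered' }
```

Run it from an elevated prompt so Get-CimInstance and Get-AuthenticodeSignature can read every entry; anything flagged older-than-known-good, with a non-Valid signature, or named PROCEXP.SYS is worth preserving (hash and timestamp are in the output) and checking against the Sophos report before deciding whether a legitimate Process Explorer session explains it.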