Security End-Run: 'AuKill' Shuts Down Windows-Reliant EDR Processes

A widespread cybercrime tool designed to tamper with security solutions has been upgraded, with a new method for killing the protected Windows processes that endpoint detection and response (EDR) tools rely on.

"AuKill," developed by the notorious FIN7 cybercrime collective (aka Carbanak, Carbon Spider, Cobalt Group, Navigator Group), is a program specifically designed to undermine endpoint security. It employs more than 10 different user and kernel mode techniques to that end, like sandboxing protected processes and leveraging fundamental Windows APIs like Restart Manager and Service Control Manager.

A new report from SentinelOne describes how AuKill is becoming increasingly popular among cybercrime actors, particularly high-level ransomware groups. And to keep it one step ahead of defenders, FIN7 has iterated on it with a new technique for throwing certain protected processes into a denial-of-service (DoS) condition.

Born to AuKill

FIN7, a largely Russian-Ukrainian operation, was carrying out financially motivated cyber campaigns across industries as far back as 2012. At the time, its specialty was point-of-sale (PoS) malware, then a trend.

As cybercrime moved from credit card theft to ransomware, FIN7 moved with it. It launched its own ransomware-as-a-service (RaaS) projects: first Darkside and then, after its run-ins with Uncle Sam, BlackMatter. It also began to affiliate with other major ransomware groups, like the leading Conti and REvil.

In April 2022, FIN7 began development on the anti-security tool now known as AuKill. Using various pseudonyms, it began to market the program on cybercrime forums for prices ranging from $4,000 to $15,000.

The first actor known to use it in the wild was Black Basta, in June 2022. Around the turn of 2023, threat actors across the ransomware spectrum began to follow suit. SentinelOne has observed it in attacks alongside payloads like AvosLocker, BlackCat, and LockBit, for example. 

The New Technique

Whenever a new malware tool begins to attract attention, it risks losing its initial effectiveness as defenders start to adjust. To keep it going, then, authors need to modify and build out new features.

AuKill's new feature targets the protected processes run by EDR solutions. Its weapons: the default time-travel debugging (TTD) monitor Windows driver — used for monitoring TTD processes — in tandem with an updated version of the Process Explorer driver.

In short, the malware uses the former driver to watch for protected Windows processes it wants to attack and, if they pop up, suspends them. When the protected process then tries to spin up non-protected helper (child) processes, the latter driver blocks those. With the drivers blocking parent and child, a crash ensues.

"Organizations should ensure that anti-tampering protection mechanisms are enabled in their security solutions deployed on enterprise devices," says Antonio Cocomazzi, staff offensive security researcher at SentinelOne.

"For this particular technique," he adds, "organizations should ensure that their security software's anti-tampering protections are robust enough to defend against kernel-mode attacks, such as those exploiting the Process Explorer driver. Implementing additional security measures, like kernel-level monitoring and restricting driver access, can further enhance protection against these advanced threats."