Threat actors are employing what researchers describe as a previously undocumented “defense evasion tool,” dubbed AuKill, that is designed to disable endpoint detection and response (EDR) software by means of a Bring Your Own Vulnerable Driver (BYOVD) attack.
“The AuKill tool uses an older version of the driver used by version 16.32 of the Microsoft utility Process Explorer to disable EDR processes before deploying a backdoor or ransomware on the target system,” Sophos researcher Andreas Klopsch said in a report published last week.
Incidents analyzed by the cybersecurity firm show that AuKill has been used since the start of 2023 to deploy various ransomware strains, including Medusa Locker and LockBit. Six different versions of the malware have been identified to date; the oldest AuKill sample carries a compilation timestamp of November 2022.
The BYOVD technique relies on threat actors abusing a legitimate but outdated and exploitable driver signed by Microsoft (or one signed with a stolen or leaked certificate) to gain elevated privileges and turn off security mechanisms.
Because the driver is genuine, loading it bypasses a key Windows safeguard known as Driver Signature Enforcement, which ensures that kernel-mode drivers are signed by a valid code signing authority before they are allowed to run.
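A signed driver is exactly what Driver Signature Enforcement lets through, so detection has to look at other signals: whether the driver's hash is on a vulnerable-driver blocklist, whether its signature actually validates, and where it was loaded from. The following is an added example, not code from the article or from any of the vendors it cites; it models Sysmon Event ID 6 (DriverLoad) records as dicts using the field names Sysmon emits, and the hashes, file names and blocklist entries are constructed placeholders.

```python
"""Flag kernel driver loads that resemble a BYOVD attempt (constructed example)."""
import re

# Constructed SHA256 standing in for an entry on a published vulnerable-driver
# blocklist (e.g. Microsoft's). A real deployment would load the real list.
FAKE_BLOCKED_SHA256 = "1" * 64
BLOCKLISTED_SHA256 = {FAKE_BLOCKED_SHA256}

# Directories from which a normal driver install would not load a .sys file.
SUSPICIOUS_DIRS = re.compile(r"\\(Temp|Downloads|ProgramData|Users\\Public)\\", re.I)


def parse_hashes(field: str) -> dict:
    """Turn Sysmon's 'SHA1=..,SHA256=..' string into {ALGO: lowercase hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, val = part.split("=", 1)
            out[algo.strip().upper()] = val.strip().lower()
    return out


def classify_driver_load(event: dict) -> list:
    """Return the reasons a DriverLoad event deserves a closer look (empty = none)."""
    reasons = []
    if parse_hashes(event.get("Hashes", "")).get("SHA256") in BLOCKLISTED_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")
    if event.get("Signed", "false").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("driver not validly signed")
    if SUSPICIOUS_DIRS.search(event.get("ImageLoaded", "")):
        reasons.append("loaded from user-writable directory")
    return reasons


def triage(events: list) -> list:
    """Return (ImageLoaded, reasons) for every event that raised at least one reason."""
    hits = []
    for event in events:
        reasons = classify_driver_load(event)
        if reasons:
            hits.append((event["ImageLoaded"], reasons))
    return hits


# Constructed sample records. The first mimics the pattern the article describes:
# a validly signed but outdated, blocklisted driver dropped into a temp folder.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\Temp\legacy.sys", "Signed": "true", "SignatureStatus": "Valid",
     "Hashes": "SHA1=aaaa,SHA256=" + FAKE_BLOCKED_SHA256},
    {"ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys", "Signed": "true",
     "SignatureStatus": "Valid", "Hashes": "SHA256=" + "2" * 64},
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

Note that the signed, blocklisted driver trips two checks while the stock driver trips none; the signature check alone would have passed it, which is the point of BYOVD.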
“The AuKill tool requires administrative privileges to function, which it cannot give the attacker,” the Sophos researcher said. “Attackers using AuKill took advantage of existing privileges during the attacks, which they had gained through other means.”
This is not the first time the Microsoft-signed Process Explorer driver has been weaponized in attacks. In November 2022, Sophos also detailed LockBit affiliates' use of Backstab, an open source tool that exploits outdated versions of the driver to terminate protected anti-malware processes.
Then, earlier this year, a malvertising campaign was discovered leveraging the same driver to distribute a .NET loader named MalVirt to deploy FormBook information-stealing malware.
The development also follows findings that the Play ransomware (aka PlayCrypt) actors have been using a custom data-gathering tool that enumerates all users and computers on a compromised network and allows them to copy files from the Volume Shadow Copy Service (VSS).
Grixba, a .NET-based information stealer, is designed to scan a machine for security programs, backup software, and remote administration tools and to exfiltrate the collected data as CSV files compressed into ZIP archives.
Also used by the cybercrime gang, which Symantec tracks as Balloonfly, is a VSS Copying Tool written in .NET that uses the AlphaVSS framework to list the files and folders in a VSS snapshot and copy them to a destination directory before encryption.
Play ransomware is known not only for using intermittent encryption to speed up the process, but also for not operating on a ransomware-as-a-service (RaaS) model, which suggests it is privately developed.
Grixba and the VSS Copying Tool join the likes of Exmatter, Exbyte, and PowerShell-based scripts that ransomware actors use to gain more control over their operations while adding a layer of complexity that helps them persist in compromised environments and evade detection.
The findings also come as Cyble reported last week on a new GoLang ransomware called CrossLock, which employs double extortion to increase the likelihood of payment from victims and takes steps to evade Event Tracing for Windows (ETW).
“This feature allows the malware to evade detection by security systems that rely on event logs,” Cyble said. “CrossLock ransomware takes several actions to increase the effectiveness of the attack while reducing the chances of data recovery.”