Threat groups are abusing a signed but outdated version of the driver from Microsoft’s Process Explorer utility in order to disable endpoint security software, before they deploy ransomware on already compromised systems.
The newly discovered defense evasion tool, AuKill, has been utilized in at least three ransomware attacks since the start of the year, including a Medusa Locker ransomware attack in January and February and a LockBit ransomware attack in February. Researchers with Sophos found six different versions of AuKill dating back to last year.
“Disabling EDR clients using drivers, whether they are legitimate and abused for malicious purposes (BYOVD), or signed by a stolen/leaked certificate, continues to be popular among adversaries who want to disable defense mechanisms,” said Andreas Klopsch, threat researcher with Sophos, in an analysis this week.
Drivers can access critical security components in kernel memory, so as a security measure Windows uses a process called Driver Signature Enforcement to ensure that only signed drivers can load onto user systems. Attackers have used various methods to bypass this protection, including leveraging malicious drivers signed by a previously stolen certificate, or drivers that are legitimate - created by and signed by Microsoft - but out of date.
The threat actors utilizing AuKill relied on the latter tactic, using an outdated, exploitable version of Process Explorer. Process Explorer is part of Microsoft’s Windows Sysinternals administration toolset and shows data on what handles or DLLs processes have been loaded. Sophos has informed Microsoft about the incidents leveraging the outdated Process Explorer driver.
“AuKill drops a driver named PROCEXP.SYS (from the release version 16.32 of process Explorer) into the C:\Windows\System32\drivers path,” said Klopsch. “The legitimate Process Explorer driver is named PROCEXP152.sys, and normally is found in the same location. Both drivers can be present on a machine that has a copy of Process Explorer running. The AuKill installer also drops an executable copy of itself to either the System32 or the TEMP directory, which it runs as a service.”
Notably, the AuKill tool requires existing administrative privileges to work, and researchers said it’s likely that the ransomware actors using the tool previously accessed these privileges, through other means, before launching the malware.
After being executed, AuKill makes sure it has administrative privileges, and if not it attempts to gain SYSTEM privileges by impersonating the “TrustedInstaller.exe” service. AuKill also starts several threads targeting different components to make sure that endpoint detection and response processes stay disabled.
Klopsch said that driver-based attacks against security products are on the rise, with several of these attacks previously abusing vulnerable Process Explorer drivers. Last year, for instance, the Backstab utility was observed using outdated versions of this driver in a LockBit ransomware attack, and in February MalVirt loaders also relied on Process Explorer drivers in malvertising attacks.
“Last year, the security community reported about multiple incidents, where drivers have been weaponized for malicious purposes,” said Klopsch. “The discovery of such a tool confirms our assumption that adversaries continue to weaponize drivers, and we expect even more development in this area [in] the upcoming months.”