Aukill

Malware updated a month ago (2024-10-17T12:01:06.807Z)

Download STIX

Preview STIX

AuKill, a malicious software (malware) developed by the notorious cybercrime collective FIN7, has been identified as a significant threat to endpoint security. The malware was designed to exploit a vulnerable version of a driver for Microsoft's Process Explorer utility, thereby disabling endpoint protection products. This tool was first reported in April 2023 when it was used in multiple attacks attempting to deploy Medusa Locker and LockBit ransomware. AuKill, also known as AvNeutralizer, was exclusively used by a single group for six months, targeting various endpoint security solutions. The development of AuKill began in April 2022 by FIN7, a largely Russian-Ukrainian operation that has been carrying out financially motivated cyber campaigns across industries since 2012. This tool has the ability to bypass security solutions, and its new feature specifically targets the protected processes run by Endpoint Detection and Response (EDR) solutions. In July 2023, Sophos behavioral rules were triggered by activity from a driver for another company's security product, indicating that sometimes vulnerable drivers can be detected before exploitation. In recent times, AuKill has seen a surge in usage and is becoming increasingly popular among high-level ransomware groups. It was discovered being sold commercially on the Dark Web by Sophos X-Ops, indicating its widespread availability to cybercriminals. A report from SentinelOne further highlights the growing prevalence of AuKill, underscoring the need for continued vigilance and proactive measures to counter this evolving threat.

Description last updated: 2024-10-17T11:57:59.711Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Tool

Malware

Ransomware

Cybercrime

Sophos

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Lockbit Malware is associated with Aukill. LockBit is a malicious software, or malware, known for its damaging and exploitative functions. It infiltrates systems via dubious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The LockBit	Unspecified	2
The Locker Ransomware Malware is associated with Aukill. Locker ransomware, a type of malware, poses significant risks to computer systems and data. Unlike crypto-ransomware which encrypts user data, locker ransomware locks users out of their devices entirely, demanding a ransom payment to restore access without any data encryption. This threat has evolve	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Medusa Threat Actor is associated with Aukill. Medusa, a threat actor group known for its malicious activities, has been increasingly involved in multiple high-profile cyber attacks. In November 2023, Medusa and other groups like LockBit and ALPHV (BlackCat) exploited a zero-day vulnerability, the Citrix Bleed (CVE-2023-4966), leading to numerou	Unspecified	2
The FIN7 Threat Actor is associated with Aukill. FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global	Unspecified	2

Source Document References

Information about the Aukill Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
DARKReading	3 months ago	RansomHub Rolls Out Brand-New, EDR-Killing BYOVD Binary
Securityaffairs	4 months ago	FIN7 group advertises new EDR bypass tool on hacking forums
Securityaffairs	4 months ago	FIN7 group advertises new EDR bypass tool on hacking forums
DARKReading	4 months ago	Security End-Run: 'AuKill' Shuts Down Windows-Reliant EDR Processes
CERT-EU	8 months ago	Cybercrime on Main Street – Sophos News \| #cybercrime \| #infosec \| National Cyber Security Consulting
CERT-EU	8 months ago	Cybercrime on Main Street – Sophos News \| #cybercrime \| #computerhacker - Am I Hacker Proof
CERT-EU	a year ago	Stories from the SOC – Unveiling the stealthy tactics of Aukill malware \| IT Security News
CERT-EU	a year ago	Stories from the SOC - Unveiling the stealthy tactics of Aukill malware - Cybersecurity Insiders
DARKReading	2 years ago	'AuKill' Malware Hunts & Kills EDR Processes
CERT-EU	2 years ago	AuKill - A Malware That Kills EDR Clients To Attack Windows Systems
CERT-EU	2 years ago	Flaw in Microsoft Process Explorer under active attack
Securityaffairs	2 years ago	AuKill tool uses BYOVD attack to disable EDR software
CERT-EU	2 years ago	Crooks abuse Microsoft Windows driver to infect victims
CERT-EU	2 years ago	Cyber Security Today, April 26, 2023 – New reports on ransomware and cyber attacks \| IT World Canada News
CERT-EU	2 years ago	AuKill Malware Actively Used To Disable EDR In Ongoing Attacks \| IT Security News
CERT-EU	2 years ago	Ransomware Attacks Increasingly Using AuKill Malware to Disable EDR – Gridinsoft Blogs \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware – National Cyber Security Consulting