Avneutralizer

Malware updated 3 months ago (2024-11-29T14:45:11.860Z)
AvNeutralizer, also known as AuKill, is a malware tool developed by the group FIN7 to bypass and disable endpoint security solutions. It uses several techniques to interfere with and evade security products, including abuse of the Windows driver ProcLaunchMon.sys, a novel technique that SentinelLabs researchers discovered in a new version of AvNeutralizer. In addition, AvNeutralizer combines multiple drivers and operations to trigger a denial of service (DoS) condition in protected processes.

SentinelLabs' investigation revealed that AvNeutralizer targeted multiple endpoint security solutions and had been used exclusively by a single group for six months. Starting in January 2023, however, updated versions of AvNeutralizer were observed in use by multiple ransomware groups, which suggests the tool was being offered to other threat actors on underground forums. On March 28, 2023, an individual using the handle "Stupor" advertised an AV killer tool for $10,000 on xss[.]is; the advertised tool was identified as an updated version of AvNeutralizer, a sign of a growing market for such tooling. The unpacked AvNeutralizer payload employs ten different techniques to tamper with security solutions on the host.
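One way to hunt for the driver abuse described above in endpoint telemetry, as an added example that is not code from the page's sources (SentinelLabs or the referenced articles) or from any AvNeutralizer sample: the script below scans constructed Sysmon-style driver-load (Event ID 6) records and flags any load of ProcLaunchMon.sys, plus any unsigned driver as a generic secondary check. The record layout, the sample events and the heuristic that ProcLaunchMon.sys is rarely loaded outside a debugging session are assumptions made for the example, not statements from the page.

```python
"""Hunt for loads of ProcLaunchMon.sys in Sysmon-style driver-load records.

Added example for this page; it is not code from SentinelLabs, Sophos or
any AvNeutralizer sample.  Assumptions (not stated on the page): events are
dicts carrying Sysmon Event ID 6 field names (UtcTime, ImageLoaded, Signed,
Signature); treating any load of ProcLaunchMon.sys outside a debugging
session as review-worthy is our own hunting heuristic.
"""
import ntpath

# Driver named on the page as abused by AvNeutralizer (matched case-insensitively).
WATCHED_DRIVERS = {"proclaunchmon.sys"}

# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-01-10 09:12:01",
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"UtcTime": "2024-01-10 09:15:44",
     "ImageLoaded": r"C:\Windows\System32\drivers\ProcLaunchMon.sys",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"UtcTime": "2024-01-10 09:15:45",
     "ImageLoaded": r"C:\Users\Public\tools\helper.sys",
     "Signed": "false", "Signature": "-"},
]


def driver_name(image_path):
    """Return the lower-cased file name of a Windows driver path."""
    return ntpath.basename(image_path).lower()


def classify_event(event):
    """Return the list of reasons an event deserves review (empty if none)."""
    reasons = []
    if driver_name(event.get("ImageLoaded", "")) in WATCHED_DRIVERS:
        reasons.append("watched driver loaded (ProcLaunchMon.sys abuse described for AvNeutralizer)")
    # Generic secondary check, independent of the page: unsigned kernel drivers are always worth a look.
    if str(event.get("Signed", "")).lower() != "true":
        reasons.append("driver is not signed")
    return reasons


def hunt_driver_loads(events):
    """Return one alert per event that triggers at least one reason."""
    alerts = []
    for event in events:
        reasons = classify_event(event)
        if reasons:
            alerts.append({"time": event.get("UtcTime", ""),
                           "driver": event.get("ImageLoaded", ""),
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in hunt_driver_loads(SAMPLE_EVENTS):
        print(alert["time"], alert["driver"], "; ".join(alert["reasons"]))
```

Because ProcLaunchMon.sys is a Microsoft-signed, built-in driver, a signature check alone will never catch its abuse; the hunt has to key on the fact that the driver was loaded at all, and then correlate with what created the service or opened the device, which this example leaves to the analyst.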
Description last updated: 2024-08-14T09:46:29.348Z
Aliases: We are not currently tracking any aliases
Source Document References
Information about the AvNeutralizer malware was read from the documents below.
Securityaffairs (7 months ago)
Securityaffairs (7 months ago)