Security End-Run: ‘AuKill’ Shuts Down Windows-Reliant EDR Processes

Born to AuKill

FIN7, a largely Russian-Ukrainian operation, has run financially motivated cyber campaigns across many industries since 2012. It started with point-of-sale (PoS) malware and moved to ransomware as the cybercrime economy shifted. Alongside launching ransomware-as-a-service (RaaS) brands such as DarkSide and BlackMatter, FIN7 also partnered with other prominent ransomware groups, including Conti and REvil.

In April 2022, FIN7 began developing AuKill, an EDR-killer tool built to disable endpoint security products. Marketed under several aliases on cybercrime forums, AuKill was priced in the thousands of dollars. Black Basta was the first known actor to use AuKill in the wild, in June 2022, and other ransomware groups had adopted the tool in their attacks by early 2023. SentinelOne has observed AuKill deployed alongside ransomware payloads including AvosLocker, BlackCat, and LockBit.

The New Technique

As any new malware tool gains attention, it risks losing its effectiveness as defenders adapt to counter it, so its authors must keep updating and extending it. AuKill's latest feature targets the protected processes that EDR solutions rely on, abusing the time-travel debugging (TTD) monitor driver that ships with Windows together with an updated version of the Sysinternals Process Explorer driver.

Using these two drivers, AuKill locates the EDR's protected processes and suspends them, so they can no longer spawn or restart the non-protected helper processes they depend on; the security product then crashes, leaving the endpoint unprotected. Antonio Cocomazzi, a staff offensive security researcher at SentinelOne, advises organizations to demand anti-tampering protection from their security solutions to withstand kernel-mode attacks such as those abusing the Process Explorer driver. Additional measures, such as kernel-level monitoring of driver loads and restricting which drivers may be installed, further raise the bar against these threats.
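As an added illustration of the "kernel-level monitoring" recommended above (this is example code written for this page, not part of the article or of SentinelOne's research), the script below hunts through Windows System log Event ID 7045 ("A service was installed in the system") records for kernel-driver services that warrant a look. The suspension of a protected process by these drivers is not itself logged; what a defender can observe is the attacker registering the driver as a service. The driver file names on the watch list are assumptions drawn from public knowledge of the tools involved (PROCEXP152.sys is the Process Explorer driver, ProcLaunchMon.sys the Windows TTD process-launch monitor driver), the field names mirror those of the real 7045 event, and the sample events are constructed.

```python
"""Hunt for suspicious kernel-driver installs in Windows System log Event ID 7045 records."""
import ntpath
from dataclasses import dataclass

# Assumed watch list: drivers known to be abused by EDR-killer tooling.
# PROCEXP152.sys is the Sysinternals Process Explorer driver; PROCEXP.sys is the
# name the dropped copy is assumed to use; ProcLaunchMon.sys is the Windows TTD
# process-launch monitor driver. Legitimate admin use of Process Explorer also
# installs this driver, so a hit is a lead to triage, not a verdict.
WATCHED_DRIVERS = {"procexp152.sys", "procexp.sys", "proclaunchmon.sys"}
EXPECTED_DRIVER_DIR = "\\systemroot\\system32\\drivers"


@dataclass
class ServiceInstallEvent:
    """Subset of the fields carried by Event ID 7045."""
    service_name: str
    image_path: str
    service_type: str   # "kernel mode driver", "file system driver", "user mode service"
    start_type: str
    account_name: str


def normalize_image_path(raw: str) -> str:
    """Canonicalise the spellings 7045 uses for the same driver location."""
    p = raw.strip().strip('"').lower()
    if p.startswith("\\??\\"):            # NT object-manager prefix
        p = p[4:]
    if p.startswith("c:\\windows\\"):      # drive-letter form
        p = "\\systemroot\\" + p[len("c:\\windows\\"):]
    elif p.startswith("system32\\"):      # relative form used by many installers
        p = "\\systemroot\\" + p
    return p


def assess(ev: ServiceInstallEvent) -> list[str]:
    """Return the reasons a 7045 record looks suspicious (empty list if none)."""
    if ev.service_type.lower() not in ("kernel mode driver", "file system driver"):
        return []                         # user-mode services are out of scope here
    path = normalize_image_path(ev.image_path)
    reasons = []
    base = ntpath.basename(path)
    if base in WATCHED_DRIVERS:
        reasons.append(f"watch-listed driver {base} installed as service {ev.service_name}")
    if ntpath.dirname(path) != EXPECTED_DRIVER_DIR:
        reasons.append(f"driver loaded from outside System32\\drivers: {path}")
    return reasons


def hunt(events: list[ServiceInstallEvent]) -> list[tuple[str, list[str]]]:
    """Return (service_name, reasons) for every event that produced at least one reason."""
    hits = []
    for ev in events:
        reasons = assess(ev)
        if reasons:
            hits.append((ev.service_name, reasons))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ServiceInstallEvent("VendorFilter", "\\SystemRoot\\System32\\drivers\\vendorfilter.sys",
                        "kernel mode driver", "system start", "LocalSystem"),
    ServiceInstallEvent("PROCEXP", "\\??\\C:\\Users\\Public\\procexp.sys",
                        "kernel mode driver", "demand start", "LocalSystem"),
    ServiceInstallEvent("UpdaterSvc", "\"C:\\Program Files\\Vendor\\updater.exe\"",
                        "user mode service", "auto start", "LocalSystem"),
    ServiceInstallEvent("PROCEXP152", "system32\\DRIVERS\\PROCEXP152.sys",
                        "kernel mode driver", "demand start", "LocalSystem"),
]

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_EVENTS):
        print(name)
        for r in reasons:
            print("   -", r)
```

Two design choices matter here. Paths are canonicalised before comparison because the same driver appears in 7045 as `\??\C:\Windows\...`, `\SystemRoot\...` or a bare `system32\...`, and an attacker controls which form is written. The location check is kept separate from the name check so that a renamed copy of the driver dropped into a user-writable directory still fires, while a legitimate Process Explorer session only produces the lower-confidence name hit.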

Winsage