Overview – Malware Targets EDR & MDR Software
EDR and MDR tools have become a massive part of detecting, responding to, and monitoring cyber threats and stopping attacks. Endpoint Detection & Response (EDR) and Managed Detection & Response (MDR) are tools deployed on a device to protect a particular endpoint and provide security monitoring and management across an organization’s entire IT environment.
New AuKill Malware
However, recently threat actors have been using a new hacking tool called AuKill which can disable the EDR software on a target’s system before deploying any backdoors or ransomware. This process occurs in Bring Your Own Vulnerable Driver (BYOVD) attacks. Within these attacks, the malicious actors release legitimate drivers signed with a valid certificate capable of running kernel privileges on the victim’s device. This disables the security EDR solution and takes over the system. This type of attack ranges from all kinds of threat actors, ranging from state-backed hacking groups to ransomware groups motivated by money.
How AuKill Malware Disables Security Software
Sophos X-Ops security was the one who discovered the AuKill malware. They found that AuKill drops a vulnerable Windows driver (procexp.sys) next to the one used by Microsoft’s Process Explorer v16.32. This common and legitimate utility can collect information on active Windows processes. Then, it moves to disable the EDR software. To do this, AuKill starts several threads to check and disable the security services and prevent them from restarting to avoid detection. See the articles below for more information on the exact processes AuKill takes to stop an EDR solution.
While there are no set remediations at the moment, the following can help protect against a future attack:
- Firstly, if you have an EDR security service in place, it is recommended to enable tamper protection for this agent to prevent any unwanted processes related to its ability to run.
- Also, ensure the separation of users and admin privileges is in place to prevent privilege escalation attacks.
- Stay up to date on patches, maintaining the latest version of a device, applications, and tools within the system.
- Maintain vulnerability management within your environment to detect any flaws.
Sources
https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/