
Ransomware gangs abuse Process Explorer driver to kill security software

  • April 19, 2023

Jasper_The_Rasper
Moderator

April 19, 2023 By Sergiu Gatlan

Threat actors use a new hacking tool dubbed AuKill to disable Endpoint Detection & Response (EDR) Software on targets' systems before deploying backdoors and ransomware in Bring Your Own Vulnerable Driver (BYOVD) attacks.

In such attacks, malicious actors drop legitimate drivers signed with a valid certificate and capable of running with kernel privileges on the victims' devices to disable security solutions and take over the system.

This technique is popular among various threat actors, from state-backed hacking groups to financially-motivated ransomware gangs.

The AuKill malware, first spotted by Sophos X-Ops security researchers, drops a vulnerable Windows driver (procexp.sys) next to the one used by Microsoft's Process Explorer v16.32. This is a very popular and legitimate utility that helps collect information on active Windows processes.

 

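The defensive side of the BYOVD pattern described in the article is that a valid Authenticode signature tells you nothing about whether a driver is vulnerable, so detection has to lean on hash blocklists and load context instead. The following is an added example, not code from the article, from BleepingComputer or from Sophos: a small detector over Sysmon Event ID 6 (DriverLoad) records. The Sysmon field names (ImageLoaded, Hashes, Signed, Signature, SignatureStatus) are real; the sample records and the blocklist hash are constructed placeholders, not real AuKill indicators. It assumes, as the article implies, that a current Process Explorer writes its driver as PROCEXP152.SYS under System32\drivers, so a PROCEXP.SYS in that directory is the pattern worth flagging.

```python
"""Flag Bring-Your-Own-Vulnerable-Driver (BYOVD) loads in Sysmon Event ID 6 records.

Added example; not from the article or the Sophos research. Sample events and
the blocklist hash below are constructed placeholders, not real indicators.
"""

# Constructed placeholder blocklist. In practice, populate this from a curated
# source such as the loldrivers.io project or Microsoft's vulnerable driver
# blocklist; a valid signature on a listed driver is expected, not reassuring.
VULNERABLE_DRIVER_SHA256 = {
    "aa" * 32: "Process Explorer 16.32 driver (placeholder hash, constructed)",
}

# Directories a kernel driver should never be loaded from.
USER_WRITABLE_HINTS = ("\\temp\\", "\\programdata\\", "\\users\\", "\\downloads\\")


def parse_hashes(hashes_field: str) -> dict:
    """Split Sysmon's 'SHA1=..,MD5=..,SHA256=..,IMPHASH=..' string into a dict."""
    out = {}
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo and value:
            out[algo.strip().upper()] = value.strip().lower()
    return out


def evaluate_driver_load(event: dict) -> list:
    """Return the reasons (possibly empty) a DriverLoad record looks like BYOVD."""
    reasons = []
    image = event.get("ImageLoaded", "")
    lowered = image.lower()
    name = lowered.rsplit("\\", 1)[-1]
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")

    # Rule 1: hash blocklist. This is the check that actually catches a signed,
    # legitimate but vulnerable driver such as the one AuKill drops.
    if sha256 in VULNERABLE_DRIVER_SHA256:
        reasons.append(f"known vulnerable driver: {VULNERABLE_DRIVER_SHA256[sha256]}")

    # Rule 2: file-name pattern. Assumption: current Process Explorer writes
    # PROCEXP152.SYS, so a bare procexp.sys next to it is the AuKill layout.
    if name == "procexp.sys":
        reasons.append("procexp.sys is not the file name the current Process Explorer writes")

    # Rule 3: kernel code loaded from a user-writable location.
    if any(hint in lowered for hint in USER_WRITABLE_HINTS):
        reasons.append(f"driver loaded from user-writable path: {image}")

    # Rule 4: unsigned or invalid signature. Catches crude loaders, not BYOVD
    # itself, which is why it comes last and never replaces rule 1.
    signed = event.get("Signed", "true").lower() == "true"
    if not signed or event.get("SignatureStatus", "Valid") != "Valid":
        reasons.append("driver is unsigned or has an invalid signature")

    return reasons


def scan(events) -> dict:
    """Map each loaded image path to its list of findings."""
    return {e["ImageLoaded"]: evaluate_driver_load(e) for e in events}


# Constructed sample telemetry in Sysmon Event ID 6 field layout (not real logs).
SAMPLE_EVENTS = [
    {   # current Process Explorer driver: clean
        "ImageLoaded": r"C:\Windows\System32\drivers\PROCEXP152.SYS",
        "Hashes": "SHA256=" + "bb" * 32,
        "Signed": "true",
        "Signature": "Microsoft Corporation",
        "SignatureStatus": "Valid",
    },
    {   # old, vulnerable driver dropped beside it: signed and valid, still flagged
        "ImageLoaded": r"C:\Windows\System32\drivers\PROCEXP.SYS",
        "Hashes": "SHA1=" + "cc" * 20 + ",SHA256=" + "aa" * 32,
        "Signed": "true",
        "Signature": "Microsoft Corporation",
        "SignatureStatus": "Valid",
    },
    {   # unsigned driver from a user-writable path
        "ImageLoaded": r"C:\Users\Public\Downloads\helper.sys",
        "Hashes": "SHA256=" + "dd" * 32,
        "Signed": "false",
        "SignatureStatus": "Unavailable",
    },
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_EVENTS).items():
        print(path, "->", findings or "clean")
```

Rule 1 is the one that matters for AuKill-style abuse; rules 2 through 4 are cheap context checks that surface related sloppiness. On a real host the same idea is enforced at load time by Microsoft's vulnerable driver blocklist (via HVCI or a WDAC policy), which is worth enabling alongside any log-based detection.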


TripleHelix
Moderator
  • April 20, 2023

They will pick on anything, and I didn't see any odd behaviour from Process Explorer v16.32, but I have updated to and still see no odd behaviour! https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer

Thanks,