
AuKill tool abuses an old Process Explorer driver to disable security solutions and deploy malware
Sophos researchers have identified a tool called AuKill that abuses the driver shipped with an outdated version of Process Explorer to disable EDR and other security software before dropping backdoors or ransomware on the machine. In particular, Medusa Locker and LockBit were deployed this way in January and February 2023. The six AuKill variants seen in circulation share code with Backstab, an open-source EDR-killing tool first published in 2021.
The technique is known as BYOVD (Bring Your Own Vulnerable Driver): the attacker brings along a driver that is legitimately signed but abusable, loads it, and uses it to perform kernel-privileged actions that user-mode malware could not do on its own, such as terminating protected security processes. The driver is not malicious code in itself, which is exactly why signature-based checks let it through. In this case it is PROCEXP.SYS from Microsoft's Process Explorer 16.32, which AuKill copies into the C:\Windows\System32\drivers directory alongside the legitimate PROCEXP152.SYS.
AuKill needs administrative rights to start with, since loading a driver requires them; from there it impersonates TrustedInstaller (the Windows Modules Installer service) to obtain SYSTEM privileges. After establishing persistence, the malware writes PROCEXP.SYS to disk and loads it. Because the driver is a genuine, Microsoft-signed binary, security products do not flag it as malicious, and AuKill uses it to kill security services and processes.
Our take: To defend against this, we suggest that you:
- keep your system and your apps updated
- use separate standard-user and administrator accounts, so day-to-day activity does not run with the admin rights AuKill needs to load the driver
- make sure the Microsoft vulnerable driver blocklist (or an equivalent HVCI/WDAC policy) is enabled so known-bad drivers cannot be loaded, and monitor for unexpected driver installs
- run a good AV/EDR product with anti-ransomware and tamper protection, so that it is not trivially switched off once an attacker has admin rights
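As an added, concrete example of the last two points (this is not code from the article or from Sophos), the PowerShell script below hunts for the artefacts described above and checks whether the Microsoft vulnerable driver blocklist is turned on. It assumes the file names and path given in the article (PROCEXP.SYS dropped next to PROCEXP152.SYS in System32\drivers); the Service Control Manager event ID and the registry value it reads are standard Windows locations that the article itself does not mention.

```powershell
# Added hunt script: not part of the article or of Sophos's research.
# Run from an elevated PowerShell prompt. The file names and path come from
# the article; event 7045 and the CI\Config registry value are standard Windows.

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

function Get-ProcExpDriverFindings {
    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Process Explorer driver files on disk. A bare PROCEXP.SYS sitting in
    #    the drivers directory is the artefact AuKill leaves behind.
    foreach ($file in Get-ChildItem -Path $driverDir -Filter 'procexp*.sys' -ErrorAction SilentlyContinue) {
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
        $note = if ($file.Name -ieq 'PROCEXP.SYS') { 'name matches the driver AuKill drops' } else { 'legitimate name; verify version' }
        $findings.Add([pscustomobject]@{
            Check  = 'OnDisk'
            Where  = $file.FullName
            Detail = "version=$($file.VersionInfo.FileVersion) signer='$($sig.SignerCertificate.Subject)' sig=$($sig.Status)"
            Note   = $note
        })
    }

    # 2. Kernel driver services whose image path points at a procexp driver.
    #    Loading a driver means registering a driver service, so a copy that
    #    was loaded shows up here even if it is not running right now.
    foreach ($svc in Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.PathName -match 'procexp' }) {
        $findings.Add([pscustomobject]@{
            Check  = 'DriverService'
            Where  = $svc.PathName
            Detail = "service=$($svc.Name) state=$($svc.State) startMode=$($svc.StartMode)"
            Note   = 'driver service registered'
        })
    }

    # 3. Service Control Manager event 7045 ("A service was installed") in the
    #    System log. The install is logged even if the driver file was later deleted.
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045 }
    foreach ($evt in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'procexp' }) {
        $findings.Add([pscustomobject]@{
            Check  = 'Event7045'
            Where  = 'System log'
            Detail = "time=$($evt.TimeCreated)"
            Note   = ($evt.Message -split "`r?`n")[0]
        })
    }

    return $findings
}

function Get-VulnerableDriverBlocklistState {
    # Windows 11 22H2 and later expose the Microsoft vulnerable driver blocklist
    # toggle as this DWORD (1 = on). Devices with HVCI enforce the list regardless.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $item = Get-ItemProperty -Path $key -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not exposed on this build (check HVCI / WDAC policy instead)' }
    if ($item.VulnerableDriverBlocklistEnable -eq 1) { 'enabled' }
    else { 'DISABLED: turn it on under Windows Security > Device security > Core isolation' }
}

$results = Get-ProcExpDriverFindings
if (-not $results) { 'No Process Explorer driver artefacts found.' } else { $results | Format-Table -AutoSize -Wrap }
"Vulnerable driver blocklist: $(Get-VulnerableDriverBlocklistState)"
```

A hit on the OnDisk check with a valid Microsoft signature is expected for the legitimate PROCEXP152.SYS on machines where Process Explorer has been run, so the version and the bare PROCEXP.SYS name are what distinguish the AuKill drop; the blocklist check tells you whether the OS would have refused to load the old driver in the first place.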