How fiends abuse an out-of-date Microsoft Windows driver to infect victims

It's like those TV movies where a spy cuts a wire and the whole building's security goes out

Ransomware spreaders have built a handy tool that abuses an out-of-date Microsoft Windows driver to disable security defenses before dropping malware into the targeted systems.

This detection evasion utility, which Sophos X-Ops researchers are calling AuKill, is the latest example in a growing trend where miscreants either abuse a legitimate driver to disable, silence or otherwise get past endpoint detection and response (EDR) software on the systems – the so-called bring-your-own-vulnerable-driver (BYOVD) attack – or work to get a malicious driver that does the same digitally signed by a trusted entity and injected onto a victim's computer.

Either way, the victim's PC is duped into trusting a privileged driver, granting an intruder low-level rights and access, which gives them the ability to side step any protections and deploy their malware. And to be clear, AuKill takes the BYOVD approach: it brings onto the PC a vulnerable Microsoft driver to exploit.

"Last year, the security community reported about multiple incidents where drivers have been weaponized for malicious purposes," Andreas Klopsch, a threat researcher at Sophos, wrote in a technical report this month.

"The discovery of such a tool confirms our assumption that adversaries continue to weaponize drivers, and we expect even more development in this area the upcoming months."

AuKill hit the scene in the wake of a rash of cases reported by a number of cybersecurity vendors – not only Sophos, but also SentinelOne, Microsoft, and Google's Mandiant – where multiple attackers created malicious drivers and duped Microsoft into digitally signing the code to give it the veneer of legitimacy. This signed malicious code would then be trusted and allowed to run by Windows. As part of the research, Microsoft suspended various third-party developers of malicious Windows drivers and revoked certificates that were used to sign the drivers.

The AuKill tool, which exploits an outdated 16.32 version of Microsoft's Process Explorer driver to disable EDR processes, was used in at least three ransomware attacks since the start of the year. In two of the incidents – one in January, the other a month later – attackers deployed the Medusa Locker ransomware after AuKill paved the way through the EDR defenses. AuKill brought the bad driver with it to exploit as it infiltrated the victims' networks.

In February, miscreants used AuKill before deploying LockBit.

Sophos notified Microsoft about the abuse of the outdated Process Explorer driver.

This isn't the first time the Process Explorer driver was exploited to enable malware to bypass EDR systems. An open-source anti-malware tool called Backstab, first published in 2021, or a version of it has been used in attacks. In November 2022, a criminal used Backstab to disable EDR processes before delivering LockBit.

Three months later, SentinelOne researchers wrote about MalVirt, a tool that used the same Process Explorer driver.

Drivers make attractive tools for cybercriminals. Though low-level system components, they can access critical security structures in the kernel memory. For security reasons, Windows include a feature called Driver Signature Enforcement, which ensures that kernel-mode drivers have been signed by a valid code-signing authority before Windows lets them run. The signature is seen by the OS verification of the software's identity.

Sophos over the past few months collected six variants of AuKill and found myriad similarities between Backstab and Aukill, including characteristic debug strings and almost identical code flow logic used to interact with the driver.

"Sophos believes the author of AuKill used multiple code snippets from, and built their malware around, the core technique introduced by Backstab," Klopsch writes.

A pile of Microsoft floppy disks

Microsoft realizes it hasn't updated list of banned dodgy Windows 10 drivers in years

READ MORE

AuKill is designed to both abuse a legitimate but outdated driver while also getting Microsoft to digitally sign it. It drops the older driver into the system's Windows OS, where it can sit with the newer Process Explorer driver already in the system. Both are present and signed by Microsoft.

Once executed, AuKill determines that it has admin privileges, which it needs to operate. It also requires that the attacker runs the file with a keyword or password. It will shut down if either requirement is not met.

"The AuKill tool requires administrative privileges to work, but it cannot give the attacker those privileges," writes Klopsch at Sohpos. "The threat actors using AuKill took advantage of existing privileges during the attacks, when they gained them through other means."

It then disables or terminates various components in the EDR processes and drops the malware used to infect the system.

To defend against this, ensure your environment can detect and block bad and banned drivers from being installed and/or run. Microsoft has some notes about that here. ®

More about

TIP US OFF

Send us news


Other stories you might like