Ransomware gangs are abusing an out-of-date Microsoft software driver to disable security defenses before dropping malware into the targeted systems.
The hacking tool, which Sophos X-Ops researchers are calling AuKill, is the latest example in a growing trend where threat gangs either abuse a legitimate commercial driver to get past endpoint detection and response (EDR) software on the systems – the so-called bring-your-own-vulnerable-driver (BYOVD) attack – or work to get a malicious driver digitally signed by a trusted certificate.
Either way, the system is duped into trusting the drivers and letting them in, giving the miscreants access to deploy their malware.
“Last year, the security community reported about multiple incidents where drivers have been weaponized for malicious purposes,” Andreas Klopsch, a threat researcher at Sophos, writes in a report. “The discovery of such a tool confirms our assumption that adversaries continue to weaponize drivers, and we expect even more development in this area in the upcoming months.”
AuKill hit the scene in the wake of a rash of cases reported by a number of cybersecurity vendors – not only Sophos, but also SentinelOne, Microsoft, and Google’s Mandiant – where multiple attackers created malicious drivers and then duped Microsoft into signing them, lending the drivers a veneer of legitimacy. As part of the research, Microsoft suspended various third-party developers of malicious Windows drivers and revoked the certificates that had been used to sign the drivers.
The AuKill tool, which abuses the outdated 16.32 version of Microsoft’s Process Explorer driver to disable the EDR