If you haven’t patched Microsoft Process Explorer, prepare to get pwned

Ransomware gangs are abusing an out-of-date Microsoft software driver to disable security defenses before dropping malware into the targeted systems.

The hacking tool, which Sophos X-Ops researchers are calling AuKill, is the latest example in a growing trend where threat gangs either abuse a legitimate commercial driver to get past endpoint detection and response (EDR) software on the systems – the so-called bring-your-own-vulnerable-driver (BYOVD) attack – or work to get a malicious driver digitally signed by a trusted certificate.

Either way, the system is duped into trusting the drivers and letting them in, giving the miscreants access to deploy their malware.

“Last year, the security community reported about multiple incidents where drivers have been weaponized for malicious purposes,” Andreas Klopsch, a threat researcher at Sophos, writes in a report. “The discovery of such a tool confirms our assumption that adversaries continue to weaponize drivers, and we expect even more development in this area in the upcoming months.”

AuKill hit the scene in the wake of a rash of cases reported by a number of cybersecurity vendors – not only Sophos, but also SentinelOne, Microsoft, and Google’s Mandiant – where multiple attackers created malicious drivers and then duped Microsoft into signing them, giving the drivers a veneer of legitimacy. As part of the research, Microsoft suspended various third-party developers of malicious Windows drivers and revoked the certificates that had been used to sign the drivers.

The AuKill tool, which abuses the outdated 16.32 version of Microsoft’s Process Explorer driver to disable the EDR processes, was used in at least three ransomware attacks since the start of the year. In two of the incidents – one in January, the other a month later – attackers deployed the Medusa Locker ransomware after AuKill paved the way through the EDR defenses.

In February, miscreants used AuKill before deploying LockBit.

Sophos notified Microsoft about the abuse of the outdated Process Explorer driver.

This isn’t the first time the Process Explorer driver has been exploited to let malware bypass EDR systems. Backstab, an open-source anti-malware tool first published in 2021, or a variant of it, has been used in attacks. In November 2022, a criminal used Backstab to disable EDR processes before delivering LockBit.

Three months later, SentinelOne researchers wrote about MalVirt, a tool that used the same Process Explorer driver.

Drivers make attractive tools for cybercriminals. Although they are low-level system components, they can access critical security structures in kernel memory. For security reasons, Windows includes a feature called Driver Signature Enforcement, which ensures that kernel-mode drivers have been signed by a valid code-signing authority before Windows lets them run. The OS treats the signature as verification of the software’s identity.

Over the past few months Sophos collected six variants of AuKill and found myriad similarities between Backstab and AuKill, including characteristic debug strings and almost identical code-flow logic used to interact with the driver.

“Sophos believes the author of AuKill used multiple code snippets from, and built their malware around, the core technique introduced by Backstab,” Klopsch writes.

AuKill is designed to abuse a legitimate but outdated driver that Microsoft has digitally signed. It drops the older driver onto the Windows system, where it can sit alongside the newer Process Explorer driver already installed. Both are present and both are signed by Microsoft.
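The condition just described, an older copy of the Process Explorer driver sitting next to a current one, is something a defender can look for directly. The following PowerShell inventory script is an added example, not code from the Sophos report or from The Register; it assumes the driver file name pattern `procexp*.sys` and the search locations, which are not given in the article, and it reports file version, Authenticode signer and signature status so the result can be compared against the 16.32 version the article names.

```powershell
# Added example (not from the article or the Sophos report): inventory copies of the
# Sysinternals Process Explorer driver on a Windows host and flag the "two copies,
# one old" condition described above.
# ASSUMPTIONS (not from the article): the file-name pattern 'procexp*.sys' and the
# directories searched below.

$SearchRoots = @("$env:SystemRoot", "$env:SystemRoot\System32\drivers", "$env:TEMP")
$Pattern     = 'procexp*.sys'   # assumed name pattern for the Process Explorer driver

function Get-ProcExpDriverReport {
    # Walk each root one level deep and describe every matching driver file.
    foreach ($root in $SearchRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -Filter $Pattern -File -Recurse -Depth 1 -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path           = $_.FullName
                    FileVersion    = $_.VersionInfo.FileVersion
                    ProductVersion = $_.VersionInfo.ProductVersion
                    Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                    SigStatus      = $sig.Status        # Valid / NotSigned / HashMismatch ...
                    LastWriteUtc   = $_.LastWriteTimeUtc
                }
            }
    }
}

function Get-ProcExpDriverServices {
    # Drivers registered as kernel services, so a dropped file that was actually
    # loaded shows up here alongside the on-disk inventory.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like '*procexp*' } |
        Select-Object Name, State, StartMode, PathName
}

$report = @(Get-ProcExpDriverReport)
$report | Format-Table -AutoSize
Get-ProcExpDriverServices | Format-Table -AutoSize

# More than one copy on a single host is exactly the condition worth escalating:
# compare versions and last-write times, and check whether the older copy
# corresponds to a release the vendor has since superseded.
if ($report.Count -gt 1) {
    Write-Warning "Found $($report.Count) Process Explorer driver files; compare FileVersion and LastWriteUtc before trusting either."
}
```

Run it from an elevated prompt so that the drivers directory is readable. A signature that reports `Valid` with a Microsoft signer does not by itself make a copy safe, which is the whole point of the attack; the version and where the file came from are what matter, so pair the output with change-tracking on the directories listed.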

Once executed, AuKill checks that it has admin privileges, which it needs in order to operate. It also requires that the attacker run the file with a keyword or password. It shuts down if either requirement is not met.

“The AuKill tool requires administrative privileges to work, but it cannot give the attacker those privileges,” writes Klopsch at Sophos. “The threat actors using AuKill took advantage of existing privileges during the attacks, when they gained them through other means.”

It then disables or terminates various components of the EDR processes and drops the malware used to infect the system. ®