Tales from the SOC – Unveiling the stealthy ways of Aukill malware

Government abstract

On April twenty first, 2023, AT&T Managed Prolonged Detection and Response (MXDR) investigated an tried ransomware assault on considered one of our shoppers, a house enchancment enterprise. The investigation revealed the attacker used AuKill malware on the shopper’s print server to disable the server’s put in EDR resolution, SentinelOne, by brute forcing an administrator account and downgrading a driver to a weak model.

AuKill, first recognized by Sophos X-Ops researchers in June 2021, is a classy malware designed to focus on and neutralize particular EDR options, together with SentinelOne and Sophos. Distributed as a dropper, AuKill drops a weak driver named PROCEXP.SYS (from Course of Explorer launch model 16.32) into the system’s C:WindowsSystem32drivers folder. This malware has been noticed within the wild, utilized by ransomware teams to bypass endpoint safety measures and successfully unfold ransomware variants similar to Medusa Locker and Lockbit on weak techniques.

On this case, SentinelOne managed to isolate many of the malicious recordsdata earlier than being disabled, stopping a full-scale ransomware incident. Consequently, AT&T MXDR discovered no proof of information exfiltration or encryption. Regardless of this, the shopper opted to rebuild the print server as a precautionary measure. This research offers an in-depth evaluation of the assault and provides suggestions to mitigate the chance of future assaults.

Investigating the primary section of the assault

Preliminary intrusion

The focused asset was the print server, which we discovered uncommon. Nonetheless, upon additional investigation we concluded the attacker misidentified the asset as a Area Controller (DC), because it had lately been repurposed from a DC to a print server. The attacker wanted each native administrator credentials and kernel-level entry to efficiently run AuKill and disable SentinelOne on the asset. To realize these native administrator credentials, the attacker efficiently brute-forced an administrator account. Shortly after the compromise, this account was noticed making unauthorized registry adjustments.

Establishing a beachhead

After compromising the native administrator account, the attackers used the “UsersAdministratorMusicaSentinel” folder as a staging space for subsequent phases of their assault. All AuKill-related binaries and scripts have been executed from this path, with the innocuous “Music” folder identify serving to to hide their malicious actions.

AuKill malware has been discovered to function utilizing two Home windows providers named “aSentinel.exe” and “aSentinelX.exe” in its SentinelOne variant. In different variants, it targets totally different EDRs, similar to Sophos, by using corresponding Home windows providers like “aSophos.exe” and “aSophosX.exe”. 

Establishing persistence

We additionally found “aSentinel.exe” working from “C:Windowssystem32”, indicating that the attackers tried to ascertain a foothold on the compromised server. Malware authors steadily goal the system32 folder as a result of it’s a trusted location, and safety software program could not scrutinize recordsdata inside it as carefully as these in different places. This will help malware bypass safety measures and stay hidden. It’s probably that the malware was initially positioned within the “UsersAdministratorMusicaSentinel” listing and later copied to the system32 listing for persistence.

Community reconnaissance

Our investigation additionally revealed that PCHunter, a publicly accessible utility beforehand exploited in ransomware incidents like Dharma, was working from the “UsersAdministratorMusicaSentinel” listing. This means that the attackers used PCHunter as a reconnaissance instrument to survey the shopper’s community earlier than deploying the EDR killer malware. Moreover, PCHunter allows menace actors to terminate packages and interface immediately with the Home windows kernel, which aligns with the wants of the attacker. We noticed PCHunter producing a number of randomly named .sys recordsdata, as illustrated beneath:

Stopping knowledge restoration

We discovered that the attacker deleted shadow quantity copies from the print server. Home windows creates these copies to revive recordsdata and folders to earlier variations in case of information loss. By eradicating the shadow copies, the attacker was making an attempt to make it tougher for our shopper to recuperate their recordsdata in the event that they have been efficiently encrypted. Though no ransomware was deployed, the deletion of shadow copies reveals the attackers’ intentions. This info, along with the utilization of PCHunter and the staging of the EDR killer malware, paints a extra full image of the attacker’s goals and ways.

Bypassing native Home windows safety

With all these items in place, the attacker final wanted to accumulate kernel-level entry. Regardless of gaining administrator rights early on, the attacker didn’t have sufficient management over the system to kill SentinelOne right now. EDR options are categorized as important by Home windows and are shielded from being turned off by attackers once they escalate privileges. To efficiently circumvent these safeguards, the attacker would want to journey one stage deeper into the working system and achieve kernel-level entry to the machine.

Investigating the second section of the assault

Dropping the weak driver

Our staff found that AuKill had changed the present Course of Explorer driver, PROCEXP152.sys, with an outdated and weak model named PROCEXP.SYS (from Course of Explorer launch model 16.32), situated within the C:WindowsSystem32drivers listing. The alarm screenshot beneath demonstrates how AuKill swapped the present driver with this older model, making the system prone to additional exploitation.

Home windows incorporates a safety function known as Driver Signature Enforcement, which ensures that kernel-mode drivers are signed by a sound code signing authority earlier than they’ll run. To bypass this safety measure, the attackers exploited the insecure PROCEXP.SYS driver, which was produced and signed by Microsoft at an earlier date. As demonstrated within the SentinelOne screenshot beneath, the motive force is signed and verified by Microsoft. Moreover, the originating course of was aSentinel.exe, an executable created to disable SentinelOne.

Buying kernel-level entry

Course of Explorer, a official system monitoring instrument developed by Microsoft’s Sysinternals staff, allows directors to look at and handle functions’ ongoing processes, in addition to their related threads, handles, and DLLs.

Upon startup, Course of Explorer masses a signed kernel-mode driver, facilitating interplay with the system’s kernel, which is liable for managing {hardware} and assets. Usually, that driver is PROCEXP152.sys. The attacker changed the PROCEXP152.sys driver on the print server with the exploitable PROCEXP.SYS, using what is called a BYOVD (Convey Your Personal Susceptible Driver) assault. The attacker used this technique to use the now weak kernel mode driver to realize the kernel-level entry they wanted to efficiently kill SentinelOne.

Killing SentinelOne

The kernel-mode driver utilized by Course of Explorer has the distinctive capability to terminate handles which can be inaccessible even to directors. A deal with is an identifier that corresponds to a particular useful resource opened by a course of, similar to a file or a registry key. At this level, AuKill hijacked Course of Explorer’s kernel driver to particularly goal protected handles related to SentinelOne processes working on the print server. The SentinelOne processes have been killed when the protected course of handles have been closed, rendering the EDR powerless. AuKill then generated a number of threads to make sure that these EDR processes remained disabled and didn’t resume. Every thread focused on a sure SentinelOne part and commonly checked to see if the focused processes have been lively. In the event that they have been, AuKill would terminate them. SentinelOne was out of the way in which and not an impediment to the attacker.

Response

Buyer interplay

At this level, the attacker had gained privileged entry to the asset, deployed their malware, and efficiently killed the endpoint safety resolution, SentinelOne. Based mostly on the Cyber Kill Chain methodology developed by Lockheed Martin, we are able to conclude that the attacker had now efficiently reached the “Command and Management” stage. Nonetheless, the attacker didn’t attain the “Actions on Goals” stage, as SentinelOne managed to disrupt ransomware deployment sufficient earlier than it was killed to stop any extra injury.

Any makes an attempt to re-deploy malware or transfer laterally following the disablement of the EDR have been thwarted by our staff, who swiftly alerted the shopper to the exercise and suggested that the asset be taken offline and remoted from the remainder of the community. Our staff knowledgeable the shopper that the shadow copies had been deleted and SentinelOne had been turned off on their print server. After having our menace hunters completely evaluate their surroundings, w e reassured the shopper that no delicate info was exfiltrated or encrypted. In response to the assault, the shopper moved to rebuild their print server and reinstall SentinelOne.

Suggestions

As BYOVD assaults to bypass EDR software program turn out to be extra widespread, we strongly advise blacklisting outdated drivers with a identified historical past of exploitation. Moreover, we encourage our shoppers to keep up a list of the drivers put in on their techniques, making certain they continue to be present and safe. Lastly, we suggest bolstering the safety of administrator accounts to defend in opposition to brute drive assaults, because the incident detailed on this weblog submit couldn’t have transpired with out the preliminary privileged person compromise.