Thursday, April 18, 2024

Tales from the SOC – Unveiling the stealthy techniques of Aukill malware

Executive summary

On April 21, 2023, AT&T Managed Extended Detection and Response (MXDR) investigated an attempted ransomware attack on one of our clients, a home improvement business. The investigation revealed that the attacker used AuKill malware on the client's print server to disable the server's installed EDR solution, SentinelOne, by brute forcing an administrator account and downgrading a driver to a vulnerable version.

AuKill, first identified by Sophos X-Ops researchers in June 2021, is a sophisticated malware designed to target and neutralize specific EDR solutions, including SentinelOne and Sophos. Distributed as a dropper, AuKill drops a vulnerable driver named PROCEXP.SYS (from Process Explorer release version 16.32) into the system's C:\Windows\System32\drivers folder. This malware has been observed in the wild, used by ransomware groups to bypass endpoint security measures and successfully spread ransomware variants such as Medusa Locker and LockBit on vulnerable systems.

In this case, SentinelOne managed to isolate most of the malicious files before being disabled, preventing a full-scale ransomware incident. As a result, AT&T MXDR found no evidence of data exfiltration or encryption. Despite this, the client opted to rebuild the print server as a precautionary measure. This study provides an in-depth analysis of the attack and offers recommendations to mitigate the risk of future attacks.

Investigating the first phase of the attack

Initial intrusion

The targeted asset was the print server, which we found unusual. However, upon further investigation we concluded that the attacker had misidentified the asset as a Domain Controller (DC), because it had recently been repurposed from a DC to a print server. The attacker needed both local administrator credentials and kernel-level access to successfully run AuKill and disable SentinelOne on the asset. To obtain these local administrator credentials, the attacker brute-forced an administrator account. Shortly after the compromise, this account was observed making unauthorized registry changes.

[Screenshot: USM IOCs for AuKill]

[Screenshot: AuKill IOC metadata]

Establishing a beachhead

After compromising the local administrator account, the attackers used the "Users\Administrator\Music\aSentinel" folder as a staging area for the subsequent phases of their attack. All AuKill-related binaries and scripts were executed from this path, with the innocuous "Music" folder name helping to conceal their malicious activity.

[Screenshot: the seemingly innocent Music folder, which is not innocent]

AuKill malware has been found to operate using two Windows services named "aSentinel.exe" and "aSentinelX.exe" in its SentinelOne variant. In other variants, it targets different EDRs, such as Sophos, by using corresponding Windows services such as "aSophos.exe" and "aSophosX.exe".

[Screenshot: AuKill mitigated and placed in quarantine]

Establishing persistence

We also discovered "aSentinel.exe" running from "C:\Windows\system32", indicating that the attackers attempted to establish a foothold on the compromised server. Malware authors frequently target the system32 folder because it is a trusted location, and security software may not scrutinize files within it as closely as those in other locations. This can help malware bypass security measures and remain hidden. It is likely that the malware was initially placed in the "Users\Administrator\Music\aSentinel" directory and later copied to the system32 directory for persistence.

[Screenshot: how AuKill maintains persistence]

Network reconnaissance

Our investigation also revealed that PCHunter, a publicly available utility previously exploited in ransomware incidents such as Dharma, was running from the "Users\Administrator\Music\aSentinel" directory. This suggests that the attackers used PCHunter as a reconnaissance tool to survey the client's network before deploying the EDR killer malware. Additionally, PCHunter enables threat actors to terminate programs and interface directly with the Windows kernel, which aligns with the attacker's needs. We observed PCHunter generating several randomly named .sys files, as illustrated below:

[Screenshot: AuKill using PCHunter for reconnaissance]
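The staging folder, the AuKill service names and the copy into System32 described above can be turned into a simple process-creation triage rule. The following is an added example, not code from the original post or from AT&T; it runs over constructed process-creation events and assumes that the PCHunter binary name contains "pchunter" and that user media folders (Music, Pictures, Videos) are an unusual launch location for executables:

```python
from pathlib import PureWindowsPath

# Executable names the post attributes to AuKill's SentinelOne and Sophos variants.
EDR_KILLER_NAMES = {"asentinel.exe", "asentinelx.exe", "asophos.exe", "asophosx.exe"}
# Assumption: user media folders are an unusual launch location for executables.
USER_MEDIA_DIRS = {"music", "pictures", "videos"}
# Assumption: the PCHunter executable carries "pchunter" in its file name.
RECON_TOOL_MARKERS = ("pchunter",)

# Constructed process-creation events (not telemetry from the incident).
EVENTS = [
    {"pid": 1, "image": r"C:\Users\Administrator\Music\aSentinel\aSentinel.exe"},
    {"pid": 2, "image": r"C:\Windows\system32\aSentinel.exe"},
    {"pid": 3, "image": r"C:\Users\Administrator\Music\aSentinel\PCHunter64.exe"},
    {"pid": 4, "image": r"C:\Windows\System32\notepad.exe"},
    {"pid": 5, "image": r"C:\Users\Administrator\Documents\report.exe"},
]

def triage_event(event):
    """Return the reasons a process-creation event is suspicious (empty list if none)."""
    path = PureWindowsPath(event["image"])
    name = path.name.lower()
    parts = [p.lower() for p in path.parts]
    reasons = []
    if name in EDR_KILLER_NAMES:
        reasons.append("known EDR-killer binary name")
        if "system32" in parts:
            # Same binary copied into System32 matches the persistence step in the post.
            reasons.append("EDR-killer binary in System32 (persistence)")
    if "users" in parts and USER_MEDIA_DIRS & set(parts):
        reasons.append("executable launched from a user media folder")
    if any(marker in name for marker in RECON_TOOL_MARKERS):
        reasons.append("kernel-capable utility (PCHunter) launched")
    return reasons

def triage_all(events):
    """Map pid -> reasons for every event that raised at least one finding."""
    return {e["pid"]: r for e in events if (r := triage_event(e))}

if __name__ == "__main__":
    for pid, reasons in triage_all(EVENTS).items():
        print(pid, "; ".join(reasons))
```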

Preventing data recovery

We found that the attacker deleted volume shadow copies from the print server. Windows creates these copies to restore files and folders to previous versions in case of data loss. By removing the shadow copies, the attacker was attempting to make it harder for our client to recover their files if they were successfully encrypted. Although no ransomware was deployed, the deletion of shadow copies reveals the attackers' intentions. This information, together with the use of PCHunter and the staging of the EDR killer malware, paints a more complete picture of the attacker's objectives and tactics.

Bypassing native Windows security

With all these pieces in place, the attacker still needed to acquire kernel-level access. Despite gaining administrator rights early on, the attacker did not have enough control over the system to kill SentinelOne at this point. EDR solutions are classified as critical by Windows and are protected from being turned off by attackers even after they escalate privileges. To circumvent these safeguards, the attacker would need to go one level deeper into the operating system and gain kernel-level access to the machine.

Investigating the second phase of the attack

Dropping the vulnerable driver

Our team discovered that AuKill had replaced the existing Process Explorer driver, PROCEXP152.sys, with an outdated and vulnerable version named PROCEXP.SYS (from Process Explorer release version 16.32), located in the C:\Windows\System32\drivers directory. The alarm screenshot below shows how AuKill swapped the existing driver for this older version, making the system susceptible to further exploitation.

[Screenshot: USM alarm from the second phase of AuKill remediation]

Windows includes a security feature called Driver Signature Enforcement, which ensures that kernel-mode drivers are signed by a valid code signing authority before they can run. To bypass this protection, the attackers exploited the insecure PROCEXP.SYS driver, which had been produced and signed by Microsoft at an earlier date. As the SentinelOne screenshot below shows, the driver is signed and verified by Microsoft. Additionally, the originating process was aSentinel.exe, an executable created to disable SentinelOne.

[Screenshot: AuKill remediation in SentinelOne]

Acquiring kernel-level access

Process Explorer, a legitimate system monitoring tool developed by Microsoft's Sysinternals team, enables administrators to examine and manage applications' running processes, as well as their associated threads, handles, and DLLs.

On startup, Process Explorer loads a signed kernel-mode driver that lets it interact with the system's kernel, which is responsible for managing hardware and resources. Normally, that driver is PROCEXP152.sys. The attacker replaced the PROCEXP152.sys driver on the print server with the exploitable PROCEXP.SYS, in what is known as a BYOVD (Bring Your Own Vulnerable Driver) attack. The attacker used this method to exploit the now vulnerable kernel-mode driver and gain the kernel-level access they needed to kill SentinelOne.

Killing SentinelOne

The kernel-mode driver used by Process Explorer has the unique ability to close handles that are inaccessible even to administrators. A handle is an identifier that corresponds to a specific resource opened by a process, such as a file or a registry key. At this point, AuKill hijacked Process Explorer's kernel driver to specifically target protected handles associated with SentinelOne processes running on the print server. AuKill then spawned several threads to ensure that these EDR processes remained disabled and did not resume. Each thread focused on a particular SentinelOne component and regularly checked whether the targeted processes were active. If they were, AuKill terminated them.


Customer interaction

At this point, the attacker had gained privileged access to the asset, deployed their malware, and successfully killed the endpoint security solution, SentinelOne. Based on the Cyber Kill Chain methodology developed by Lockheed Martin, we can conclude that the attacker had now reached the "Command and Control" stage. However, the attacker did not reach the "Actions on Objectives" stage, as SentinelOne managed to disrupt the ransomware deployment enough before it was killed to prevent any further damage.

Any attempts to re-deploy malware or move laterally after the EDR was disabled were thwarted by our team, who swiftly alerted the client to the activity and advised that the asset be taken offline and isolated from the rest of the network. Our team informed the client that the shadow copies had been deleted and that SentinelOne had been turned off on their print server. After having our threat hunters thoroughly review their environment, we reassured the client that no sensitive information had been exfiltrated or encrypted. In response to the attack, the client moved to rebuild their print server and reinstall SentinelOne.

As BYOVD attacks to bypass EDR software become more common, we strongly advise blacklisting outdated drivers with a known history of exploitation. Additionally, we encourage our clients to maintain an inventory of the drivers installed on their systems, ensuring they remain current and secure. Finally, we recommend hardening administrator accounts against brute force attacks, as the incident detailed in this blog post could not have taken place without the initial privileged user compromise.
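The driver swap described in the second phase and the closing recommendations (blocklist drivers with a known exploitation history, keep a driver inventory) can be checked together against an installed-driver inventory. This is an added example, not code from the original post or from AT&T; the inventories, version strings and signer names are constructed, and the only blocklist entry is the one the post names (PROCEXP.SYS from Process Explorer 16.32):

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Driver:
    name: str      # file name as found in C:\Windows\System32\drivers
    product: str   # product the driver ships with
    version: str   # product release version
    signer: str    # subject of the Authenticode signing certificate

# Blocklist of known-vulnerable drivers keyed by (file name, version). The post names
# PROCEXP.SYS from Process Explorer 16.32; extend this from a vendor or LOLDrivers-style list.
BLOCKLIST = {("procexp.sys", "16.32")}

# Expected driver file per product; the post states the current Process Explorer
# driver is PROCEXP152.sys.
EXPECTED_DRIVER = {"Process Explorer": "procexp152.sys"}

def audit_drivers(inventory):
    """Return (file name, finding) pairs for blocklisted or swapped drivers."""
    findings = []
    present = {d.name.lower() for d in inventory}
    for d in inventory:
        if (d.name.lower(), d.version) in BLOCKLIST:
            note = "blocklisted vulnerable driver present"
            if "microsoft" in d.signer.lower():
                # A valid Microsoft signature satisfies Driver Signature Enforcement
                # but says nothing about whether the driver is exploitable.
                note += " (Microsoft-signed; signature alone is not a safety check)"
            findings.append((d.name, note))
    for product, expected in EXPECTED_DRIVER.items():
        shipped = [d.name for d in inventory if d.product == product]
        if shipped and expected not in present:
            findings.append((expected, f"expected {product} driver missing; found {', '.join(shipped)} instead"))
    return findings

# Constructed inventories (not data from the incident): one resembling the print
# server after the swap, one healthy.
SWAPPED = [
    Driver("PROCEXP.SYS", "Process Explorer", "16.32", "Microsoft Corporation"),
    Driver("ntfs.sys", "Microsoft Windows", "10.0", "Microsoft Windows"),
]
HEALTHY = [
    Driver("PROCEXP152.sys", "Process Explorer", "current (constructed)", "Microsoft Corporation"),
    Driver("ntfs.sys", "Microsoft Windows", "10.0", "Microsoft Windows"),
]

if __name__ == "__main__":
    for name, note in audit_drivers(SWAPPED):
        print(f"{name}: {note}")
```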
