Security End-Run: ‘AuKill’ Shuts Down Windows-Reliant EDR Processes

July 17, 2024 at 06:10AM

AuKill, a cybercrime tool developed by FIN7, has been updated to disable Windows processes that endpoint detection and response (EDR) tools protect. The collective has significantly enhanced the tool, and it has attracted the attention of high-level ransomware groups. By targeting protected processes, AuKill aims to force an EDR into a denial-of-service condition, which underlines the need for security products that resist tampering.

AuKill is a cybercrime tool developed by the FIN7 collective specifically to undermine endpoint security. It combines user-mode and kernel-mode techniques to tamper with the Windows processes that security products rely on. A new report from SentinelOne indicates that AuKill is gaining popularity among high-level ransomware groups and that FIN7 has added a technique that puts protected processes into a denial-of-service condition.

The report also traces FIN7's evolution from point-of-sale (PoS) malware to ransomware, and notes that FIN7 has marketed AuKill on cybercrime forums at prices ranging from $4,000 to $15,000. Ransomware groups including Black Basta, AvosLocker, BlackCat, and LockBit have been observed using AuKill in their attacks.

The new technique targets the protected processes that EDR solutions run, abusing Windows drivers so that both the parent process and its child processes are blocked; with neither able to run, the EDR crashes. The practical point for defenders is that Protected Process Light only stops a non-protected caller from terminating or injecting into the process; it does not stop a kernel driver from preventing that process from doing its work.

SentinelOne recommends that organizations make sure the anti-tampering protection in their security products is enabled, and also suggests additional measures such as kernel-level monitoring (for example, alerting on driver loads) and restricting which drivers may be loaded, to improve protection against these advanced threats.
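The three recommendations above, as an added example that is not code from the article or from SentinelOne's report: a PowerShell posture check that a practitioner could run on a single Windows host to confirm anti-tamper protection is on, that driver loading is restricted (HVCI and Microsoft's vulnerable driver blocklist), and that kernel-driver installs are being recorded for monitoring. It assumes Microsoft Defender is the endpoint product (so `Get-MpComputerStatus` reports its tamper protection), Windows 10/11 or Server 2019+ (for `Win32_DeviceGuard` and the `VulnerableDriverBlocklistEnable` value), and that "Audit Security System Extension" is enabled so kernel-driver service installs appear as Security event 4697; the event property indices and the 7-day window are choices made here, not anything the page states.

```powershell
# Added example, not code from the article or SentinelOne's report.
# Posture check for: anti-tamper on, driver restriction, kernel-level monitoring.
# Run from an elevated PowerShell session. Assumptions: Microsoft Defender is the EDR,
# Windows 10/11 or Server 2019+, and Security event 4697 auditing is enabled.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Anti-tamper: Defender Tamper Protection blocks the user-mode half of an EDR killer
#    (stopping the service, turning off real-time protection, editing its registry keys).
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.IsTamperProtected) { $findings.Add('Defender Tamper Protection is OFF') }
}
catch {
    $findings.Add('Defender status unavailable; check the installed EDR''s own anti-tamper setting')
}

# 2. Driver restriction: HVCI and the vulnerable driver blocklist are what stop a
#    known-abusable driver from being loaded in the first place.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
if ($dg.SecurityServicesRunning -notcontains 2) {   # 2 = HVCI in Win32_DeviceGuard
    $findings.Add('HVCI (memory integrity) is not running')
}
$ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
if ($ci.VulnerableDriverBlocklistEnable -ne 1) {
    $findings.Add('Vulnerable driver blocklist is not enabled')
}

# 3. Inventory: running kernel drivers whose Authenticode signer is not Microsoft.
#    Legitimate third-party drivers appear here too; the value is the baseline, so a
#    newly appearing driver (the one an EDR killer brings along) stands out.
function Resolve-DriverPath([string]$PathName) {
    $p = $PathName -replace '^\\\?\?\\', ''                    # strip the \??\ prefix
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"      # expand \SystemRoot\
    if ($p -match '^system32\\') { $p = "$env:SystemRoot\$p" }   # bare system32\ entries
    return $p
}

$nonMsDrivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $path   = Resolve-DriverPath $_.PathName
        $sig    = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $status = 'NotFound'
        $signer = ''
        if ($sig) {
            $status = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{ Name = $_.Name; Path = $path; Status = $status; Signer = $signer }
    } |
    Where-Object { $_.Signer -notmatch 'Microsoft' }

# 4. Kernel-level monitoring: kernel-driver service installs in the last 7 days (assumed window).
#    Event 4697 properties: Subject SID/Name/Domain/LogonId (0-3), ServiceName (4),
#    ServiceFileName (5), ServiceType (6), ServiceStartType (7). 0x1 = kernel driver,
#    0x2 = file-system driver.
$filter = @{ LogName = 'Security'; Id = 4697; StartTime = (Get-Date).AddDays(-7) }
$driverInstalls = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { "$($_.Properties[6].Value)" -match '^0x[12]$' } |
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = $_.Properties[1].Value
            ServiceName = $_.Properties[4].Value
            ImagePath   = $_.Properties[5].Value
        }
    }

# Report
if ($findings.Count -eq 0) { Write-Host 'Hardening checks: OK' }
else { $findings | ForEach-Object { Write-Host "FINDING: $_" } }
Write-Host "`nRunning kernel drivers not signed by Microsoft:"
$nonMsDrivers | Format-Table Name, Status, Signer, Path -AutoSize
Write-Host "`nKernel-driver service installs (event 4697) in the last 7 days:"
$driverInstalls | Format-Table -AutoSize
```

Section 1 needs to be swapped for the equivalent check of whatever EDR is actually installed if it is not Defender. Sections 3 and 4 are the inputs for monitoring rather than alerts in themselves: a driver that is signed but appears in the event 4697 output on a host where no software was deployed is exactly the kind of change the page's "kernel-level monitoring" advice is meant to catch, and HVCI plus the blocklist (section 2) is what stops the known-vulnerable subset of such drivers from loading at all.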
