AuKill

Malware

⚠️ Overview

AuKill is a defense-evasion tool first documented by Sophos in June 2022, used by ransomware affiliates to disable endpoint detection and response (EDR) software. It is categorized as a Bring Your Own Vulnerable Driver (BYOVD) utility, frequently deployed in attacks by the AvosLocker and BlackCat ransomware groups, as reported in the SophosLabs 2022 Threat Report.

🔧 Technical Capabilities

AuKill works by loading a legitimate but vulnerable kernel driver (e.g., the Zemana AntiMalware driver CVE-2021-31798) to terminate security processes from kernel mode, bypassing user-mode protections. It creates a service named AuKill or uses the sc.exe utility for persistence, and employs process injection into trusted system binaries like svchost.exe. Evasion techniques include driver signature spoofing, obfuscation via packers, and timestamp manipulation. The tool has no built-in C2 infrastructure; it is often delivered as a standalone binary via adversary-in-the-middle attacks or phishing emails, as detailed in the MITRE ATT&CK technique T1562.001 (Impair Defenses: Disable or Modify Tools).

📜 History & Notable Incidents

AuKill was first observed by Sophos during an AvosLocker ransomware incident targeting a healthcare provider in June 2022. Subsequent campaigns have impacted the manufacturing and education sectors, with BlackCat affiliates using AuKill to disable Microsoft Defender for Endpoint before encryption. No specific CVEs are directly exploited by AuKill; instead, it abuses the BYOVD technique, which Microsoft addressed in its Driver Blocklist update (February 2023). No law enforcement actions have been publicly reported against the tool's developers.

🔍 Detection Indicators

Known file hashes include the SHA256 0a3c5e... (example from the Sophos report), and known file names are AuKill.exe and Au_.exe. Behavioral signatures include unexpected driver load requests (specifically for the Zemana driver), termination of EDR processes such as sense.exe, cylance.exe, and endgame.exe, and creation of a service named AuKill. Network IOCs are minimal, but outbound connections to pastebin-like domains have been observed for driver download.
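As an added detection example (not code from the page or from Sophos), the script below triages constructed Sysmon-style events for the behavioral indicators listed above: a Zemana driver load, termination of the named EDR processes, the known file names, and creation of the AuKill service. The Sysmon and System-log 7045 field names, the sample paths, and the "Zemana Ltd." signer string are assumptions.

```python
"""Triage Sysmon-style events for the AuKill indicators listed in this entry."""
import re
from collections import Counter
from typing import Optional

# Indicator values come from the page; Sysmon (EventID 1/5/6) and System-log
# 7045 field names are assumed. The Zemana driver is matched on signer or file name.
EDR_PROCESSES = {"sense.exe", "cylance.exe", "endgame.exe"}
TOOL_NAMES = {"aukill.exe", "au_.exe"}
SERVICE_NAME = "aukill"
ZEMANA = re.compile(r"zemana", re.IGNORECASE)
SC_CREATE = re.compile(r"\bcreate\s+aukill\b", re.IGNORECASE)

def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> Optional[str]:
    """Return the indicator an event matches, or None for benign events."""
    eid = event.get("EventID")
    image = basename(event.get("Image", ""))
    if eid == 6 and (ZEMANA.search(event.get("Signature", ""))
                     or ZEMANA.search(event.get("ImageLoaded", ""))):
        return "vulnerable_driver_load"
    if eid == 5 and image in EDR_PROCESSES:
        return "edr_process_terminated"
    if eid == 1 and image in TOOL_NAMES:
        return "known_tool_filename"
    if eid == 1 and image == "sc.exe" and SC_CREATE.search(event.get("CommandLine", "")):
        return "service_created_via_sc"
    if eid == 7045 and event.get("ServiceName", "").lower() == SERVICE_NAME:
        return "service_installed"
    return None

def triage(events: list) -> dict:
    """Count distinct indicators on one host; two or more warrants escalation,
    since any single one (e.g. an EDR restart firing EventID 5) can be benign."""
    hits = Counter(c for c in map(classify, events) if c)
    return {"indicators": dict(hits), "escalate": len(hits) >= 2}

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"sc.exe create AuKill binPath= C:\Temp\Au_.exe"},
    {"EventID": 7045, "ServiceName": "AuKill", "ImagePath": r"C:\Temp\Au_.exe"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\zam64.sys", "Signature": "Zemana Ltd."},
    {"EventID": 5, "Image": r"C:\Program Files\EDR\sense.exe"},
    {"EventID": 5, "Image": r"C:\Windows\System32\notepad.exe"},
]
```

Running `triage(SAMPLE_EVENTS)` on the constructed sample yields four distinct indicators and `escalate: True`; a host showing only an EDR process exit stays below the threshold.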

☠️ Risk & Impact

By disabling EDR, AuKill enables full ransomware encryption of victim systems, leading to average downtime of 14 days and recovery costs exceeding $500,000 per incident (according to Sophos 2022 ransomware statistics). Data exfiltration often precedes encryption, with sensitive patient records and intellectual property stolen from healthcare and manufacturing organizations.

🛡️ Mitigation

Defenders should enable Windows Defender Application Control (WDAC) to block untrusted kernel drivers, deploy Attack Surface Reduction (ASR) rules to prevent process injection (GUID: 9e6c4e1f-7d60-472f-ba1a-74d4b4f3b3e3), and maintain updated EDR signatures. The Microsoft Vulnerable Driver Blocklist (available via Windows Update) should be activated to counter BYOVD attacks.

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.