Sophos, a cybersecurity company, recently published a report stating that attackers are increasingly using a new tool, dubbed "Aukill", to disable the EDR (endpoint detection and response) protection on victims' machines before deploying backdoors and loaders. This is a BYOVD (bring your own vulnerable driver) attack: the attacker ships a legitimately signed but exploitable driver and abuses it from user space.
Aukill drops the vulnerable driver ProcExp.sys, taken from release 16.32 of the Microsoft Sysinternals utility Process Explorer (a tool for inspecting the processes running on a Windows system), alongside the driver that a current, legitimate copy of that utility uses. The tool needs administrator rights to begin with; it then impersonates the TrustedInstaller service (the Windows Modules Installer) to raise its own privileges from administrator to SYSTEM.
To disable the security software, Aukill then starts several threads that repeatedly enumerate and terminate the processes and services of EDR products, so that anything which restarts is killed again.
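The two behaviours described above (an abusable Process Explorer driver being loaded, and one process repeatedly requesting terminate access to security-product processes) are both visible in endpoint telemetry. The following is an added detection example, not Sophos's code and not the tool itself: it runs over constructed Sysmon-style events (field names follow Sysmon Event ID 6, DriverLoad, and Event ID 10, ProcessAccess). Since Event ID 6 carries no file version, the driver check joins against an `INVENTORY` dictionary of on-disk FileVersion values; the inventory, the watchlist, the security-product process names, the thresholds and the sample events are all assumptions constructed for the example.

```python
"""Detect AuKill-style behaviour in Sysmon-like telemetry.

Added example: not Sophos's code and not the tool itself. Event samples,
the driver inventory, the process watchlist and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Watchlist of driver file names and FileVersions reported as abused in
# BYOVD attacks. The article names PROCEXP.SYS from Process Explorer 16.32;
# extend the table from vendor advisories (assumption: exact-version match).
ABUSED_DRIVERS = {"procexp.sys": {"16.32"}}

# Image names of security-product processes an EDR killer would target.
# Constructed list: replace with the agents actually deployed in your estate.
SECURITY_PROCESSES = {"msmpeng.exe", "mssense.exe", "csfalconservice.exe",
                      "sophoshealth.exe"}

PROCESS_TERMINATE = 0x0001            # access-right bit in GrantedAccess
BURST_WINDOW = timedelta(seconds=60)  # sliding window (assumed threshold)
BURST_THRESHOLD = 3                   # terminate-access events per source


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def _base(path):
    return ntpath.basename(path).lower()


def flag_driver_loads(events, inventory):
    """Return DriverLoad events whose file name AND on-disk FileVersion match
    ABUSED_DRIVERS. `inventory` maps a lower-cased driver path to its
    FileVersion, e.g. collected on the host with Get-Item ... .VersionInfo."""
    hits = []
    for ev in events:
        if ev["EventID"] != 6:
            continue
        path = ev["ImageLoaded"]
        versions = ABUSED_DRIVERS.get(_base(path))
        if versions and inventory.get(path.lower()) in versions:
            hits.append({"time": ev["UtcTime"], "driver": path,
                         "version": inventory[path.lower()]})
    return hits


def flag_terminate_bursts(events):
    """Return one alert per SourceImage that requested PROCESS_TERMINATE on
    security-product processes at least BURST_THRESHOLD times inside some
    BURST_WINDOW. Repeated hits on the same target are counted on purpose:
    a kill loop that prevents restart looks exactly like that."""
    per_source = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 10:
            continue
        if not int(ev["GrantedAccess"], 16) & PROCESS_TERMINATE:
            continue  # query-only handles are normal (Task Manager etc.)
        target = _base(ev["TargetImage"])
        if target not in SECURITY_PROCESSES:
            continue
        per_source[ev["SourceImage"]].append((_ts(ev["UtcTime"]), target))

    alerts = []
    for source, hits in per_source.items():
        hits.sort()
        start, best = 0, 0
        for end in range(len(hits)):          # two-pointer sliding window
            while hits[end][0] - hits[start][0] > BURST_WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= BURST_THRESHOLD:
            alerts.append({"source": source, "events": len(hits),
                           "max_in_window": best,
                           "targets": sorted({t for _, t in hits})})
    return alerts


# Constructed sample telemetry. svc.exe is a hypothetical dropper name.
_DEF = r"C:\Program Files\Windows Defender\MsMpEng.exe"
_SENSE = r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"
_SRC = r"C:\Users\Public\svc.exe"
EVENTS = [
    {"EventID": 6, "UtcTime": "2023-04-20 10:00:01.000",
     "ImageLoaded": r"C:\Windows\System32\drivers\PROCEXP152.SYS"},  # current driver: benign
    {"EventID": 6, "UtcTime": "2023-04-20 10:00:05.000",
     "ImageLoaded": r"C:\Windows\System32\drivers\PROCEXP.SYS"},     # dropped 16.32 driver
    {"EventID": 10, "UtcTime": "2023-04-20 10:00:06.000",
     "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": _DEF, "GrantedAccess": "0x1000"},                # query only: ignored
    {"EventID": 10, "UtcTime": "2023-04-20 10:00:07.000",
     "SourceImage": _SRC, "TargetImage": _DEF, "GrantedAccess": "0x1"},
    {"EventID": 10, "UtcTime": "2023-04-20 10:00:07.500",
     "SourceImage": _SRC, "TargetImage": _SENSE, "GrantedAccess": "0x1"},
    {"EventID": 10, "UtcTime": "2023-04-20 10:00:08.000",
     "SourceImage": _SRC, "TargetImage": _DEF, "GrantedAccess": "0x1"},  # killed again after restart
    {"EventID": 10, "UtcTime": "2023-04-20 10:00:08.500",
     "SourceImage": _SRC, "TargetImage": _SENSE, "GrantedAccess": "0x1001"},
]
INVENTORY = {  # constructed FileVersion values for the two drivers above
    r"c:\windows\system32\drivers\procexp152.sys": "17.02",
    r"c:\windows\system32\drivers\procexp.sys": "16.32",
}

if __name__ == "__main__":
    for h in flag_driver_loads(EVENTS, INVENTORY):
        print("abusable driver loaded:", h)
    for a in flag_terminate_bursts(EVENTS):
        print("EDR kill burst:", a)
```

On the sample data the first rule fires only for the dropped PROCEXP.SYS (the current PROCEXP152.SYS is not on the watchlist), and the second rule fires once, for svc.exe, with four terminate-access events against two different security processes inside 1.5 seconds; Task Manager's query-only handle is ignored. A real deployment would feed the driver check from a file-version inventory and tune BURST_THRESHOLD against the normal baseline of the estate.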
Exploitation of a flaw like this driver bug is rarely an end in itself. It is combined with other techniques such as code injection, botnets, phishing and the distribution of further malware, and attackers use the resulting foothold to steal personal data, destroy systems, extort victims or carry out other criminal activity.
Countering "exploitation in the wild" takes several steps: finding and patching vulnerabilities (for BYOVD this means blocking the known vulnerable driver itself, since updating the application that shipped it does not stop an attacker from bringing the old driver along), keeping endpoint protection and its signature databases current, and educating users in basic cybersecurity principles to reduce the risk of attacks.