Cybercrime group FIN7 advertises new EDR bypass tool on hacking forums

Pierluigi Paganini July 18, 2024

The cybercrime group FIN7 is advertising a security evasion tool in multiple underground forums, cybersecurity company SentinelOne warns.

SentinelOne researchers warn that the financially motivated group FIN7 is using multiple pseudonyms to advertise a security evasion tool in several criminal underground forums. FIN7 developed a tool called AvNeutralizer (also known as AuKill) that can bypass security solutions. The researchers noticed that the tool has been used by various ransomware operations, including AvosLocker, MedusaLocker, BlackCat, Trigona, and LockBit.

SentinelLabs researchers discovered a new version of AvNeutralizer that employs a novel technique, leveraging the Windows driver ProcLaunchMon.sys, to interfere and evade security measures.

“New evidence shows FIN7 is using multiple pseudonyms to mask the group’s true identity and sustain its criminal operations in the underground market” reads the report published by SentinelLabs. “FIN7’s campaigns demonstrate the group’s adoption of automated SQL injection attacks for exploiting public-facing applications”

In November, SentinelOne reported a potential link between FIN7 and the use of EDR evasion tools in ransomware attacks involving the Black Basta group.

The investigation conducted by the cybersecurity firm revealed the “AvNeutralizer” tool (aka AuKill) targeted multiple endpoint security solutions and was used exclusively by a single group for six months. This reinforced the hypothesis that the FIN7 group and Black Basta gang might have had a close relationship.

AV Killer Fin7

Starting in January 2023, the experts observed the use of updated versions of AvNeutralizer by multiple ransomware groups, suggesting that the tool was offered to multiple threat actors on underground forums. The researchers identified multiple advertisements on underground forums promoting the sale of AvNeutralizer. On May 19th, 2022, a user named “goodsoft” advertised an AV killer tool for $4,000 on the exploit[.]in forum. Later, on June 14th, 2022, a user named “lefroggy” posted a similar ad on the xss[.]is forum for $15,000. A week later, on June 21st, a user named “killerAV” advertised the tool on the RAMP forum for $8,000.

On August 10, 2022, a user named “goodsoft” advertised “PentestSoftware” for $6,500 per month on the exploit[.]in cybercrime forum. The seller described the solution as a post-exploitation framework with modules designed to infiltrate enterprise networks and evade antivirus programs, was claimed to have been developed over three years at a cost of $1 million. Similar ads by users “killerAV” and “lefroggy” appeared on the RAMP and xss[.]is forums.

On March 28, 2023, “Stupor” advertised an AV killer tool for $10,000 on xss[.]is, which was identified as an updated version of AvNeutralizer. Analysis suggests that “goodsoft,” “lefroggy,” “killerAV,” and “Stupor” are part of the FIN7 cluster, using multiple pseudonyms to mask their identities.

SentinelOne researchers focused on the new technique used by the tool to disable endpoint security solutions. The unpacked AvNeutralizer payload employs relies on 10 techniques to tamper with system security solutions. While many techniques are documented, such as removing PPL protection via the RTCore64.sys driver and using the Restart Manager API, a newly observed technique involves leveraging a Windows built-in driver capability that was previously unknown in the wild.

AvNeutralizer uses multiple drivers and operations to trigger a denial of service (DoS) condition in protected processes. This involves:

  1. Dropping and loading the process explorer driver (PED.sys) and connecting to the driver device.
  2. Loading the ProcLaunchMon.sys driver and configuring a TTD monitoring session.
  3. Adding the targeted process PID to the TTD session, suspending newly spawned child processes.
  4. Killing non-protected child processes using the process explorer driver.
  5. Causing the protected process to crash as it fails to communicate with its suspended child processes.

This new technique highlights AvNeutralizer’s advanced capabilities to disable endpoint security solutions.

“Our investigation into FIN7’s activities highlights its adaptability, persistence and ongoing evolution as a threat group. In its campaigns, FIN7 has adopted automated attack methods, targeting public-facing servers through automated SQL injection attacks.” concludes the report. “Additionally, its development and commercialization of specialized tools like AvNeutralizer within criminal underground forums significantly enhance the group’s impact.”

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, FIN7)



you might also like

leave a comment