<\/a><\/figure>\n\n\n\nStarting in January 2023, the experts observed the use of updated versions of AvNeutralizer by multiple ransomware groups, suggesting that the tool was offered to multiple threat actors on underground forums. The researchers identified multiple advertisements on underground forums promoting the sale of AvNeutralizer. On May 19th, 2022, a user named \u201cgoodsoft\u201d advertised an AV killer tool for $4,000 on the exploit[.]in forum. Later, on June 14th, 2022, a user named \u201clefroggy\u201d posted a similar ad on the xss[.]is forum for $15,000. A week later, on June 21st, a user named \u201ckillerAV\u201d advertised the tool on the RAMP forum for $8,000.<\/gwmw><\/p>\n\n\n\n
On August 10, 2022, a user named \u201cgoodsoft\u201d advertised “PentestSoftware” for $6,500 per month on the exploit[.]in cybercrime forum. The seller described the solution as a post-exploitation framework with modules designed to infiltrate enterprise networks and evade antivirus programs, was claimed to have been developed over three years at a cost of $1 million. Similar ads by users \u201ckillerAV\u201d and \u201clefroggy\u201d appeared on the RAMP and xss[.]is forums.<\/p>\n\n\n\n
On March 28, 2023, \u201cStupor\u201d advertised an AV killer tool for $10,000 on xss[.]is, which was identified as an updated version of AvNeutralizer. Analysis suggests that \u201cgoodsoft,\u201d \u201clefroggy,\u201d \u201ckillerAV,\u201d and \u201cStupor\u201d are part of the FIN7 cluster, using multiple pseudonyms to mask their identities.<\/p>\n\n\n\n
SentinelOne researchers focused on the new technique used by the tool to disable endpoint security solutions. The unpacked AvNeutralizer payload employs relies on 10 techniques to tamper with system security solutions. While many techniques are documented, such as removing PPL protection via the RTCore64.sys driver and using the Restart Manager API, a newly observed technique involves leveraging a Windows built-in driver capability that was previously unknown in the wild.<\/p>\n\n\n\n
AvNeutralizer uses multiple drivers and operations to trigger a denial of service (DoS) condition in protected processes. This involves:<\/p>\n\n\n\n