{"id":165863,"date":"2024-07-18T11:03:41","date_gmt":"2024-07-18T11:03:41","guid":{"rendered":"https:\/\/securityaffairs.com\/?p=165863"},"modified":"2024-07-18T11:04:13","modified_gmt":"2024-07-18T11:04:13","slug":"fin7-advertising-security-evasion","status":"publish","type":"post","link":"https:\/\/securityaffairs.com\/165863\/cyber-crime\/fin7-advertising-security-evasion.html","title":{"rendered":"Cybercrime group FIN7 advertises new EDR bypass tool on hacking forums"},"content":{"rendered":"
<\/div>\n

The cybercrime group FIN7 is advertising a security evasion tool in multiple underground forums, cybersecurity company SentinelOne warns. <\/gwmw><\/h2>\n\n\n\n

SentinelOne researchers warn that the financially motivated group FIN7<\/a> is using multiple pseudonyms to advertise a security evasion tool in several criminal underground forums. FIN7 developed a tool called AvNeutralizer (also known as AuKill) that can bypass security solutions. The researchers noticed that the tool has been used by various ransomware operations, including AvosLocker<\/a>, MedusaLocker, BlackCat<\/a>, Trigona<\/a>, and LockBit<\/a>. <\/p>\n\n\n\n

SentinelLabs researchers discovered a new version of AvNeutralizer that employs a novel technique, leveraging the Windows driver ProcLaunchMon.sys, to interfere and evade security measures. <\/p>\n\n\n\n

“New evidence shows FIN7 is using multiple pseudonyms to mask the group\u2019s true identity and sustain its criminal operations in the underground market” reads the report<\/a> published by SentinelLabs. “FIN7\u2019s campaigns demonstrate the group\u2019s adoption of automated SQL injection attacks for exploiting public-facing applications”<\/em><\/p>\n\n\n\n

In November, SentinelOne reported a potential\u00a0link<\/a>\u00a0between FIN7 and the use of EDR evasion tools in ransomware attacks involving the Black Basta<\/a> group. <\/p>\n\n\n\n

The investigation conducted by the cybersecurity firm revealed the \u201cAvNeutralizer\u201d tool (aka<\/em>\u00a0AuKill<\/a>) targeted multiple endpoint security solutions and was used exclusively by a single group for six months. This reinforced the hypothesis that the FIN7 group and Black Basta gang might have had a close relationship.<\/p>\n\n\n\n

\"AV<\/a><\/figure>\n\n\n\n

Starting in January 2023, the experts observed the use of updated versions of AvNeutralizer by multiple ransomware groups, suggesting that the tool was offered to multiple threat actors on underground forums. The researchers identified multiple advertisements on underground forums promoting the sale of AvNeutralizer. On May 19th, 2022, a user named \u201cgoodsoft\u201d advertised an AV killer tool for $4,000 on the exploit[.]in forum. Later, on June 14th, 2022, a user named \u201clefroggy\u201d posted a similar ad on the xss[.]is forum for $15,000. A week later, on June 21st, a user named \u201ckillerAV\u201d advertised the tool on the RAMP forum for $8,000.<\/gwmw><\/p>\n\n\n\n

On August 10, 2022, a user named \u201cgoodsoft\u201d advertised “PentestSoftware” for $6,500 per month on the exploit[.]in cybercrime forum. The seller described the solution as a post-exploitation framework with modules designed to infiltrate enterprise networks and evade antivirus programs, was claimed to have been developed over three years at a cost of $1 million. Similar ads by users \u201ckillerAV\u201d and \u201clefroggy\u201d appeared on the RAMP and xss[.]is forums.<\/p>\n\n\n\n

On March 28, 2023, \u201cStupor\u201d advertised an AV killer tool for $10,000 on xss[.]is, which was identified as an updated version of AvNeutralizer. Analysis suggests that \u201cgoodsoft,\u201d \u201clefroggy,\u201d \u201ckillerAV,\u201d and \u201cStupor\u201d are part of the FIN7 cluster, using multiple pseudonyms to mask their identities.<\/p>\n\n\n\n

SentinelOne researchers focused on the new technique used by the tool to disable endpoint security solutions. The unpacked AvNeutralizer payload employs relies on 10 techniques to tamper with system security solutions. While many techniques are documented, such as removing PPL protection via the RTCore64.sys driver and using the Restart Manager API, a newly observed technique involves leveraging a Windows built-in driver capability that was previously unknown in the wild.<\/p>\n\n\n\n

AvNeutralizer uses multiple drivers and operations to trigger a denial of service (DoS) condition in protected processes. This involves:<\/p>\n\n\n\n

    \n
  1. Dropping and loading the process explorer driver (PED.sys) and connecting to the driver device.<\/li>\n\n\n\n
  2. Loading the ProcLaunchMon.sys driver and configuring a TTD monitoring session.<\/li>\n\n\n\n
  3. Adding the targeted process PID to the TTD session, suspending newly spawned child processes.<\/li>\n\n\n\n
  4. Killing non-protected child processes using the process explorer driver.<\/li>\n\n\n\n
  5. Causing the protected process to crash as it fails to communicate with its suspended child processes.<\/li>\n<\/ol>\n\n\n\n

    This new technique highlights AvNeutralizer’s advanced capabilities to disable endpoint security solutions.<\/p>\n\n\n\n

    “Our investigation into FIN7\u2019s activities highlights its adaptability, persistence and ongoing evolution as a threat group. In its campaigns, FIN7 has adopted automated attack methods, targeting public-facing servers through automated SQL injection attacks.” concludes the report. “Additionally, its development and commercialization of specialized tools like AvNeutralizer within criminal underground forums significantly enhance the group\u2019s impact.”<\/em><\/p>\n\n\n\n

    Pierluigi Paganini<\/strong><\/a><\/p>\n\n\n\n

    Follow me on Twitter: @securityaffairs<\/strong><\/a> and Facebook<\/strong><\/a> and Mastodon<\/a><\/p>\n\n\n\n

    (<\/strong>SecurityAffairs<\/strong><\/a>\u00a0\u2013<\/strong>\u00a0hacking, FIN7)<\/strong><\/p>\n\n\n\n

    <\/gwmw><\/p>\n\n\n\n

    <\/p>\n","protected":false},"excerpt":{"rendered":"

    The cybercrime group FIN7 is advertising a security evasion tool in multiple underground forums, cybersecurity company SentinelOne warns. SentinelOne researchers warn that the financially motivated group FIN7 is using multiple pseudonyms to advertise a security evasion tool in several criminal underground forums. FIN7 developed a tool called AvNeutralizer (also known as AuKill) that can bypass […]<\/p>\n","protected":false},"author":1,"featured_media":165873,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[3323,3,5],"tags":[15229,88,6607,4112,9508,9506,10918,687,841,1533],"class_list":["post-165863","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-breaking-news","category-cyber-crime","category-hacking","tag-av-killer","tag-cybercrime","tag-fin7","tag-hacking","tag-hacking-news","tag-information-security-news","tag-it-information-security","tag-pierluigi-paganini","tag-security-affairs","tag-security-news"],"yoast_head":"\n杭州江阴科强工业胶带有限公司