
FIN7 Begins Selling Security Software Killer

To say that the financially motivated, advanced persistent threat group FIN7 is notorious is an understatement. The Russian-speaking group of hackers has been active since 2013 and primarily focused on financial fraud and stealing credit card details. The group then moved to the ransomware game in a big way.


DarkSide and BlackMatter ransomware strains have been attributed to the group. FIN7 has also been linked to BlackCat, who, in turn, recently pulled an exit scam on affiliates. Lastly, the group has also been known to impersonate employees of reputable businesses to supply USB devices loaded with malware.

According to research published by Sentinel One, the group is expanding its business model to provide malware tools for a price, similar to the Malware-as-a-Service business model that has become immensely popular over the years.

One tool being sold has drawn the attention of security researchers: a piece of malware that specializes in evading Endpoint Detection and Response (EDR) security software packages. Sentinel One tracks the tool as AvNeutralizer, but it is also known as AuKill.

This is by no means FIN7’s first foray into developing specialized evasion tools. FIN7 has been linked to developing and deploying such tools in ransomware incidents linked to BlackBasta.

Sentinel One researchers discovered that,

Beginning in January 2023, we observed a peak in the usage of updated versions of AvNeutralizer by multiple ransomware groups. This suggests that the tool was no longer exclusive to Black Basta, who shifted several TTPs since our last report and removed AvNeutralizer from its arsenal. We hypothesize that AvNeutralizer was likely sold on criminal underground forums, with Black Basta being one of the early buyers and adopters…After conducting a thorough analysis, we identified multiple advertisements across various underground forums in which we assess with high confidence that these advertisements were promoting the sale of the AvNeutralizer tool.

From approximately the middle of 2022, three members of well-known underground hacker forums began posting ads for malware toolsets. The tools were advertised as “AV Killers,” designed to evade antivirus and possibly EDR software packages, alongside penetration testing tools.

The three sellers tracked by Sentinel One researchers were “goodsoft,” “lefroggy,” and “killerAV,” whose motivations align closely with FIN7.

Researchers further discovered the following,

On March 28th, 2023, a user named “Stupor” advertised an AV killer targeting various security solutions for a starting price of $10,000 on the xss[.]is forum. We collected and analyzed the tool, attributing it with high confidence to an updated version of AvNeutralizer…Considering the available evidence and prior intelligence, we assess with high confidence that “goodsoft”, “lefroggy”, “killerAV” and “Stupor” belong to the FIN7 cluster. Furthermore, these threat actors are likely employing multiple pseudonyms on various forums to mask their true identity and sustain their illicit operations within this network.

AvNeutralizer Analysis

FIN7’s malware arsenal is impressive, to say the least. The Sentinel One report detailing AvNeutralizer reveals that their versatile arsenal includes tools such as Powertrash, Diceloader, Core Impact, an SSH-based backdoor, and AvNeutralizer. The report goes into the nitty-gritty of each of the above-listed malware tools; however, this article will focus on AvNeutralizer.

FIN7 has been looking to tamper with EDR software since 2022, with the first versions of AvNeutralizer being developed in June 2022. These early versions were seen being deployed by the BlackBasta ransomware gang.

These early versions relied on exploiting Process Explorer drivers found on Windows machines, allowing for cross-process operations between admin processes and protected processes directly from the kernel. The tool utilized this weakness to tamper with security solutions installed on the system.

Components deployed to targeted machines will often mimic the names of processes used by EDR solutions.

As for more recent versions, researchers noted,

Subsequent updates of AvNeutralizer, detected in our telemetry starting from early 2023, included minor changes like the naming convention that is usually prefixed with “au” followed by the targeted security solution name (e.g., auSentinel.exe, auSophos.exe, auElastic.exe, auSyma.exe) and the usage of the start key command line parameter. Starting from this version, we observed a significant overlap between what we internally track as AvNeutralizer and the “AuKill” tool documented by Sophos.

Once AvNeutralizer has been unpacked and deployed, it employs several methods to prevent malicious activity from being detected by installed EDR software, including removing PPL protection through the vulnerable RTCore64.sys driver, sandboxing protected processes, and leveraging the Restart Manager and Service Control Manager APIs.

AvNeutralizer can enforce denial of service operations on installed EDRs using a combination of drivers and malware processes.
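The naming convention and the abused driver named above are cheap things to hunt for in endpoint telemetry. The following Python script is an added example, not code from Sentinel One or PCrisk: it scans constructed Sysmon-style event lines (the log format and sample events are assumptions made for this illustration) for the “au<Vendor>.exe” process names, the “start key” parameter, and a load of RTCore64.sys.

```python
"""Hunt for AvNeutralizer/AuKill-style indicators in Sysmon-like event logs.

Added example, not from the Sentinel One report or the PCrisk article. The
key=value log format and the sample events are constructed; the indicators
(the "au<Vendor>.exe" names, the "start key" parameter and RTCore64.sys)
are the ones the article describes.
"""
import re
from typing import Dict, List

# Process names the article lists; extend the alternation for other vendors.
AU_NAME_RE = re.compile(r"^au(?:sentinel|sophos|elastic|syma)\.exe$", re.IGNORECASE)
# Vulnerable driver the article says is abused to strip PPL protection.
ABUSED_DRIVERS = {"rtcore64.sys"}

def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'key=value key2="quoted value"' line into a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]

def classify(event: Dict[str, str]) -> List[str]:
    """Return indicator labels for one event (empty list if nothing matched)."""
    hits: List[str] = []
    eid = event.get("EventID")
    if eid == "1":  # Sysmon process creation
        if AU_NAME_RE.match(_basename(event.get("Image", ""))):
            hits.append("au-prefixed EDR killer name")
            if "start key" in event.get("CommandLine", "").lower():
                hits.append("'start key' parameter")
    elif eid == "6":  # Sysmon driver loaded
        if _basename(event.get("ImageLoaded", "")).lower() in ABUSED_DRIVERS:
            hits.append("known-abused driver loaded")
    return hits

def hunt(lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged image/driver path to the indicators it triggered."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        ev = parse_event(line)
        hits = classify(ev)
        if hits:
            findings[ev.get("Image") or ev.get("ImageLoaded", "")] = hits
    return findings

# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    'EventID=1 Image="C:\\Windows\\Temp\\auSentinel.exe" CommandLine="auSentinel.exe start key"',
    'EventID=1 Image="C:\\Program Files\\Notepad++\\notepad++.exe" CommandLine="notepad++.exe"',
    'EventID=6 ImageLoaded="C:\\Windows\\Temp\\RTCore64.sys" Signed=true',
    'EventID=6 ImageLoaded="C:\\Windows\\System32\\drivers\\tcpip.sys" Signed=true',
]

if __name__ == "__main__":
    for path, hits in hunt(SAMPLE_LOG).items():
        print(path, "->", ", ".join(hits))
```

Name-based matching is a starting point only; renamed binaries or a renamed driver file will slip past it, so pair it with hash or signer checks on loaded drivers and with alerts on EDR service stops.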

Sentinel One has detected several attack campaigns that used SQL injection attacks to gain initial access. Once initial access can be converted into privileged access, FIN7 has several tools, including AvNeutralizer, to turn a bad day into a far worse one.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
