Tuesday, March 4, 2025
Homecyber securityResearchers Unpacked AvNeutralizer EDR Killer Used By FIN7 Group

Researchers Unpacked AvNeutralizer EDR Killer Used By FIN7 Group

Published on

SIEM as a Service

Follow Us on Google News

FIN7 (aka Carbon Spider, ELBRUS, Sangria Tempest) is a Russian APT group that is primarily known for targeting the U.S. retail, restaurant, and hospitality sectors since mid-2015. 

In their attacks, the FIN7 group primarily uses several tactics and techniques like spearphishing attachments and links, compromising software supply chains, and exploiting public-facing applications.

FIN7’s “AvNeutralizer” anti-EDR tool was discovered by Sentinel Labs in July 2024, and it’s been identified that it uses a private packer dubbed “PackXOR,” which may have broader applications beyond FIN7.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial

AvNeutralizer EDR Killer Unpacked

AvNeutralizer is also known as AuKill; it’s a sophisticated tool that has been circulating since 2022 on underground forums like:-

  • xss[.]is
  • exploit[.]in

Its primary function is to disable Endpoint Detection and Response (EDR) software, which it achieves by exploiting vulnerable drivers to terminate EDR-related processes directly from the kernel level, reads Harfanglab analysis.

AvNeutralizer employs a custom packer called PackXOR, and initially, it’s been associated with the FIN7 APT group. 

Packing workflow (Source – Harfanglab)

This packer has been observed protecting a variety of payloads beyond the usual activities of the FIN7 APT. 

Unpacking workflow (Source – Harfanglab)

PackXOR’s structure consists of two main sections, and here below we have mentioned them:- 

A 40-byte header containing crucial information like XOR keys and size data.The actual packed payload. 

The unpacking process is complex, as it involves two separate XOR operations and LZNT1 decompression. 

To further obfuscate its operations, the PackXOR uses run-time dynamic linking and encrypts API function names using a combination of XOR and subtraction operations. 

This makes the static analysis particularly more sophisticated and challenging. 

Moreover, AvNeutralizer’s custom packer, PackXOR, has been found to protect other malicious payloads like the XMRig cryptominer and the R77 rootkit. 

In some cases, these payloads are further obfuscated using additional layers like the open-source SilentCryptoMiner or even the commercial packing tools.

This highlights the complex and multi-layered approach of modern malware that makes use of these things to evade detection.

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Pathfinder AI – Hunters Announces New AI Capabilities for Smarter SOC Automation

Pathfinder AI expands Hunters' vision for AI-driven SOCs, introducing Agentic AI for autonomous investigation...

Google Secretly Tracks Android Devices Even Without User-Opened Apps

A recent technical study conducted by researchers at Trinity College Dublin has revealed that...

LLMjacking – Hackers Abuse GenAI With AWS NHIs to Hijack Cloud LLMs

In a concerning development, cybercriminals are increasingly targeting cloud-based generative AI (GenAI) services in...

Microsoft Strengthens Trust Boundary for VBS Enclaves

Microsoft has introduced a series of technical recommendations to bolster the security of Virtualization-Based...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Pathfinder AI – Hunters Announces New AI Capabilities for Smarter SOC Automation

Pathfinder AI expands Hunters' vision for AI-driven SOCs, introducing Agentic AI for autonomous investigation...

Google Secretly Tracks Android Devices Even Without User-Opened Apps

A recent technical study conducted by researchers at Trinity College Dublin has revealed that...

LLMjacking – Hackers Abuse GenAI With AWS NHIs to Hijack Cloud LLMs

In a concerning development, cybercriminals are increasingly targeting cloud-based generative AI (GenAI) services in...