Tuesday, March 11, 2025
Homecyber securityResearchers Unpacked AvNeutralizer EDR Killer Used By FIN7 Group

Researchers Unpacked AvNeutralizer EDR Killer Used By FIN7 Group

Published on

SIEM as a Service

Follow Us on Google News

FIN7 (aka Carbon Spider, ELBRUS, Sangria Tempest) is a Russian APT group that is primarily known for targeting the U.S. retail, restaurant, and hospitality sectors since mid-2015. 

In their attacks, the FIN7 group primarily uses several tactics and techniques like spearphishing attachments and links, compromising software supply chains, and exploiting public-facing applications.

FIN7’s “AvNeutralizer” anti-EDR tool was discovered by Sentinel Labs in July 2024, and it’s been identified that it uses a private packer dubbed “PackXOR,” which may have broader applications beyond FIN7.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial

AvNeutralizer EDR Killer Unpacked

AvNeutralizer is also known as AuKill; it’s a sophisticated tool that has been circulating since 2022 on underground forums like:-

  • xss[.]is
  • exploit[.]in

Its primary function is to disable Endpoint Detection and Response (EDR) software, which it achieves by exploiting vulnerable drivers to terminate EDR-related processes directly from the kernel level, reads Harfanglab analysis.

AvNeutralizer employs a custom packer called PackXOR, and initially, it’s been associated with the FIN7 APT group. 

Packing workflow (Source – Harfanglab)

This packer has been observed protecting a variety of payloads beyond the usual activities of the FIN7 APT. 

Unpacking workflow (Source – Harfanglab)

PackXOR’s structure consists of two main sections, and here below we have mentioned them:- 

A 40-byte header containing crucial information like XOR keys and size data.The actual packed payload. 

The unpacking process is complex, as it involves two separate XOR operations and LZNT1 decompression. 

To further obfuscate its operations, the PackXOR uses run-time dynamic linking and encrypts API function names using a combination of XOR and subtraction operations. 

This makes the static analysis particularly more sophisticated and challenging. 

Moreover, AvNeutralizer’s custom packer, PackXOR, has been found to protect other malicious payloads like the XMRig cryptominer and the R77 rootkit. 

In some cases, these payloads are further obfuscated using additional layers like the open-source SilentCryptoMiner or even the commercial packing tools.

This highlights the complex and multi-layered approach of modern malware that makes use of these things to evade detection.

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

“Eleven11bot” Botnet Compromises 30,000 Webcams in Massive Attack

Cybersecurity experts have uncovered a massive Distributed Denial-of-Service (DDoS) botnet known as "Eleven11bot."This new...

SideWinder APT Deploys New Tools in Attacks on Military & Government Entities

The SideWinder Advanced Persistent Threat (APT) group has been observed intensifying its activities, particularly...

Apache Pinot Vulnerability Allows Attackers to Bypass Authentication

A significant security vulnerability affecting Apache Pinot, an open-source distributed data store designed for...

Lazarus Hackers Exploit 6 NPM Packages to Steal Login Credentials

North Korea's Lazarus Group has launched a new wave of attacks targeting the npm...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

“Eleven11bot” Botnet Compromises 30,000 Webcams in Massive Attack

Cybersecurity experts have uncovered a massive Distributed Denial-of-Service (DDoS) botnet known as "Eleven11bot."This new...

SideWinder APT Deploys New Tools in Attacks on Military & Government Entities

The SideWinder Advanced Persistent Threat (APT) group has been observed intensifying its activities, particularly...

Apache Pinot Vulnerability Allows Attackers to Bypass Authentication

A significant security vulnerability affecting Apache Pinot, an open-source distributed data store designed for...