FIN7 (aka Carbon Spider, ELBRUS, Sangria Tempest) is a Russian APT group that is primarily known for targeting the U.S. retail, restaurant, and hospitality sectors since mid-2015.
In their attacks, the FIN7 group primarily uses several tactics and techniques like spearphishing attachments and links, compromising software supply chains, and exploiting public-facing applications.
FIN7’s “AvNeutralizer” anti-EDR tool was discovered by Sentinel Labs in July 2024, and it’s been identified that it uses a private packer dubbed “PackXOR,” which may have broader applications beyond FIN7.
Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial
AvNeutralizer EDR Killer Unpacked
AvNeutralizer is also known as AuKill; it’s a sophisticated tool that has been circulating since 2022 on underground forums like:-
Its primary function is to disable Endpoint Detection and Response (EDR) software, which it achieves by exploiting vulnerable drivers to terminate EDR-related processes directly from the kernel level, reads Harfanglab analysis.
AvNeutralizer employs a custom packer called PackXOR, and initially, it’s been associated with the FIN7 APT group.
This packer has been observed protecting a variety of payloads beyond the usual activities of the FIN7 APT.
PackXOR’s structure consists of two main sections, and here below we have mentioned them:-
A 40-byte header containing crucial information like XOR keys and size data.The actual packed payload.
The unpacking process is complex, as it involves two separate XOR operations and LZNT1 decompression.
To further obfuscate its operations, the PackXOR uses run-time dynamic linking and encrypts API function names using a combination of XOR and subtraction operations.
This makes the static analysis particularly more sophisticated and challenging.
Moreover, AvNeutralizer’s custom packer, PackXOR, has been found to protect other malicious payloads like the XMRig cryptominer and the R77 rootkit.
In some cases, these payloads are further obfuscated using additional layers like the open-source SilentCryptoMiner or even the commercial packing tools.
This highlights the complex and multi-layered approach of modern malware that makes use of these things to evade detection.
What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!
Pathfinder AI expands Hunters' vision for AI-driven SOCs, introducing Agentic AI for autonomous investigation and…
A recent technical study conducted by researchers at Trinity College Dublin has revealed that Google…
In a concerning development, cybercriminals are increasingly targeting cloud-based generative AI (GenAI) services in a…
Microsoft has introduced a series of technical recommendations to bolster the security of Virtualization-Based Security…
A sophisticated cyber espionage campaign targeting the aviation and satellite communications sectors in the United…
Microsoft has announced the removal of the Data Encryption Standard (DES) encryption algorithm from Kerberos…