FIN7 (aka Carbon Spider, ELBRUS, Sangria Tempest) is a Russian APT group that is primarily known for targeting the U.S. retail, restaurant, and hospitality sectors since mid-2015.
In their attacks, the FIN7 group primarily uses several tactics and techniques like spearphishing attachments and links, compromising software supply chains, and exploiting public-facing applications.
FIN7’s “AvNeutralizer” anti-EDR tool was discovered by Sentinel Labs in July 2024, and it’s been identified that it uses a private packer dubbed “PackXOR,” which may have broader applications beyond FIN7.
Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial
AvNeutralizer EDR Killer Unpacked
AvNeutralizer is also known as AuKill; it’s a sophisticated tool that has been circulating since 2022 on underground forums like:-
Its primary function is to disable Endpoint Detection and Response (EDR) software, which it achieves by exploiting vulnerable drivers to terminate EDR-related processes directly from the kernel level, reads Harfanglab analysis.
AvNeutralizer employs a custom packer called PackXOR, and initially, it’s been associated with the FIN7 APT group.
This packer has been observed protecting a variety of payloads beyond the usual activities of the FIN7 APT.
PackXOR’s structure consists of two main sections, and here below we have mentioned them:-
A 40-byte header containing crucial information like XOR keys and size data.The actual packed payload.
The unpacking process is complex, as it involves two separate XOR operations and LZNT1 decompression.
To further obfuscate its operations, the PackXOR uses run-time dynamic linking and encrypts API function names using a combination of XOR and subtraction operations.
This makes the static analysis particularly more sophisticated and challenging.
Moreover, AvNeutralizer’s custom packer, PackXOR, has been found to protect other malicious payloads like the XMRig cryptominer and the R77 rootkit.
In some cases, these payloads are further obfuscated using additional layers like the open-source SilentCryptoMiner or even the commercial packing tools.
This highlights the complex and multi-layered approach of modern malware that makes use of these things to evade detection.
What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!
Grayscale Investments, a prominent crypto asset manager, has reportedly suffered a data breach affecting 693,635…
A database containing over 1,000 email accounts associated with the National Health Service (NHS) has…
Researchers from Avast have uncovered a vulnerability in the cryptographic schema of the Mallox ransomware,…
A recently discovered vulnerability in Red Hat's NetworkManager, CVE-2024-8260, has raised concerns in the cybersecurity…
Tor Browser 14.0 has been officially launched. It brings significant updates and new features to…
INE Security offers essential advice to protect digital assets and enhance security. As small businesses…