Researchers Unpacked AvNeutralizer EDR Killer Used By FIN7 Group

FIN7 (aka Carbon Spider, ELBRUS, Sangria Tempest) is a Russian APT group that is primarily known for targeting the U.S. retail, restaurant, and hospitality sectors since mid-2015. 

In their attacks, the FIN7 group primarily uses several tactics and techniques like spearphishing attachments and links, compromising software supply chains, and exploiting public-facing applications.

FIN7’s “AvNeutralizer” anti-EDR tool was discovered by Sentinel Labs in July 2024, and it’s been identified that it uses a private packer dubbed “PackXOR,” which may have broader applications beyond FIN7.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial

AvNeutralizer EDR Killer Unpacked

AvNeutralizer is also known as AuKill; it’s a sophisticated tool that has been circulating since 2022 on underground forums like:-

• xss[.]is
• exploit[.]in

Its primary function is to disable Endpoint Detection and Response (EDR) software, which it achieves by exploiting vulnerable drivers to terminate EDR-related processes directly from the kernel level, reads Harfanglab analysis.

AvNeutralizer employs a custom packer called PackXOR, and initially, it’s been associated with the FIN7 APT group. 

This packer has been observed protecting a variety of payloads beyond the usual activities of the FIN7 APT. 

PackXOR’s structure consists of two main sections, and here below we have mentioned them:- 

A 40-byte header containing crucial information like XOR keys and size data.The actual packed payload. 

The unpacking process is complex, as it involves two separate XOR operations and LZNT1 decompression. 

To further obfuscate its operations, the PackXOR uses run-time dynamic linking and encrypts API function names using a combination of XOR and subtraction operations. 

This makes the static analysis particularly more sophisticated and challenging. 

Moreover, AvNeutralizer’s custom packer, PackXOR, has been found to protect other malicious payloads like the XMRig cryptominer and the R77 rootkit. 

In some cases, these payloads are further obfuscated using additional layers like the open-source SilentCryptoMiner or even the commercial packing tools.

This highlights the complex and multi-layered approach of modern malware that makes use of these things to evade detection.

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!