FIN7 Promotes Advanced AvNeutralizer Tool on Cybercrime Forums

The financially motivated cybercrime group FIN7 has been utilizing multiple aliases to promote a single security bypass solution, referred to as AvNeutralizer or AuKill on various dark web criminal forums. This particular solution was specifically developed to bypass security solutions and has thus far been leveraged in attacks by AvosLocker, MedusaLocker, BlackCat, Trigona, and LockBit. Researchers have determined that a new improved version uses an effective evasion technique that utilizes a Windows driver, ProcLaunchMon.sys, to disrupt and avoid security systems.

Evidence points to FIN7 using a string of pseudonyms to help them cover their real identities and continue operating in illegal undergrounds. For instance, campaigns conducted by FIN7 show that the group launched SQL injection attacks utilizing automation against public-facing applications. Recently, in November, researchers linked FIN7 to EDR evasion tools being used in ransomware attacks associated with the Black Basta group.

Subsequent investigations by cybersecurity firms found the AvNeutralizer tool had been targeting a swathe of endpoint security solutions and was solely in use by one group for six months. This supports the theory of close interaction among the FIN7 group, but the Black Basta gang has not come up openly. After January 2023, several ransomware groups were observed using newer versions of AvNeutralizer, which indicated that the tool was being sold to a broad user base of threat actors on underground forums.

We found numerous AvNeutralizer advertisements in underground forums. For instance, on May 19, 2022, a user named “goodsoft” sold an AV killer tool on the exploit[.]in forum for $4,000.

The rest of the advertisements came in on the xss[.]is forum, placed by user “lefroggy,” at $15,000 on June 14, 2022, and on the RAMP forum, placed by “killerAV,” at $8,000 on June 21, 2022. In one final case, “goodsoft” advertised “PentestSoftware” on the exploit[.]in forum on August 10, 2022, for $6,500 per month, indicating that it is a post-exploitation framework having the ability to infect enterprise networks and to bypass antivirus programs.

Additional advertisements showed up on the RAMP and xss[.]is forums, from “killerAV” and “lefroggy,” respectively, and, on March 28, 2023, “Stupor” published a different advertisement selling an updated AV killer tool on xss[.]is for $10,000. Attribution Analysis Attributioning shows that these aliases—goodsoft, lefroggy, killerAV, and Stupor—are related to the operations of the FIN7 cluster.

The researchers examined the new method used by AvNeutralizer for disabling endpoint security solutions. Among other things, it employs 10 documented techniques to tamper with system security, like removing the PPL protection through the RTCore64.sys driver or the use of the Restart Manager API. Additionally, there is one newly observed technique that leverages a capability in a Windows built-in driver. AvNeutralizer utilizes a number of drivers and operations to induce the DoS condition on protected processes. These involve dropping and loading the process explorer driver (PED.sys), connecting to the driver device, loading the ProcLaunchMon.sys driver, setting up a TTD monitoring session, suspending newly spawned child processes, killing non-protected child processes, and causing the protected process to crash due to communication failures with its suspended child processes. This is the advanced feature of AvNeutralizer that points to its level of capability to disable solutions for endpoint security, working like a potent weapon in the hands of a cybercriminal.