FIN7 Sells AvNeutralizer EDR Bypass Tool on the Darknet

Researchers have discovered that the hacker group FIN7 (also known as Sangria Tempest, Carbon Spider, and Carbanak) is selling its custom AvNeutralizer tool on the darknet. This tool is designed to bypass EDR (Endpoint Detection and Response) solutions in corporate networks.

FIN7 has been active for over a decade, since 2013. Initially, the group focused on PoS (Point-of-Sale) attacks to steal payment data, but later shifted to targeting large companies with ransomware. FIN7 is known for sophisticated phishing and social engineering attacks to gain initial access to corporate networks. For example, there was a case where hackers posed as BestBuy and sent malicious USB drives to their targets.

AvNeutralizer: A Custom EDR Bypass Tool

This week, SentinelOne specialists reported that one of FIN7’s custom tools, AvNeutralizer (also known as AuKill), is being sold online. AvNeutralizer is used to disable security software. The tool was first observed during BlackBasta ransomware attacks in 2022. At that time, BlackBasta was the only group using it, leading researchers to suspect a connection between the hackers. However, it was later found that AvNeutralizer was used in attacks by several other ransomware groups, indicating wider distribution.

“Since early 2023, our telemetry data shows numerous attacks using various versions of AvNeutralizer,” SentinelOne researchers stated. “About 10 of these were manually operated ransomware attacks deploying well-known RaaS (Ransomware-as-a-Service) like AvosLocker, MedusaLocker, BlackCat, Trigona, and LockBit.”

Further investigation revealed that since 2022, individuals using the aliases goodsoft, lefroggy, killerAV, and Stupor have been selling the tool, advertised as “AV Killer,” on Russian-language hacker forums for prices ranging from $4,000 to $15,000.

How AvNeutralizer Works

A 2023 report by Sophos detailed how AvNeutralizer/AuKill uses the legitimate Sysinternals Process Explorer driver to terminate antivirus processes running on a device. At the time, attackers claimed the tool could disable any antivirus or EDR software, including Windows Defender, Sophos, SentinelOne, Panda, Elastic, and Symantec products.

SentinelOne analysts have now found that FIN7 updated AvNeutralizer to use the Windows ProcLaunchMon.sys driver to “suspend” processes, causing them to malfunction. “AvNeutralizer uses a combination of drivers and operations to trigger failures in specific implementations of protected processes, ultimately resulting in a denial-of-service state,” SentinelOne explained. “The tool uses the ProcLaunchMon.sys driver, which is available by default in the system drivers directory, along with updated versions of the Process Explorer driver (version 17.02), which has been enhanced to abuse inter-process operations and is not currently blocked by Microsoft’s WDAC list.”
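Both variants described above rely on loading a signed driver that the operating system trusts, so the defender's signal is the driver load itself rather than the AV process dying. The following is an added hunting example, not code from SentinelOne, Sophos or the article; it triages constructed Sysmon Event ID 6 (DriverLoad) records and flags loads of the Process Explorer driver (its on-disk name, PROCEXP152.SYS, is the one Process Explorer installs) and of ProcLaunchMon.sys, escalating when the Windows driver has been copied outside its normal system drivers directory or the signature check did not return Valid. Hostnames, timestamps and paths in the sample telemetry are made up.

```python
from pathlib import PureWindowsPath

# Constructed sample telemetry in the "Key: Value" rendering of Sysmon Event ID 6 (DriverLoad).
# Hosts, times and the staging path are invented for this example; the Hashes field is omitted.
SAMPLE_EVENTS = r"""
UtcTime: 2024-07-17 09:12:01.334
Computer: FILESRV01
ImageLoaded: C:\Windows\System32\drivers\PROCEXP152.SYS
Signature: Microsoft Windows Hardware Compatibility Publisher
SignatureStatus: Valid

UtcTime: 2024-07-17 09:12:03.910
Computer: FILESRV01
ImageLoaded: C:\Users\Public\ProcLaunchMon.sys
Signature: Microsoft Windows
SignatureStatus: Valid

UtcTime: 2024-07-17 09:13:44.002
Computer: WKS-042
ImageLoaded: C:\Windows\System32\drivers\tcpip.sys
Signature: Microsoft Windows
SignatureStatus: Valid

UtcTime: 2024-07-17 10:01:17.551
Computer: DEV-LAPTOP
ImageLoaded: C:\Windows\System32\drivers\ProcLaunchMon.sys
Signature: Microsoft Windows
SignatureStatus: Valid
"""

# Drivers named in the reporting as the components AvNeutralizer/AuKill abuses.
WATCHLIST = {
    "procexp152.sys": "Sysinternals Process Explorer driver (used to terminate AV/EDR processes)",
    "proclaunchmon.sys": "Windows ProcLaunchMon.sys driver (used to suspend protected processes)",
}
SYSTEM_DRIVERS_DIR = r"c:\windows\system32\drivers"


def parse_events(text):
    """Split blank-line-separated 'Key: Value' blocks into one dict per event."""
    events = []
    for block in text.strip().split("\n\n"):
        event = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            event[key.strip()] = value.strip()
        if event:
            events.append(event)
    return events


def triage(events):
    """Return an alert for every load of a watch-listed driver, with a severity and reasons."""
    alerts = []
    for ev in events:
        path = PureWindowsPath(ev.get("ImageLoaded", ""))
        name = path.name.lower()
        if name not in WATCHLIST:
            continue  # not one of the drivers we care about
        severity = "low"
        reasons = [WATCHLIST[name]]
        if name == "procexp152.sys":
            # A legitimate admin tool, but its driver alone is enough to kill processes:
            # confirm that an administrator actually launched Process Explorer on this host.
            severity = "medium"
            reasons.append("Process Explorer driver loaded; verify interactive admin use")
        if name == "proclaunchmon.sys" and str(path.parent).lower() != SYSTEM_DRIVERS_DIR:
            # The driver ships in System32\drivers; a copy elsewhere points to staging by a tool.
            severity = "high"
            reasons.append("Windows driver loaded from outside the system drivers directory")
        if ev.get("SignatureStatus") != "Valid":
            severity = "high"
            reasons.append("driver signature did not validate")
        alerts.append({
            "host": ev.get("Computer", "?"),
            "time": ev.get("UtcTime", "?"),
            "driver": str(path),
            "severity": severity,
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in triage(parse_events(SAMPLE_EVENTS)):
        print(f"[{alert['severity'].upper()}] {alert['time']} {alert['host']} {alert['driver']}")
        for reason in alert["reasons"]:
            print(f"    - {reason}")
```

The rule is deliberately narrow: it keys on the two drivers the reporting names rather than on hashes, because the article itself notes that the Process Explorer driver was updated (version 17.02) to stay off Microsoft's WDAC blocklist, so hash-based blocking lags behind. Enforcing a WDAC policy that denies the Process Explorer driver on servers remains the preventive control; this hunt is the detective one that tells you when a trusted driver appears where it should not.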

Other FIN7 Tools and Ongoing Threat

SentinelOne also discovered additional custom tools and malware used by FIN7 but not sold to other criminals, including:

  • Powertrash (a PowerShell backdoor)
  • Diceloader (a lightweight backdoor controlled via C2)
  • Core Impact (a penetration testing toolkit)
  • An SSH-based backdoor

Researchers conclude that FIN7 remains a serious threat to businesses worldwide, given their ongoing development and improvement of tools and techniques, as well as the sale of software to other criminals.