RansomHub exploits the Kaspersky TDSSKiller to kill EDR software

September 24, 2024
Tags: TDSSKiller, RansomHub, Ransomware, EDR, Endpoint Detection And Response, Cyberattack

The notorious RansomHub ransomware group has utilised the legitimate Kaspersky utility tool TDSSKiller to deactivate the endpoint detection and response (EDR) services on targeted devices.

Reports show that the group also employed the LaZagne credential-harvesting tool to collect logins from multiple application databases, enabling it to move laterally through the targeted network.

Kaspersky developed TDSSKiller to scan a system for rootkits and bootkits, two types of malware that are notoriously difficult to detect and that can bypass regular security solutions.

On the other hand, EDR services are more sophisticated solutions that function, at least partially, at the kernel level. They monitor and manage low-level system operations such as file access, process creation, and network connections while providing real-time protection against threats such as ransomware.

However, the ransomware group recently used TDSSKiller to interface with kernel-level services and disable the Malwarebytes Anti-Malware Service running on the targeted PC. The genuine utility was deployed after the reconnaissance and privilege-escalation phases.

The attackers executed the legitimate utility from a temporary directory under a dynamically generated filename. As a result, TDSSKiller allowed RansomHub's attack to remain discreet and avoid being detected or halted by security solutions.

Additionally, RansomHub attempted to extract passwords from databases using the LaZagne tool. Recent research into an attack that used the tool found that it generated 60 file writes, most likely logs of stolen credentials.


TDSSKiller is the primary reason the RansomHub attack is effective despite its use of the widely known LaZagne tool.


According to investigators, LaZagne is readily identified as malicious because it is a well-established malicious payload. The latest campaign was harder to catch, however, because the attackers used TDSSKiller to deactivate security protections first.

Researchers recommend that users enable their EDR solution's tamper-protection feature to prevent attackers from disabling it with legitimate tools such as TDSSKiller. Monitoring for the ‘-dcsvc’ flag, the parameter that disables or deletes services, and for the execution of TDSSKiller itself can also help detect and block this behaviour.
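The detection advice above can be turned into a small rule over process-creation telemetry. The following Python is an added example, not code from the article or from any vendor: it parses constructed log lines whose field names (Image, OriginalFileName, CommandLine, ParentImage) are borrowed from Sysmon Event ID 1, and flags the three signals the article names: the `-dcsvc` flag, a renamed copy of TDSSKiller, and execution from a temporary directory. The tab-separated key=value format, the paths, and the service name `ExampleAvService` are all assumptions made for this example.

```python
"""Flag TDSSKiller abuse in process-creation events (added example, not from the article)."""
import re
from pathlib import PureWindowsPath

# Constructed sample events: tab-separated key=value, fields named after Sysmon Event ID 1.
SAMPLE_EVENTS = [
    # Benign: an admin runs the real utility from Downloads for a rootkit scan.
    "Image=C:\\Users\\alice\\Downloads\\tdsskiller.exe\t"
    "OriginalFileName=tdsskiller.exe\t"
    "CommandLine=tdsskiller.exe\t"
    "ParentImage=C:\\Windows\\explorer.exe",
    # Suspicious: renamed copy in a temp directory, asked to disable a service.
    "Image=C:\\Users\\alice\\AppData\\Local\\Temp\\{d8f2-4a7c}.exe\t"
    "OriginalFileName=tdsskiller.exe\t"
    "CommandLine=\"{d8f2-4a7c}.exe\" -dcsvc ExampleAvService\t"
    "ParentImage=C:\\Windows\\System32\\cmd.exe",
    # Unrelated process: must not alert.
    "Image=C:\\Windows\\System32\\notepad.exe\t"
    "OriginalFileName=NOTEPAD.EXE\t"
    "CommandLine=notepad.exe\t"
    "ParentImage=C:\\Windows\\explorer.exe",
    # Renamed copy whose version resource was stripped: only the flag gives it away.
    "Image=C:\\Windows\\Temp\\svc9f.exe\t"
    "OriginalFileName=\t"
    "CommandLine=svc9f.exe -dcsvc ExampleAvService\t"
    "ParentImage=C:\\Windows\\System32\\cmd.exe",
]

# The service disable/delete switch the article tells defenders to watch for.
DCSVC_RE = re.compile(r"(?:^|\s)-dcsvc\b", re.IGNORECASE)
TEMP_DIR_NAMES = ("temp", "tmp")


def parse_event(line):
    """Split one tab-separated key=value line into a dict."""
    event = {}
    for field in line.split("\t"):
        key, _, value = field.partition("=")
        event[key] = value
    return event


def is_tdsskiller(event):
    """Recognise the utility by its PE original filename or its on-disk name."""
    original = event.get("OriginalFileName", "").lower()
    on_disk = PureWindowsPath(event.get("Image", "")).name.lower()
    return original == "tdsskiller.exe" or on_disk.startswith("tdsskiller")


def in_temp_dir(image):
    """True if any directory component of the image path is a temp folder."""
    dirs = [p.lower() for p in PureWindowsPath(image).parts[:-1]]
    return any(d in TEMP_DIR_NAMES for d in dirs)


def evaluate(event):
    """Return (severity, reasons); severity is 'none', 'low', 'medium' or 'high'."""
    reasons = []
    if DCSVC_RE.search(event.get("CommandLine", "")):
        reasons.append("-dcsvc flag present: service disable/delete requested")
    if is_tdsskiller(event):
        reasons.append("TDSSKiller executed")
        image = event.get("Image", "")
        if PureWindowsPath(image).name.lower() != event.get("OriginalFileName", "").lower():
            reasons.append("renamed TDSSKiller binary")
        if in_temp_dir(image):
            reasons.append("launched from a temporary directory")
    if not reasons:
        return "none", reasons
    if reasons[0].startswith("-dcsvc"):
        return "high", reasons
    return ("medium" if len(reasons) > 1 else "low"), reasons


def scan(lines):
    """Evaluate every log line and return the events that deserve attention."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        severity, reasons = evaluate(event)
        if severity != "none":
            alerts.append({"severity": severity, "image": event.get("Image"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["image"], "|", "; ".join(alert["reasons"]))
```

The fourth sample event is the reason the flag check runs on every process rather than only on recognised TDSSKiller binaries: Sysmon's OriginalFileName comes from the executable's version resource, which an attacker can strip from a renamed copy, so the command-line switch is the signal that survives renaming. A plain execution of the genuine utility still surfaces as a low-severity alert, which is what the article's "execution of TDSSKiller itself" recommendation asks for; pair any such rule with EDR tamper protection rather than relying on detection alone.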

Organisations should adopt these measures to defend against the current RansomHub operation, since the group relies heavily on legitimate tools that can readily bypass EDR solutions.
