Kickidler employee monitoring tool targeted by ransomware actors

May 14, 2025

Ransomware operations leverage legitimate Kickidler employee monitoring software for reconnaissance, tracking victims’ activities, and harvesting credentials after breaching networks.

Researchers who observed the attacks attributed them to affiliates of the Qilin and Hunters International ransomware operations. According to their reports, the attackers installed Kickidler, a tool capable of capturing keystrokes, taking screenshots, and recording screen video.

The developer of Kickidler claims that over 5,000 organisations in 60 countries use the tool, which offers visual monitoring and data loss prevention features.

The attacks commenced when threat actors placed Google Ads that appeared when users searched for RVTools, a free Windows utility for managing VMware vSphere deployments.

Clicking on the ad redirected the target to a fake RVTools site (rv-tool[.]net) promoting a trojanised version of the program.

This malicious program acts as a loader, downloading and executing the SMOKEDHAM PowerShell .NET backdoor, facilitating the installation of Kickidler on compromised devices.
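Because the initial foothold in these attacks was a trojanised installer reached through a search ad, a check a practitioner would want before running any downloaded admin utility is to verify its Authenticode signature and signer, not just the file name. The script below is an added example, not code from the article, the researchers, or the RVTools maintainers; the download path and the expected signer string are placeholders, and it assumes the genuine installer is signed (if the vendor does not sign, fall back to the published checksum). A valid signature does not prove a file is benign, since attackers can obtain or steal certificates, but it rules out the common case of an unsigned or re-packaged binary.

```powershell
# Added example (not from the article or the RVTools project): refuse to run a
# downloaded installer unless its Authenticode signature is valid and the signer
# certificate's Subject contains the publisher you expect.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Substring expected in the signer certificate's Subject (placeholder; assumption).
        [Parameter(Mandatory)] [string] $ExpectedSigner
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$($Path): signature status is '$($sig.Status)' ($($sig.StatusMessage))"
        return $false
    }
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*$ExpectedSigner*") {
        Write-Warning "$($Path): signed by '$subject', expected a Subject containing '$ExpectedSigner'"
        return $false
    }
    # Record the SHA-256 so the file can also be compared with a checksum published by the vendor.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    Write-Host "$($Path): valid signature from '$subject'; SHA256 $hash"
    return $true
}

# Usage with placeholder values: only launch the installer when the check passes.
$installer = "$env:USERPROFILE\Downloads\RVTools.msi"          # placeholder path
if (Test-InstallerSignature -Path $installer -ExpectedSigner 'CN=Expected Publisher') {
    Start-Process -FilePath 'msiexec.exe' -ArgumentList "/i `"$installer`"" -Wait
}
```

The same function works for .exe installers. The broader habit it supports is the one the incident illustrates: type the vendor's URL rather than clicking a sponsored search result, then verify what was downloaded before it runs with an administrator's privileges.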

Although these attacks primarily targeted enterprise administrators, whose accounts typically grant elevated privileges once compromised, researchers suspect the threat actors retained access to victims' systems for an extended period in order to gather the credentials needed to reach off-site cloud backups without being detected.

Kickidler's feature set turns out to be surprisingly useful to threat actors.

According to investigations, Kickidler facilitates such attacks by capturing keystrokes and web pages from an administrator’s workstation.

This tactic enables threat actors to pinpoint off-site cloud backups and obtain the passwords needed to access them without engaging in memory dumps or other high-risk actions that might raise alarms.

In both recorded incidents, once the ransomware operators resumed activity on the breached networks, they executed payloads targeting the victims' VMware ESXi infrastructure, encrypting VMDK virtual hard disks and causing extensive disruption.

While employee monitoring software is not a standard tool for ransomware groups, they have a long history of abusing legitimate RMM tools.

To mitigate such threats, security teams should audit all installed remote access tools and verify the legitimacy of any RMM software. Application control policies should also be enforced to block unauthorised RMM software and permit only approved remote desktop tools and secure remote access solutions.
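One way to carry out the audit recommended above on a Windows host, as an added example that is not part of the article or of any vendor's tooling: inventory installed programs, services and running processes, then flag anything matching a watchlist of remote access or monitoring products that is not on the organisation's approved list. Kickidler is the product named in the article; the other watchlist names and the approved list are assumptions to be replaced with your own, and the script should run elevated so service and process paths are readable.

```powershell
# Added example: audit a Windows host for remote access / employee-monitoring
# software that is not on an approved list. Not the article's or Kickidler's code.

# Approved remote access tools for this environment (assumption: edit for your org).
$Approved = @('Microsoft Remote Desktop')

# Name fragments worth flagging. 'Kickidler' is named in the article; the rest are
# common RMM products included as an assumed watchlist, not as products the article cites.
$Watchlist = @('Kickidler', 'AnyDesk', 'TeamViewer', 'ScreenConnect', 'ConnectWise',
               'Atera', 'Splashtop', 'NinjaOne', 'N-able', 'Syncro', 'RustDesk')

# Uninstall registry keys: per-machine 64-bit, per-machine 32-bit, and per-user installs.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object {
        [pscustomobject]@{ Source = 'Registry'; Name = $_.DisplayName
                           Path = $_.InstallLocation; Publisher = $_.Publisher }
    }

# Services and processes catch agents that were dropped without an Uninstall entry.
$services = Get-CimInstance Win32_Service | ForEach-Object {
    [pscustomobject]@{ Source = 'Service'; Name = $_.DisplayName; Path = $_.PathName; Publisher = $null }
}
$processes = Get-Process | Where-Object { $_.Path } | ForEach-Object {
    [pscustomobject]@{ Source = 'Process'; Name = $_.ProcessName; Path = $_.Path; Publisher = $_.Company }
}

# Flag any item whose name or path matches the watchlist and is not explicitly approved.
$findings = @($installed) + @($services) + @($processes) | ForEach-Object {
    $item = $_
    $hit = $Watchlist |
        Where-Object { $item.Name -like "*$_*" -or $item.Path -like "*$_*" } |
        Select-Object -First 1
    if ($hit -and ($Approved -notcontains $item.Name)) {
        [pscustomobject]@{ Source = $item.Source; Name = $item.Name; Matched = $hit
                           Path = $item.Path; Publisher = $item.Publisher }
    }
} | Sort-Object Name, Source -Unique

if ($findings) {
    Write-Warning 'Unapproved remote access / monitoring software found:'
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No unapproved remote access or monitoring software found.'
}
```

The output is a starting point for the application control step: each unexpected entry is either added to the approved list after review or becomes the basis for a block rule, and the watchlist itself is the kind of signal that should feed endpoint detection rather than a one-off script.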
