RansomHub has recently employed a novel attack method using TDSSKiller and LaZagne, in which TDSSKiller, traditionally used to disable EDR systems, was deployed to compromise network defenses.
Subsequently, LaZagne was used to harvest credentials from the compromised systems, which is unprecedented in RansomHub's operations and was not documented in CISA's recent advisory.
The attack sequence began with reconnaissance activities, including admin group enumeration, to identify weak entry points into the target network.
The RansomHub malware employed TDSSKiller, a legitimate anti-rootkit tool developed by Kaspersky, to compromise system security.
After assessing the system's vulnerabilities and privileges, it used TDSSKiller's capabilities to disable critical security services, such as the Malwarebytes Anti-Malware Service, by executing a command-line script or batch file, with the aim of creating a more favorable environment for the ransomware to operate without significant interference from security measures.


The attackers executed TDSSKiller with the -dcsvc flag to target MBAMService and attempted to disable this service, most likely to interfere with malware protection.
The executable was run from a temporary directory under a randomly generated filename, suggesting an attempt to avoid detection, which is common for malware that tries to evade security measures and gain persistence on the system.
The LockBit ransomware gang has been exploiting TDSSKiller's "-dcsvc" parameter to delete Windows services, effectively removing their registry keys and associated executables, which hinders the ability of security software, such as the Windows Defender Antimalware Client, to detect and mitigate the ransomware attack.
By targeting specific services, the attackers can disrupt critical system functions and increase the likelihood of successful data encryption.


TDSSKiller.exe is a malicious executable file whose SHA-256 hash, MD5 hash, and file size are unique identifiers that can be used to detect and block it.
The file is likely part of the TDSS rootkit, which is known for its advanced anti-detection techniques and its ability to compromise computer systems, and it is important to take immediate action to remove this file from the system and prevent further damage.
RansomHub, exploiting the weakened security, attempted to deploy LaZagne, a credential-harvesting tool, to extract sensitive database credentials; its execution resulted in 60 file writes, likely storing harvested credentials, and 1 file deletion, possibly to cover its traces.
Access to database credentials could have granted RansomHub significant control over critical infrastructure and facilitated privilege escalation within the compromised network.
The available information indicates the presence of a potentially malicious executable file named "LaZagne.exe", which has a SHA-256 hash of 467e49f1f795c1b08245ae621c59cdf06df630fc1631dc0059da9a032858a486, a file size of 9.66 MB, and an MD5 hash of 5075f994390f9738e8e69f4de09debe6.
Given the file name and the associated hashes, it is highly likely that this executable is designed to extract credentials from various sources, including web browsers, email clients, and password managers, making it a significant security threat.
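The indicators described above (TDSSKiller invoked with -dcsvc against a protection service, a renamed copy run from a temporary directory, and the LaZagne.exe hashes) can be turned into straightforward detection logic. The following is an added example written for this article, not code from the report or from ThreatDown: it evaluates process-creation events in a Sysmon Event ID 1-like shape (the field names Image, OriginalFileName, CommandLine and Hashes are assumed to be present in that form), the sample events are constructed, the TDSSKiller hash is a placeholder because the article does not give one, and WinDefend is added to the protected-service list as an assumption beyond the MBAMService named in the text.

```python
from __future__ import annotations

import re

# Hashes quoted in the article for the LaZagne.exe sample.
KNOWN_BAD_HASHES = {
    "SHA256": {"467e49f1f795c1b08245ae621c59cdf06df630fc1631dc0059da9a032858a486"},
    "MD5": {"5075f994390f9738e8e69f4de09debe6"},
}

# Services whose deletion via -dcsvc is treated as high severity. MBAMService
# is named in the article; WinDefend (Windows Defender Antimalware service) is
# an assumption added here to widen coverage.
PROTECTED_SERVICES = {"mbamservice", "windefend"}

TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
# "Random-looking" name: 6-12 alphanumerics containing both letters and digits.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{6,12}\.exe$", re.IGNORECASE)
DCSVC_RE = re.compile(r"(?:^|\s)-dcsvc\s+(\S+)", re.IGNORECASE)


def parse_hashes(field: str) -> dict[str, str]:
    """Turn a Sysmon-style 'SHA256=...,MD5=...' string into {ALGO: lowercase hex}."""
    out: dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def dcsvc_target(command_line: str) -> str | None:
    """Return the service name passed to -dcsvc, or None if the flag is absent."""
    m = DCSVC_RE.search(command_line)
    return m.group(1) if m else None


def evaluate(event: dict) -> list[str]:
    """Return 'severity: reason' findings for one process-creation event."""
    findings: list[str] = []
    image = event.get("Image", "")
    basename = image.rsplit("\\", 1)[-1]
    original = event.get("OriginalFileName", "")
    command_line = event.get("CommandLine", "")
    hashes = parse_hashes(event.get("Hashes", ""))

    # TDSSKiller is identified by its PE OriginalFileName, so renaming the
    # binary on disk does not hide it from this check.
    if original.lower() == "tdsskiller.exe":
        service = dcsvc_target(command_line)
        if service is not None:
            severity = "high" if service.lower() in PROTECTED_SERVICES else "medium"
            findings.append(f"{severity}: TDSSKiller -dcsvc used against service {service}")
        if basename.lower() != original.lower():
            findings.append(f"medium: TDSSKiller binary renamed to {basename}")

    if TEMP_DIR_RE.search(image) and RANDOM_NAME_RE.match(basename):
        findings.append(f"low: executed from a temp directory under random-looking name {basename}")

    for algo, value in hashes.items():
        if value in KNOWN_BAD_HASHES.get(algo, set()):
            findings.append(f"high: {algo} matches the LaZagne sample from the report")
    return findings


def scan(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Evaluate every event; return (Image, findings) pairs for events that fired."""
    hits = []
    for event in events:
        findings = evaluate(event)
        if findings:
            hits.append((event.get("Image", ""), findings))
    return hits


# Constructed sample events (not real telemetry from the incident).
SAMPLE_EVENTS = [
    {   # renamed TDSSKiller run from a temp directory to delete MBAMService
        "Image": r"C:\Users\Public\Temp\a8f3k2q1.exe",
        "OriginalFileName": "TDSSKiller.exe",
        "CommandLine": "a8f3k2q1.exe -dcsvc MBAMService",
        "Hashes": "SHA256=PLACEHOLDER_TDSSKILLER_SHA256",  # article gives no hash
    },
    {   # LaZagne with the hashes quoted in the article
        "Image": r"C:\Users\Public\LaZagne.exe",
        "OriginalFileName": "LaZagne.exe",
        "CommandLine": "LaZagne.exe",
        "Hashes": "SHA256=467e49f1f795c1b08245ae621c59cdf06df630fc1631dc0059da9a032858a486,"
                  "MD5=5075f994390f9738e8e69f4de09debe6",
    },
    {   # benign: TDSSKiller run from its install path with no -dcsvc
        "Image": r"C:\Program Files\Kaspersky Lab\TDSSKiller.exe",
        "OriginalFileName": "TDSSKiller.exe",
        "CommandLine": "TDSSKiller.exe",
    },
]

if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS):
        print(image)
        for finding in findings:
            print("  ", finding)
```

Matching on OriginalFileName rather than the on-disk name is the point of the first rule: the article notes the binary was run under a randomly generated filename, and the PE header's original name survives that. The hash rule only catches the exact LaZagne build quoted in the report; any recompiled or repacked build needs behavioural coverage (the file-write and credential-store access patterns the article describes) rather than a hash list.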
ThreatDown identified security software (TDSSKiller) flagged as a risk and a credential stealer (LaZagne), and recommends the following to improve ransomware defense and tighten EDR posture: restrict vulnerable driver usage (such as TDSSKiller, especially with suspicious flags) via BYOVD controls.
Network segmentation can isolate critical systems, preventing attackers with stolen credentials from reaching sensitive data by limiting lateral movement within the network.