Saturday, September 14, 2024

RansomHub ransomware abuses Kaspersky TDSSKiller to disable EDR software program


RansomHub ransomware abuses Kaspersky TDSSKiller to disable EDR software program

The RansomHub ransomware gang has been using TDSSKiller, a legitimate tool from Kaspersky, to disable endpoint detection and response (EDR) services on target systems.

After taking down the defenses, RansomHub deployed the LaZagne credential-harvesting tool to extract logins from various application databases that could help it move laterally on the network.

TDSSKiller abused in ransomware attacks

Kaspersky created TDSSKiller as a tool that can scan the system for rootkits and bootkits, two types of malware that are particularly difficult to detect and can evade standard security tools.

EDR agents are more advanced solutions that operate, at least partially, at the kernel level, since they need to monitor and control low-level system activities such as file access, process creation, and network connections, all while providing real-time protection against threats like ransomware.

Cybersecurity company Malwarebytes reports that it recently observed RansomHub abusing TDSSKiller to interact with kernel-level services using a command line script or batch file that disabled the Malwarebytes Anti-Malware Service (MBAMService) running on the machine.

[Image: Command parameters supported by TDSSKiller. Source: Malwarebytes]

The legitimate tool was employed after the reconnaissance and privilege escalation phase, and was executed from a temporary directory under the user profile (‘C:\Users\...\AppData\Local\Temp’) using a dynamically generated filename (‘{89BCFDFB-BBAF-4631-9E8C-P98AB539AC}.exe’).

Being a legitimate tool signed with a valid certificate, TDSSKiller does not risk RansomHub’s attack getting flagged or stopped by security solutions.

Next, RansomHub used the LaZagne tool in an attempt to extract credentials stored in databases. In the attack that Malwarebytes investigated, the tool generated 60 file writes that were likely logs of the stolen credentials.

A subsequent file deletion might be the result of the attacker trying to cover their activity on the system.

Defending against TDSSKiller

Detecting LaZagne is straightforward, as most security tools flag it as malicious. However, its activity can become invisible if TDSSKiller is used to deactivate the defenses.

TDSSKiller is in a gray area, as some security tools, including Malwarebytes’ ThreatDown, label it as ‘RiskWare’, which should also be a red flag to users.

The security firm suggests activating the tamper protection feature on the EDR solution, to make sure that attackers cannot disable it with tools like TDSSKiller.

Additionally, monitoring for the ‘-dcsvc’ flag, the parameter that disables or deletes services, and for the execution of TDSSKiller itself can help detect and block the malicious activity.
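The detection advice above (watch for TDSSKiller execution, the ‘-dcsvc’ flag, and a GUID-named executable launched from the user Temp directory) can be turned into a small triage rule over process-creation events. The following Python is an added example written for this article, not code from Malwarebytes or Kaspersky. It runs over a few constructed Sysmon-style process-creation records; the assumption that TDSSKiller's version-info name (the `OriginalFileName` field Sysmon records) is `tdsskiller.exe` is mine and should be checked against a real sample before use.

```python
"""Triage process-creation events for the TDSSKiller EDR-disabling pattern.

Added example for the article above; the sample events are constructed,
not records from the investigation the article describes.
"""
import re
from typing import Dict, List, Tuple

# Assumed: the binary's version-info name as Sysmon reports it in
# OriginalFileName. Verify against a real TDSSKiller build before relying on it.
TDSSKILLER_ORIGINAL_NAME = "tdsskiller.exe"

# Flag the article names as the one that disables or deletes services.
SERVICE_KILL_FLAG = "-dcsvc"

# Security services whose removal should raise severity. MBAMService comes
# from the article; extend with the service names of your own EDR/AV.
PROTECTED_SERVICES = {"mbamservice"}

# A GUID-like executable name, as used in the attack (lenient: the article's
# sample name contains a non-hex character, so allow any alphanumerics).
GUID_EXE_RE = re.compile(
    r"^\{[0-9A-Z]{8}-[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{8,12}\}\.exe$",
    re.IGNORECASE,
)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

# Constructed sample events in a simplified Sysmon Event ID 1 shape.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # renamed TDSSKiller in Temp, told to remove the Malwarebytes service
        "Image": r"C:\Users\alice\AppData\Local\Temp\{89BCFDFB-BBAF-4631-9E8C-P98AB539AC}.exe",
        "OriginalFileName": "tdsskiller.exe",
        "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\{89BCFDFB-BBAF-4631-9E8C-P98AB539AC}.exe" -dcsvc MBAMService',
    },
    {   # an admin running the real tool interactively, no service flag
        "Image": r"C:\Users\bob\Downloads\tdsskiller.exe",
        "OriginalFileName": "tdsskiller.exe",
        "CommandLine": r'"C:\Users\bob\Downloads\tdsskiller.exe"',
    },
    {   # unrelated process, should produce no findings
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": r'"C:\Windows\System32\notepad.exe" notes.txt',
    },
]


def analyze_event(event: Dict[str, str]) -> List[str]:
    """Return the list of indicator names matched by one process-creation event."""
    findings: List[str] = []
    image = event.get("Image", "")
    basename = image.rsplit("\\", 1)[-1]
    original = event.get("OriginalFileName", "").lower()

    # Identify TDSSKiller by version info first, so renaming the file does not hide it.
    if original == TDSSKILLER_ORIGINAL_NAME or basename.lower() == TDSSKILLER_ORIGINAL_NAME:
        findings.append("tdsskiller_execution")
        if basename.lower() != original:
            findings.append("tdsskiller_renamed")

    # Look for the service-disable flag and which service it is aimed at.
    # Whitespace splitting is enough for these samples; quoted paths with
    # spaces would need a Windows-aware argument parser.
    tokens = event.get("CommandLine", "").split()
    for i, token in enumerate(tokens):
        if token.lower() == SERVICE_KILL_FLAG:
            findings.append("dcsvc_flag")
            target = tokens[i + 1] if i + 1 < len(tokens) else ""
            if target.lower() in PROTECTED_SERVICES:
                findings.append(f"edr_service_targeted:{target}")

    # GUID-named binary launched from the user's Temp directory.
    if TEMP_DIR_RE.search(image) and GUID_EXE_RE.match(basename):
        findings.append("guid_named_exe_in_temp")
    return findings


def severity(findings: List[str]) -> str:
    """Collapse the indicator list into a single triage level."""
    if any(f.startswith("edr_service_targeted") for f in findings):
        return "high"
    if "dcsvc_flag" in findings and "tdsskiller_execution" in findings:
        return "high"
    if {"dcsvc_flag", "tdsskiller_renamed", "guid_named_exe_in_temp"} & set(findings):
        return "medium"
    if "tdsskiller_execution" in findings:
        return "low"
    return "none"


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Score every event; returns (severity, findings) per event in input order."""
    return [(severity(f), f) for f in (analyze_event(e) for e in events)]


if __name__ == "__main__":
    for (level, found), event in zip(scan(SAMPLE_EVENTS), SAMPLE_EVENTS):
        print(f"{level:6} {event['Image']}  {found}")
```

The ordering of the checks matters: matching on the version-info name rather than the on-disk name is what catches the renamed copy in the Temp directory, and a plain `tdsskiller.exe` run by an administrator without the service flag stays at low severity rather than generating the same alert as the attack pattern.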
