Attackers now use legitimate tools to disable protection and steal data.
The Malwarebytes team has discovered that the RansomHub ransomware group is using the legitimate TDSSKiller tool to disable the EDR tools on a compromised device. Alongside TDSSKiller, the criminals also use LaZagne to collect data. Both programs have long been known among cybercriminals; however, this is the first time they have been seen in use by RansomHub.
TDSSKiller, originally developed by Kaspersky Lab to remove rootkits, was used to disable EDR systems. After conducting reconnaissance and identifying accounts with elevated privileges, RansomHub attempted to disable the MBAMService protection service.
The tool was run from a temporary directory under a dynamically generated filename to make detection harder. Because TDSSKiller is a legitimate program carrying a valid signing certificate, many security products do not recognize its execution as a threat.
After shutting down the security systems, RansomHub launched the LaZagne tool to collect credentials from the infected systems. The program extracts stored passwords from various applications such as browsers, email clients, and databases, allowing attackers to escalate their privileges and move laterally through the network. In this case, the cybercriminals' goal was access to the database, which made it possible to control critical systems.
During the attack, LaZagne created more than 60 files, most of which contained logins and passwords. To hide traces of the program, the hackers also deleted some of these files once the operation was complete.
Detecting LaZagne on its own is easy enough, as most antivirus products flag it as malware. However, once TDSSKiller has been used to disable the protection systems, the program's activity becomes invisible to most tools.
ThreatDown urges organizations to take extra precautions against attacks of this kind. In particular, it recommends restricting the use of tools that load vulnerable drivers, such as TDSSKiller, and watching for suspicious commands executed on systems. It is also important to segment the network and isolate critical systems to limit the damage compromised credentials can do.
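One way to act on that advice is a triage rule over process-creation telemetry that combines the indicators this report describes: execution from a temp directory, a random-looking on-disk name, a mismatch between the on-disk name and the binary's original name, and a command line that references the EDR service (MBAMService). This is an added example, not code from Malwarebytes or ThreatDown; the event field names and the sample events are constructed, and the `<args naming MBAMService>` placeholder stands in for the actual command line, which the report does not reproduce.

```python
import math
import re
from collections import Counter
from ntpath import basename, splitext

# Constructed sample process-creation events. Field names are hypothetical; map them
# to whatever your EDR or Sysmon (Event ID 1) export actually provides.
EVENTS = [
    {"image": r"C:\Users\admin\AppData\Local\Temp\q8k2v7zn.exe",
     "original_file_name": "tdsskiller.exe",          # PE version-info name survives a rename
     "command_line": r"q8k2v7zn.exe <args naming MBAMService>"},   # placeholder, not real args
    {"image": r"C:\Tools\tdsskiller.exe",             # an admin running the tool as intended
     "original_file_name": "tdsskiller.exe",
     "command_line": r"tdsskiller.exe"},
    {"image": r"C:\Windows\System32\svchost.exe",     # ordinary system process
     "original_file_name": "svchost.exe",
     "command_line": r"svchost.exe -k netsvcs"},
]

PROTECTED_SERVICES = {"mbamservice"}   # from the report; add your own EDR service names
TEMP_DIRS = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
# Stem of at least six alphanumerics containing both letters and digits.
RANDOM_STEM = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{6,}$", re.IGNORECASE)

def shannon_entropy(s: str) -> float:
    counts = Counter(s.lower())
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_generated(filename: str) -> bool:
    """Heuristic for a dynamically generated filename: mixed letters/digits and high entropy."""
    stem = splitext(filename)[0]
    return bool(RANDOM_STEM.match(stem)) and shannon_entropy(stem) >= 2.5

def assess(event: dict) -> list[str]:
    """Return every indicator of the EDR-disable TTP that this event exhibits."""
    reasons = []
    on_disk = basename(event["image"])
    if TEMP_DIRS.search(event["image"]):
        reasons.append("executed from a temp directory")
    if looks_generated(on_disk):
        reasons.append("on-disk filename looks dynamically generated")
    if event["original_file_name"].lower() != on_disk.lower():
        reasons.append(f"renamed binary (original name {event['original_file_name']})")
    if any(svc in event["command_line"].lower() for svc in PROTECTED_SERVICES):
        reasons.append("command line names a protection service")
    return reasons

def triage(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Report only events with two or more indicators, so a lone temp-dir execution does not page anyone."""
    hits = []
    for event in events:
        reasons = assess(event)
        if len(reasons) >= 2:
            hits.append((event["image"], reasons))
    return hits
```

The legitimate run of TDSSKiller from `C:\Tools` scores zero, which is the point: the rule keys on the renaming and the service reference, not on the tool's presence.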
Source