Two Clicks to Disaster: Killer Ultra vs EDR and Antivirus software

Popular brands of security products were targeted by hackers.

ARC Labs specialists have discovered and analyzed a new tool used in the Qilin ransomware attacks. This malware, called "Killer Ultra", is designed to disable popular threat detection and response (EDR) tools and antivirus software.

ARC Labs experts conducted an in-depth analysis to understand the full functionality of Killer Ultra and provide tactical threat intelligence for organizations. During the analysis, it was found that Killer Ultra obtains kernel-level privileges and targets security tools of well-known brands. The program clears all Windows event logs and uses a vulnerable version of the legitimate Zemana AntiLogger protection program to terminate arbitrary processes.

CVE-2024-1853 is a vulnerability in Zemana AntiLogger that allows attackers to terminate security software processes. In May 2023, a hacker under the pseudonym "SpyBoy" included this vulnerability in the "Terminator" tool sold on cybercrime forums.

When Killer Ultra starts, it uses the system process "notepad.exe" to hide its activity. The malware replaces the NTDLL system component with the version loaded in "notepad.exe". This helps hide its actions from security programs that monitor the system.

NTDLL (NT Layer DLL) is a Windows system library that provides an interface between application programs and the operating system kernel. It contains many functions necessary for performing various tasks at the operating system level, such as managing processes, memory, and I/O.

After initialization, Killer Ultra loads a clean copy of NTDLL and extracts the Zemana driver to the local disk. Then the StopGuard service is started, which disables the security processes listed in the program. Killer Ultra targets products such as Symantec Antivirus, Microsoft Windows Defender, and SentinelOne.

To prevent the security tools from running again after a system reboot, Killer Ultra creates two scheduled tasks: "Microsoft Security" and "Microsoft Maintenance", which run the program at system startup.

Killer Ultra also uses the utility "wevtutil.exe" to clean up Windows event logs, which makes it difficult to detect traces of malware activity.
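The three behaviours described above (the Zemana driver being extracted and loaded, the "Microsoft Security" and "Microsoft Maintenance" scheduled tasks, and event logs being cleared with wevtutil.exe) all leave traces in standard Windows telemetry. The following Python snippet is an added example, not code from ARC Labs or from Killer Ultra, showing how a defender could flag those traces in a batch of events already normalised to dictionaries. The event IDs are the standard ones (Sysmon 6 for driver load, Sysmon 1 / Security 4688 for process creation, Security 4698 for task creation, Security 1102 and System 104 for log clearing); the sample events, the driver file name and the signer string are constructed for the example and are not indicators taken from the report.

```python
"""Added detection example for the Killer Ultra behaviours described in the
article. Not the ARC Labs tooling; sample events below are constructed."""
import re
from typing import Dict, List

# Scheduled task names the article attributes to Killer Ultra's persistence.
SUSPICIOUS_TASK_NAMES = {"microsoft security", "microsoft maintenance"}

# wevtutil "cl" / "clear-log" invocations, e.g. "wevtutil cl Security".
# Other wevtutil verbs (el, qe, ...) are routine and are deliberately not matched.
WEVTUTIL_CLEAR = re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.IGNORECASE)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the indicator labels matched by one event (empty list if none)."""
    hits: List[str] = []
    eid = event.get("EventID", "")

    # Sysmon EID 6 (DriverLoad) carries the signer in the Signature field.
    # The signer string "Zemana" is an assumption for the example.
    if eid == "6" and "zemana" in event.get("Signature", "").lower():
        hits.append("zemana_driver_loaded")

    # Security EID 4698: scheduled task created. TaskName is logged with a
    # leading backslash ("\Microsoft Security"), so strip it before comparing.
    if eid == "4698" and event.get("TaskName", "").strip("\\").lower() in SUSPICIOUS_TASK_NAMES:
        hits.append("killer_ultra_persistence_task")

    # Sysmon EID 1 / Security 4688: process creation with a log-clearing command line.
    if eid in {"1", "4688"} and WEVTUTIL_CLEAR.search(event.get("CommandLine", "")):
        hits.append("event_log_cleared_via_wevtutil")

    # Security 1102 / System 104: the log itself records that it was cleared,
    # which survives even when the process-creation record was not collected.
    if eid in {"1102", "104"}:
        hits.append("event_log_cleared")

    return hits


def triage(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map the index of every matching event to its indicator labels."""
    result: Dict[int, List[str]] = {}
    for index, event in enumerate(events):
        hits = classify(event)
        if hits:
            result[index] = hits
    return result


# Constructed sample events (not real captures). Field names follow the
# Sysmon / Security log conventions; file name and signer are placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "6", "ImageLoaded": "C:\\Windows\\Temp\\zemana_driver_placeholder.sys",
     "Signature": "Zemana Ltd."},
    {"EventID": "4698", "TaskName": "\\Microsoft Security", "TaskContent": "<Task>...</Task>"},
    {"EventID": "4698", "TaskName": "\\Microsoft Maintenance", "TaskContent": "<Task>...</Task>"},
    {"EventID": "1", "Image": "C:\\Windows\\System32\\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security"},
    {"EventID": "1102", "Channel": "Security"},
    # Benign noise that must not fire:
    {"EventID": "1", "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\notes.txt"},
    {"EventID": "4698", "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
]

if __name__ == "__main__":
    for index, labels in triage(SAMPLE_EVENTS).items():
        print(f"event {index}: {', '.join(labels)}")
```

In practice these checks would be expressed as SIEM rules over the live Security and Sysmon channels; the point of the example is that persistence via scheduled tasks and log clearing both generate their own audit records, so the clearing of one log does not remove the evidence of the other behaviours.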

Analysis of the Killer Ultra code revealed the presence of inactive functions that can be used for post-exploitation purposes. The program can load tools from remote sources, execute processes using the CreateProcessW function, and contains virtualization- and sandbox-related functions. These features are not active yet, but may be used in future versions of Killer Ultra.

The Killer Ultra malware poses a serious security problem. Organizations are encouraged to update their detection and response strategies to address this and similar threats.
