Read Time:1 Minute, 15 Second
Kaspersky Lab’s TDSSKiller is a widely used free utility for detecting and removing rootkits. However, a recent cyberattack campaign by the RansomHub ransomware gang has leveraged TDSSKiller to disable EDR systems, compromising their ability to detect and respond to malicious activity.
Attack Strategy
RansomHub’s attack strategy involves two tools:
- TDSSKiller: Used as a legitimate rootkit removal tool, but repurposed to disable EDR services.
- LaZagne: Employed for harvesting credentials, providing attackers with further access to the compromised system.
Execution
The attack unfolds through several steps: - Network Reconnaissance: Attackers gather information about the target system, including administrator privileges.
- Disabling EDR Services: TDSSKiller is executed through command-line scripts to disable critical security services like Malwarebytes Anti-Malware Service.
- Credential Harvesting: LaZagne is deployed to extract database credentials, enabling attackers to move laterally within the network and access sensitive systems.
Mitigations
To mitigate the risks associated with this attack, organizations should implement the following measures: - Restrict BYOVD Exploits: Implement controls to prevent the execution of vulnerable drivers brought in from external devices.
- Isolate Critical Systems: Separate critical systems from the general network to minimize the impact of potential compromises.
Conclusion
RansomHub’s use of TDSSKiller to disable EDR is a concerning development that highlights the evolving tactics and techniques employed by cybercriminals. Organizations must remain vigilant and adopt comprehensive cybersecurity measures to protect their systems from such threats. By implementing appropriate mitigations and leveraging robust EDR solutions, businesses can enhance their ability to detect and respond to malicious attacks, minimizing their impact on operations and data.
