Tuesday, July 23, 2024

Kasseika Ransomware Exploits Driver Functionality to Kill Antivirus

Ransomware is a tool that hackers use to extort money from their targets like individuals, businesses, and governments. The malware encrypts the target’s data and demands payment to unlock it.

This malicious strategy increases the possibility of payment by giving threat actors financial profits in the form of bitcoin in exchange for vital information.

Cybersecurity researchers at Trend Micro recently discovered that threat actors are actively exploiting the driver functionality to kill Antivirus programs.

Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

Kasseika Ransomware Kill’s Antivirus

In 2023, Kasseika ransomware joined the BYOVD trend, following Akira, BlackByte, and AvosLocker. They used Martini driver to disable antivirus programs that resemble the BlackMatter with pseudo-ransom extensions. 

This suggests a mature actor with access to BlackMatter’s source code previously linked to DarkSide and ALPHV. Since its 2021 shutdown, exclusive ransomware groups have adapted BlackMatter’s old code for new strains.

Infection chain (Source - Trend Micro)
Infection chain (Source – Trend Micro)

Kasseika ransomware employs targeted phishing for initial access by gathering credentials and using PsExec to move within the network. 

It exploits Martini.sys to disable security tools, which helps terminate processes and leverages FindWindowA API to detect security-related processes. 

The script ensures a clean state by setting up flexible variables for future use. Kasseika transfers files, terminates antivirus processes with Martini.exe, and also executes smartscreen_protected.exe as its ransomware binary. The Clear.bat is then executed to erase traces of the operation.

Kasseika ransomware is a Themida-packed 32-bit Windows PE file that employs robust obfuscation and anti-debugging. 

It terminates processes accessing Windows Restart Manager by modifying the registry keys and enumerating session hashes before encryption. 

It erases shadow copies using WMIC queries and decrypts its extension with Base64 encoding. Kasseika uses ChaCha20 and RSA from CryptoPP by generating a modified matrix for encryption. 

After renaming and dropping CBhwKBgQD.README.txt as a ransom note, Kasseika changes the system wallpaper post-encryption.

Kasseika ransomware employs wevutil.exe to discreetly wipe Application, Security, and System event logs that help in evading easy detection and response by security tools.


Here below we have mentioned all the recommendations:-

  • Grant admin rights only when necessary.
  • Regularly update security products and perform scans.
  • Secure backups for critical data.
  • Practice safe email and website habits.
  • Encourage reporting of suspicious emails and files.
  • Educate users on social engineering risks regularly.

Organizations can enhance security with a multilayered strategy by covering the endpoints, email, web, and network entry points. 

The detection of malicious components and suspicious behavior by security solutions is crucial for enterprise protection.


Latest articles

Beware Of Dating Apps Exposing Your Personal And Location Details To Cyber Criminals

Threat actors often attack dating apps to steal personal data, including sensitive data and...

Hackers Abusing Google Cloud For Phishing

Threat actors often attack cloud services for several illicit purposes. Google Cloud is targeted...

Two Russian Nationals Charged for Cyber Attacks against U.S. Critical Infrastructure

The United States has designated Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, two members...

Threat Actors Taking Advantage of CrowdStrike BSOD Bug to Deliver Malware

Threat actors have been found exploiting a recently discovered bug in CrowdStrike's software that...

NCA Shut’s Down the Most Popular “digitalstress” DDoS-for-hire Service

The National Crime Agency (NCA) has successfully infiltrated and dismantled one of the most...

Play Ransomware’s Linux Variant Attacking VMware ESXi Servers

A new Linux variant of Play ransomware targets VMware ESXi environments, which encrypts virtual...

SonicOS IPSec VPN Vulnerability Let Attackers Cause Dos Condition

SonicWall has disclosed a critical heap-based buffer overflow vulnerability in its SonicOS IPSec VPN....
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles