New RansomHub Attack Killing Kaspersky’s TDSSKiller To Disable EDR

RansomHub has recently employed a novel attack method utilizing TDSSKiller and LaZagne, where TDSSKiller, traditionally used to disable EDR systems, was deployed to compromise network defenses. 

Subsequently, LaZagne was used to harvest credentials from compromised systems, which is unprecedented in RansomHub’s operations and was not documented in CISA’s recent advisory. 

The attack sequence began with reconnaissance activities, including admin group enumeration, to identify vulnerable entry points into the target network.

- Advertisement -

RansomHub, a malicious software, employed TDSSKiller, a legitimate anti-rootkit tool developed by Kaspersky, to compromise system security. 

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

After assessing the system’s vulnerabilities and privileges, it exploited TDSSKiller’s capabilities to disable crucial security services, such as Malwarebytes Anti-Malware Service, by executing a command-line script or batch file, which aimed to create a more favorable environment for the ransomware to operate without significant interference from security measures.

The attackers executed TDSSKiller with the -dcsvc flag to target the MBAMService and attempted to disable this service, likely to interfere with malware protection. 

The executable was run from a temporary directory with a randomly generated filename, suggesting an attempt to avoid detection, which is common for malware that tries to evade security measures and gain persistence on the system.

LockBit ransomware gang has been exploiting TDSSKiller’s “-dcsvc” parameter to delete Windows services, effectively removing their registry keys and associated executables, which hinders the ability of security software, such as Windows Defender Antimalware Client, to detect and mitigate the ransomware attack. 

By targeting specific services, the attackers can disrupt critical system functions and increase the likelihood of successful data encryption.

TDSSKiller.exe is a malicious executable file whose SHA-256 hash, MD5 hash, and file size are unique identifiers that can be used to detect and block it. 

The file is likely part of the TDSS rootkit, which is known for its advanced anti-detection techniques and ability to compromise computer systems, while it’s important to take immediate action to remove this file from the system and prevent further damage.

RansomHub, exploiting compromised security, attempted to deploy LaZagne, a credential-harvesting tool, to extract sensitive database credentials whose execution resulted in 60 file writes, likely storing harvested credentials, and 1 file deletion, potentially to cover up traces. 

Accessing database credentials could have granted RansomHub significant control over critical infrastructure and facilitated privilege escalation within the compromised network.

The provided information indicates the presence of a potentially malicious executable file named “LaZagne.exe.,” which has a SHA-256 hash of 467e49f1f795c1b08245ae621c59cdf06df630fc1631dc0059da9a032858a486, a file size of 9.66 MB, and an MD5 hash of 5075f994390f9738e8e69f4de09debe6. 

Given the file name and the associated hashes, it’s highly likely that this executable is designed to extract credentials from various sources, including web browsers, email clients, and password managers, making it a significant security threat.

Threat Down identified security software (TDSSKiller) flagged as a risk and a credential stealer (LaZagne) to improve ransomware defense and to tighten EDR posture: Limit vulnerable driver usage (like TDSSKiller, especially with suspicious flags) through BYOVD controls. 

Network segmentation can also isolate critical systems, preventing attackers with stolen credentials from reaching sensitive data by restricting lateral movement within the network.

Simulating Cyberattack Scenarios With All-in-One Cybersecurity Platform – Watch Free Webinar