Thursday, December 5, 2024
HomeCyber AttackNew RansomHub Attack Killing Kaspersky’s TDSSKiller To Disable EDR

New RansomHub Attack Killing Kaspersky’s TDSSKiller To Disable EDR

Published on

SIEM as a Service

RansomHub has recently employed a novel attack method utilizing TDSSKiller and LaZagne, where TDSSKiller, traditionally used to disable EDR systems, was deployed to compromise network defenses. 

Subsequently, LaZagne was used to harvest credentials from compromised systems, which is unprecedented in RansomHub’s operations and was not documented in CISA’s recent advisory. 

The attack sequence began with reconnaissance activities, including admin group enumeration, to identify vulnerable entry points into the target network.

- Advertisement - SIEM as a Service

RansomHub, a malicious software, employed TDSSKiller, a legitimate anti-rootkit tool developed by Kaspersky, to compromise system security. 

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

After assessing the system’s vulnerabilities and privileges, it exploited TDSSKiller’s capabilities to disable crucial security services, such as Malwarebytes Anti-Malware Service, by executing a command-line script or batch file, which aimed to create a more favorable environment for the ransomware to operate without significant interference from security measures.

disabling EDR software

The attackers executed TDSSKiller with the -dcsvc flag to target the MBAMService and attempted to disable this service, likely to interfere with malware protection. 

The executable was run from a temporary directory with a randomly generated filename, suggesting an attempt to avoid detection, which is common for malware that tries to evade security measures and gain persistence on the system.

LockBit ransomware gang has been exploiting TDSSKiller’s “-dcsvc” parameter to delete Windows services, effectively removing their registry keys and associated executables, which hinders the ability of security software, such as Windows Defender Antimalware Client, to detect and mitigate the ransomware attack. 

By targeting specific services, the attackers can disrupt critical system functions and increase the likelihood of successful data encryption.

Process Graph

TDSSKiller.exe is a malicious executable file whose SHA-256 hash, MD5 hash, and file size are unique identifiers that can be used to detect and block it. 

The file is likely part of the TDSS rootkit, which is known for its advanced anti-detection techniques and ability to compromise computer systems, while it’s important to take immediate action to remove this file from the system and prevent further damage.

RansomHub, exploiting compromised security, attempted to deploy LaZagne, a credential-harvesting tool, to extract sensitive database credentials whose execution resulted in 60 file writes, likely storing harvested credentials, and 1 file deletion, potentially to cover up traces. 

Accessing database credentials could have granted RansomHub significant control over critical infrastructure and facilitated privilege escalation within the compromised network.

Process Graph

The provided information indicates the presence of a potentially malicious executable file named “LaZagne.exe.,” which has a SHA-256 hash of 467e49f1f795c1b08245ae621c59cdf06df630fc1631dc0059da9a032858a486, a file size of 9.66 MB, and an MD5 hash of 5075f994390f9738e8e69f4de09debe6. 

Given the file name and the associated hashes, it’s highly likely that this executable is designed to extract credentials from various sources, including web browsers, email clients, and password managers, making it a significant security threat.

Threat Down identified security software (TDSSKiller) flagged as a risk and a credential stealer (LaZagne) to improve ransomware defense and to tighten EDR posture: Limit vulnerable driver usage (like TDSSKiller, especially with suspicious flags) through BYOVD controls. 

Network segmentation can also isolate critical systems, preventing attackers with stolen credentials from reaching sensitive data by restricting lateral movement within the network.

Simulating Cyberattack Scenarios With All-in-One Cybersecurity Platform – Watch Free Webinar

Latest articles

One Identity Named Winner of the Coveted Top InfoSec Innovator Awards for 2024

One Identity named Hot Company: Privileged Access Management (PAM) in 12th Cyber Defense Magazine’s...

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

One Identity Named Winner of the Coveted Top InfoSec Innovator Awards for 2024

One Identity named Hot Company: Privileged Access Management (PAM) in 12th Cyber Defense Magazine’s...

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...