Cyber Attack

New RansomHub Attack Killing Kaspersky’s TDSSKiller To Disable EDR

RansomHub has recently employed a novel attack method utilizing TDSSKiller and LaZagne, where TDSSKiller, traditionally used to disable EDR systems, was deployed to compromise network defenses. 

Subsequently, LaZagne was used to harvest credentials from compromised systems, which is unprecedented in RansomHub’s operations and was not documented in CISA’s recent advisory. 

The attack sequence began with reconnaissance activities, including admin group enumeration, to identify vulnerable entry points into the target network.

RansomHub, a malicious software, employed TDSSKiller, a legitimate anti-rootkit tool developed by Kaspersky, to compromise system security. 

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

After assessing the system’s vulnerabilities and privileges, it exploited TDSSKiller’s capabilities to disable crucial security services, such as Malwarebytes Anti-Malware Service, by executing a command-line script or batch file, which aimed to create a more favorable environment for the ransomware to operate without significant interference from security measures.

disabling EDR software

The attackers executed TDSSKiller with the -dcsvc flag to target the MBAMService and attempted to disable this service, likely to interfere with malware protection. 

The executable was run from a temporary directory with a randomly generated filename, suggesting an attempt to avoid detection, which is common for malware that tries to evade security measures and gain persistence on the system.

LockBit ransomware gang has been exploiting TDSSKiller’s “-dcsvc” parameter to delete Windows services, effectively removing their registry keys and associated executables, which hinders the ability of security software, such as Windows Defender Antimalware Client, to detect and mitigate the ransomware attack. 

By targeting specific services, the attackers can disrupt critical system functions and increase the likelihood of successful data encryption.

Process Graph

TDSSKiller.exe is a malicious executable file whose SHA-256 hash, MD5 hash, and file size are unique identifiers that can be used to detect and block it. 

The file is likely part of the TDSS rootkit, which is known for its advanced anti-detection techniques and ability to compromise computer systems, while it’s important to take immediate action to remove this file from the system and prevent further damage.

RansomHub, exploiting compromised security, attempted to deploy LaZagne, a credential-harvesting tool, to extract sensitive database credentials whose execution resulted in 60 file writes, likely storing harvested credentials, and 1 file deletion, potentially to cover up traces. 

Accessing database credentials could have granted RansomHub significant control over critical infrastructure and facilitated privilege escalation within the compromised network.

Process Graph

The provided information indicates the presence of a potentially malicious executable file named “LaZagne.exe.,” which has a SHA-256 hash of 467e49f1f795c1b08245ae621c59cdf06df630fc1631dc0059da9a032858a486, a file size of 9.66 MB, and an MD5 hash of 5075f994390f9738e8e69f4de09debe6. 

Given the file name and the associated hashes, it’s highly likely that this executable is designed to extract credentials from various sources, including web browsers, email clients, and password managers, making it a significant security threat.

Threat Down identified security software (TDSSKiller) flagged as a risk and a credential stealer (LaZagne) to improve ransomware defense and to tighten EDR posture: Limit vulnerable driver usage (like TDSSKiller, especially with suspicious flags) through BYOVD controls. 

Network segmentation can also isolate critical systems, preventing attackers with stolen credentials from reaching sensitive data by restricting lateral movement within the network.

Simulating Cyberattack Scenarios With All-in-One Cybersecurity Platform – Watch Free Webinar

Aman Mishra

Recent Posts

Nearest Neighbor Attacks: Russian APT Hack The Target By Exploiting Nearby Wi-Fi Networks

Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as "GruesomeLarch"…

1 day ago

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by Egypt-based…

2 days ago

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in Central…

2 days ago

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to India,…

2 days ago

Raspberry Robin Employs TOR Network For C2 Servers Communication

Raspberry Robin, a stealthy malware discovered in 2021, leverages advanced obfuscation techniques to evade detection…

2 days ago

145,000 ICS Systems, Thousands of HMIs Exposed to Cyber Attacks

Critical infrastructure, the lifeblood of modern society, is under increasing threat as a new report…

2 days ago