Infamous ransomware group RansomHub has been caught abusing a legitimate Kaspersky tool to disable Endpoint Detection and Response (EDR) tools and then install stage two malware on infected systems without detection.
Cybersecurity researchers at Malwarebytes, who recently spotted the activity in the wild, noted that once RansomHub has compromised an endpoint, it must first disable any EDR tools before deploying infostealers or encryptors. In this case the tool used for that step was TDSSKiller, Kaspersky's specialized utility designed to detect and remove rootkits, specifically those from the TDSS family (also known as TDL4).
Rootkits are malicious programs that hide their presence on infected systems, making them difficult to detect by standard antivirus software. TDSSKiller can identify and eliminate these deep-rooted threats, helping to restore system security and functionality. The tool is lightweight, easy to use, and can be run alongside other antivirus solutions for additional protection.
Deploying LaZagne
Once EDR is out of the way, the group deploys LaZagne, an infostealer that can steal credentials for various services on the network. This malware extracts all of the stolen credentials into a single file that the group deletes after uploading to cover their tracks. With this access, they can then deploy the encryptor without fear of being flagged by antivirus programs.
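From the defender's side, the sequence described above (a legitimate anti-rootkit tool run shortly before a credential dumper on the same host) is a correlation a SOC can hunt for in process-creation telemetry. The following is an added example, not code from the Malwarebytes or BleepingComputer reporting; the event tuples are constructed sample data and the field layout, tool names and 30-minute window are assumptions.

```python
"""Correlate an EDR-killer tool run followed by a credential dumper on one host.

Constructed sample telemetry (not real logs); the tuple layout
(timestamp, host, image path, parent image path) is an assumption.
"""
from datetime import datetime, timedelta

# Constructed process-creation events in (timestamp, host, image, parent) form.
SAMPLE_EVENTS = [
    ("2024-09-10T02:11:04", "ws-17", r"C:\Users\Public\tdsskiller.exe", r"C:\Windows\System32\cmd.exe"),
    ("2024-09-10T02:13:40", "ws-17", r"C:\Users\Public\lazagne.exe", r"C:\Windows\System32\cmd.exe"),
    ("2024-09-10T09:00:00", "ws-22", r"C:\Tools\tdsskiller.exe", r"C:\Windows\explorer.exe"),
    ("2024-09-10T15:45:12", "ws-22", r"C:\Users\Public\lazagne.exe", r"C:\Windows\explorer.exe"),
]

# Binaries named on the page; a real ruleset would also carry file hashes.
EDR_KILLER_TOOLS = {"tdsskiller.exe"}
CREDENTIAL_DUMPERS = {"lazagne.exe"}
WINDOW = timedelta(minutes=30)  # assumed dwell time between the two steps


def basename(path: str) -> str:
    """Lower-cased file name regardless of path separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_edr_kill_then_dump(events, window=WINDOW):
    """Return (host, killer_time, dumper_time) for every host on which a known
    EDR-killer tool ran and a credential dumper started within `window` after it."""
    by_host: dict = {}
    for ts, host, image, _parent in sorted(events):  # ISO timestamps sort lexically
        by_host.setdefault(host, []).append((datetime.fromisoformat(ts), basename(image)))

    hits = []
    for host, evs in by_host.items():
        for i, (t_kill, img) in enumerate(evs):
            if img not in EDR_KILLER_TOOLS:
                continue
            for t_dump, later_img in evs[i + 1:]:
                if later_img in CREDENTIAL_DUMPERS and t_dump - t_kill <= window:
                    hits.append((host, t_kill.isoformat(), t_dump.isoformat()))
                    break  # one alert per killer run is enough
    return hits


if __name__ == "__main__":
    for host, t1, t2 in find_edr_kill_then_dump(SAMPLE_EVENTS):
        print(f"{host}: anti-rootkit tool at {t1} followed by credential dumper at {t2}")
```

Only ws-17 is flagged: ws-22 ran both binaries, but hours apart, so the window filters it out and a human would triage it separately.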
RansomHub is a relatively young ransomware player, having spun off from the now defunct ALPHV/BlackCat. The group was a subsidiary of ALPHV and was responsible for the attack on Change Healthcare, which resulted in the healthcare organization paying a $22 million ransom. ALPHV operators took all the money and shut down the infrastructure, leaving RansomHub without their share of the loot. The group has been active ever since, compromising dozens of organizations around the world.
Via BleepingComputer