Analysis Summary

TDSSKiller is a genuine Kaspersky program that the RansomHub ransomware gang has been utilizing to disable endpoint detection and response (EDR) services on target computers.

Following the breach of the defenses, RansomHub used the LaZagne credential-harvesting tool to obtain login credentials from a variety of application databases to facilitate network lateral movement. TDSSKiller is a tool designed by Kaspersky to check if the system has malware such as rootkits and bootkits, which are extremely hard to find and can avoid detection by conventional security tools.

To provide real-time protection against threats like ransomware, EDR agents are more sophisticated solutions that function, at least in part, at the kernel level. They must monitor and manage low-level system activities including file access, process creation, and network connections. According to the researchers, has been leveraging TDSSKiller to communicate with kernel-level services. This was done by disabling the machine's anti-malware service through a batch file or command line script.

After the reconnaissance and privilege-escalation stages, the legitimate tool was used. It was launched from a temporary directory ('C:\Users\<User>\AppData\Local\Temp\') with a dynamically-generated filename ('{89BCFDFB-BBAF-4631-9E8C-P98AB539AC}.exe'). Since TDSSKiller is a genuine tool that has been signed with a working certificate, there is little chance that security solutions will detect or thwart RansomHub's attack.

Next, RansomHub attempted to retrieve credentials from databases by utilizing the LaZagne tool. The tool produced 60 file writes in the assault that researchers examined, which were probably logs of the credentials that were taken. An attacker may have deleted a file in an attempt to hide their activities on the system. LaZagne is easy to find because it is marked as malicious by the majority of security programs. Nevertheless, if TDSSKiller is utilized to disable the safeguards, its activities may become undetectable.

Given that some security products classify TDSSKiller as "RiskWare," which may raise concerns for users, the tool is in a murky area. The experts advise turning on the EDR solution's tamper protection function to ensure that threat actors can't disable them using programs like TDSSKiller. Furthermore, keeping an eye out for the parameter that deletes or disables services, the "-dcsvc" flag and the actual execution of TDSSKiller can aid in identifying and thwarting malicious behavior.

Impact

• Credential Theft
• Security Bypass
• Data Theft
• Financial Loss

Indicators of Compromise

SHA1

• a3fad01a0c10fde5b38267188860ea1da649697d

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Regularly change passwords for all accounts and use strong, unique passwords for sensitive accounts.
• Implement multi-factor authentication (MFA) on all accounts to add an extra layer of security to login processes.
• Consider the use of phishing-resistant authenticators to further enhance security. These types of authenticators are designed to resist phishing attempts and provide additional protection against social engineering attacks.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
• Never trust or open links and attachments received from unknown sources/senders.