TDSSKiller is a free utility developed by Kaspersky Lab that is designed to detect and remove rootkits, a type of malware that can hide the existence of other malware on the affected system. It is a powerful free tool for quickly detecting and removing rootkits like TDSS.
Recently, cybersecurity researchers at ThreatDown discovered a new RansomHub attack that has been killing Kaspersky’s TDSSKiller to disable EDR.
Killing Kaspersky’s TDSSKiller
The new attack strategy employed by the RansomHub ransomware gang leverages two tools:-
TDSSKiller, which is a legitimate Kaspersky rootkit removal utility that is repurposed to disable endpoint detection and response (EDR) systems.LaZagne is used to harvest credentials.
Decoding Compliance: What CISOs Need to Know – Join Free Webinar
The attack is initiated with network reconnaissance, which includes enumerating the admin group using commands such as “net1 group ‘Enterprise Admins’ /do.”
While following this, RansomHub seeks to disable critical security services like the Malwarebytes Anti-Malware Service (MBAMService). Here it does so by using the TDSSKiller via command line scripts or batch files.
Certainly, using these tactics and tools is quite new for RansomHub as it has not been previously described in the recently issued advisory on RansomHub’s activities made by Cybersecurity and Infrastructure Security Agency (CISA).
However, researchers said the usage of TDSSKiller and LaZagne is not new and has been exploited by several threat actors over the years.
This is the first time such tools have been observed for use in RansomHub’s operation, which is an indication of change in the group’s attacks and tactics.
To compromise the system, the threat actors employed an approach that is multi-step in nature.
Initially, the legitimate anti-rootkit tool, “TDSSKiller” is executed by the threat actors with “tdsskiller.exe -dcsvc MBAMService” command from a temporary directory (C:Users
This same tactic was also observed in LockBit ransomware attacks. In these attacks, it removes registry keys and executables associated with the targeted service.
After that, they deployed a credential-harvesting tool dubbed “LaZagne,” using the command “LaZagne.exe database” to specifically extract database credentials.
LaZagne’s execution resulted in 60 file writes, presumably logs of extracted credentials, and 1 file deletion, likely to cover their tracks and traces.
These two attacks aimed to disable security measures and gain access to sensitive credentials, potentially enabling lateral movement within the network and access to critical systems.
Mitigations
Here below we have mentioned all the mitigations:-
- Restrict Bring Your Own Vulnerable Driver (BYOVD) exploits
- Isolate critical systems
Simulating Cyberattack Scenarios With All-in-One Cybersecurity Platform – Watch Free Webinar