New research from Seqrite explains the ‘dual-use dilemma,’ where ransomware attackers repurpose legitimate IT tools like IOBit Unlocker and Process Hacker. Learn how these trusted utilities are used to bypass antivirus protections and achieve high-level system control during cyberattacks.
Cybersecurity researchers at Seqrite, the enterprise arm of Quick Heal Technologies, say attackers have changed how they operate, turning ransomware into more than just malware.
Instead of relying only on custom malware, they are increasingly using common IT tools to gain access to systems. Seqrite calls this a “dual-use dilemma”: software meant to troubleshoot and fix systems is being turned against them to bypass defenses.
Turning Help into Harm
Hackers are increasingly using low-level tools: utilities with deep access to the operating system. For instance, programs like Process Hacker or IOBit Unlocker were originally designed to help technicians troubleshoot systems or delete stubborn files.
However, the investigation revealed that attackers now use them to silently kill antivirus software. These tools have already been spotted in the wild; for instance, IOBit Unlocker has been used in LockBit Black 3.0 and Dharma campaigns, while Process Hacker is a favourite for Phobos and Makop operators.
It must be noted that these tools are usually ‘digitally signed,’ which means your computer trusts them as safe software, and this allows hackers to hide in plain sight. As per Seqrite’s blog post, “today’s adversaries act more like penetration testers with bad intentions,” using these trusted tools to create a silent zone where they can work without triggering any alarms.
A Step-by-Step Takeover
A ransomware attack follows a well-known path called a kill chain, and this one is no different. It typically begins with a simple phishing email or stolen credentials; after gaining a foothold, hackers use tools like PowerRun or YDArk to gain SYSTEM-level or kernel-level control. These terms refer to the most powerful permissions a computer offers, sitting right at the heart of the operating system.
Researchers found that the attack often happens in two distinct stages. First, attackers use “process killers” like ProcessKO or 0th3r_av5.exe (frequently seen in MedusaLocker attacks) to shut down antivirus monitoring. Researchers believe this ensures the “ransomware can run undetected.”
Once the antivirus is dead, they move to the second stage, using tools like Mimikatz (recently used by INC Ransomware) to steal passwords and Unlock_IT to erase logs. This removes forensic evidence, making the attack harder to track.
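As an added illustration of the two-stage pattern described above (this is not code from Seqrite or from the article), the following Python snippet correlates constructed process events: it flags launches of the dual-use tools the article names, then chains a process-killer launch, a subsequent antivirus process termination, and a follow-on credential-theft or log-wiping tool on the same host. The tool file names, the antivirus process name (MsMpEng.exe) and the event format are assumptions.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Tool names from the article, mapped to the role they play; file names are assumed.
DUAL_USE_TOOLS = {
    "processhacker.exe": "process killer", "iobitunlocker.exe": "process killer",
    "processko.exe": "process killer", "0th3r_av5.exe": "process killer",
    "powerrun.exe": "privilege escalation", "ydark.exe": "kernel access",
    "mimikatz.exe": "credential theft", "unlock_it.exe": "log tampering",
}
AV_PROCESSES = {"msmpeng.exe"}  # assumed antivirus engine process to watch

# Constructed sample events: (ISO timestamp, host, event type, image path).
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "ws01", "ProcessCreate", r"C:\Tools\ProcessHacker.exe"),
    ("2024-01-01T10:00:20", "ws01", "ProcessTerminate", r"C:\Program Files\AV\MsMpEng.exe"),
    ("2024-01-01T10:05:00", "ws01", "ProcessCreate", r"C:\Users\x\mimikatz.exe"),
    ("2024-01-01T11:00:00", "ws02", "ProcessCreate", r"C:\Tools\IObitUnlocker.exe"),
    ("2024-01-01T12:00:00", "ws03", "ProcessTerminate", r"C:\Program Files\AV\MsMpEng.exe"),
]

def classify(image):
    """Return the dual-use role of an image path, or None if it is not on the list."""
    return DUAL_USE_TOOLS.get(PureWindowsPath(image).name.lower())

def detect(events, window=timedelta(minutes=15)):
    """Return (host, alert, process, role) tuples; chains stage 1 and stage 2 per host."""
    alerts, last_killer, av_killed = [], {}, {}
    for ts, host, etype, image in sorted(events):
        t = datetime.fromisoformat(ts)
        name = PureWindowsPath(image).name.lower()
        if etype == "ProcessCreate":
            role = classify(image)
            if role is None:
                continue
            alerts.append((host, "dual-use tool launched", name, role))
            if role == "process killer":
                last_killer[host] = t
            elif role in ("credential theft", "log tampering"):
                killed = av_killed.get(host)
                if killed is not None and t - killed <= window:
                    alerts.append((host, "stage-2 tool after AV kill", name, role))
        elif etype == "ProcessTerminate" and name in AV_PROCESSES:
            killer = last_killer.get(host)
            # An AV exit on its own is noise; only flag it when a killer ran just before.
            if killer is not None and t - killer <= window:
                av_killed[host] = t
                alerts.append((host, "AV terminated after process killer", name, "stage 1"))
    return alerts
```

Run against real Sysmon or EDR process-create and process-terminate telemetry, the same correlation distinguishes a technician running Process Hacker from a killer-then-Mimikatz sequence.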
The Future of the Threat
The evolution of these attacks is worrying. While older ransomware relied on simple commands, modern versions use automated kits known as Ransomware-as-a-Service (RaaS), such as LockBit 3.0 or BlackCat. These kits now come pre-packaged with antivirus-killing features.
Looking ahead, researchers expect to see more AI-assisted methods in which the software automatically chooses the best way to disable your security. The conclusion is that the very tools we trust to manage our devices have become the perfect disguises for digital intruders.