The RansomHub ransomware gang has been using Kaspersky’s TDSSKiller, a legitimate tool designed to scan for rootkits and bootkits, to disable endpoint detection and response (EDR) services on target systems. After taking down the defenses, RansomHub deployed the LaZagne credential-harvesting tool to extract logins from various application databases that could help them move laterally on the network. EDR agents operate at the kernel level, monitoring and controlling low-level system activities such as file access, process creation, and network connections.
They provide real-time protection against threats like ransomware. Cybersecurity company Malwarebytes observed RansomHub abusing TDSSKiller to interact with kernel-level services using a command-line script or batch file, disabling the Malwarebytes Anti-Malware Service (MBAMService) on the machine. The legitimate tool was employed following the reconnaissance and privilege escalation phase, executed from a temporary directory using a dynamically generated filename.
Being a legitimate tool signed with a valid certificate, TDSSKiller does not risk RansomHub’s attack getting flagged or stopped by security solutions.
Disabling EDR with legitimate tools
Next, RansomHub used the LaZagne tool to extract credentials stored in databases.
In the attack investigated by Malwarebytes, the tool generated 60 file writes likely containing logs of stolen credentials. Deleting a file could be an attempt by the attacker to cover their activity on the system. Detecting LaZagne is straightforward as most security tools flag it as malicious.
However, its activity can become invisible if TDSSKiller is used to deactivate the defenses. TDSSKiller is in a gray area, considered ‘RiskWare’ by some security tools, including Malwarebytes’ ThreatDown, which could serve as a red flag to users. The security firm suggests activating the tamper protection feature on the EDR solution to prevent attackers from disabling it with tools like TDSSKiller.
Additionally, monitoring for anomalies such as the ‘-dcsvc’ flag, which disables or deletes services, and the execution of TDSSKiller itself can help detect and block malicious activity.
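The monitoring advice above, turned into detection logic as an added example that is not from the article or from Malwarebytes. It runs over constructed process-creation events (the field layout is assumed, loosely modelled on Sysmon Event ID 1) and combines the signals the article names: TDSSKiller running at all, the ‘-dcsvc’ flag, the MBAMService target, and execution from a temp directory under a generated filename.

```python
import re

# Constructed sample process-creation events (not real telemetry). The field
# layout is an assumption; 'original_name' stands for the PE version-info
# OriginalFileName, which survives renaming of the file on disk.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\Temp\9f3a7c1e.exe", "original_name": "tdsskiller.exe",
     "cmdline": r"C:\Windows\Temp\9f3a7c1e.exe -dcsvc MBAMService"},
    {"image": r"C:\Users\alice\Downloads\tdsskiller.exe", "original_name": "tdsskiller.exe",
     "cmdline": r"tdsskiller.exe -accepteula -silent"},
    {"image": r"C:\Windows\System32\svchost.exe", "original_name": "svchost.exe",
     "cmdline": r"svchost.exe -k netsvcs"},
]

# Services whose deletion via TDSSKiller should never be accepted. Only
# MBAMService is named in the article; extend with your own EDR service names.
PROTECTED_SERVICES = {"mbamservice"}
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
RANDOM_NAME = re.compile(r"\\[0-9a-f]{8,}\.exe$", re.IGNORECASE)  # crude heuristic


def analyze(event):
    """Return (verdict, sorted tags) for one process-creation event."""
    tags = set()
    lowered = [t.lower() for t in event["cmdline"].split()]
    if event["original_name"].lower() == "tdsskiller.exe":
        tags.add("tdsskiller-execution")
    if TEMP_DIR.search(event["image"]):
        tags.add("run-from-temp-dir")
    if RANDOM_NAME.search(event["image"]):
        tags.add("random-looking-filename")
    if "-dcsvc" in lowered:  # flag that deletes a service
        tags.add("service-delete-flag")
        idx = lowered.index("-dcsvc")
        target = lowered[idx + 1] if idx + 1 < len(lowered) else ""
        if target in PROTECTED_SERVICES:
            tags.add("targets-protected-service")
    if "targets-protected-service" in tags:
        verdict = "block"
    elif tags & {"tdsskiller-execution", "service-delete-flag"}:
        verdict = "alert"
    else:
        verdict = "ok"
    return verdict, sorted(tags)


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["image"], *analyze(ev))
```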
Johannah Lopez is a versatile professional who seamlessly navigates two worlds. By day, she excels as a SaaS freelance writer, crafting informative and persuasive content for tech companies. By night, she showcases her vibrant personality and customer service skills as a part-time bartender. Johannah's ability to blend her writing expertise with her social finesse makes her a well-rounded and engaging storyteller in any setting.