The infamous RansomHub ransomware group has been spotted abusing a legitimate Kaspersky tool to disable endpoint detection and response (EDR) tools and then deploy stage-two malware on infected systems without being seen.
Cybersecurity researchers Malwarebytes, who recently spotted the activity in the wild, noted once RansomHub compromises an endpoint and finds a way inside, it first needs to disable any EDR tools before deploying infostealers, or encryptors. In this scenario, the tool they used is called TDSSKiller – Kspersky’s specialized tool designed to detect and remove rootkits, particularly those from the TDSS family (also known as TDL4).
Rootkits are malicious programs that hide their presence on infected systems, making them difficult for standard antivirus software to detect. TDSSKiller can identify and eliminate these deeply embedded threats, helping to restore system security and functionality. The tool is lightweight, easy to use, and can be run alongside other antivirus solutions for added protection.
Deploying LaZagne
Once EDR is out of the way, the group deploys LaZagne, an infostealer capable of grabbing login credentials for various services on the network. This malware extracts all stolen credentials into a single file which, after upload, the group deletes to cover their tracks. With the gained access, they can then deploy the encryptor without fear of being flagged by antivirus programs.
RansomHub is a relatively young ransomware player, who spun from the now defunct ALPHV/BlackCat. The group was an affiliate of ALPHV, and was responsible for the attack at Change Healthcare, which resulted in the healthcare org paying $22 million in ransom. ALPHV operators took all of the money and shut down its infrastructure, leaving RansomHub without their share of the spoils. Since then, the group has been active, compromising dozens of organizations around the world.
Via BleepingComputer
