Kaspersky security tools hijacked to disable online protection systems

RansomHub is using a legitimate tool to disable EDRs and deploy stage-two malware

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

The infamous RansomHubransomwaregroup has been spotted abusing a legitimate Kaspersky tool to disable endpoint detection and response (EDR) tools and then deploy stage-twomalwareon infected systems without being seen.

Cybersecurity researchers Malwarebytes, who recently spotted the activity in the wild, noted once RansomHub compromises an endpoint and finds a way inside, it first needs to disable any EDR tools before deploying infostealers, or encryptors. In this scenario, the tool they used is called TDSSKiller - Kspersky’s specialized tool designed to detect and remove rootkits, particularly those from the TDSS family (also known as TDL4).

Rootkits are malicious programs that hide their presence on infected systems, making them difficult for standard antivirus software to detect. TDSSKiller can identify and eliminate these deeply embedded threats, helping to restore system security and functionality. The tool is lightweight, easy to use, and can be run alongside other antivirus solutions for added protection.

Deploying LaZagne

Once EDR is out of the way, the group deploys LaZagne, an infostealer capable of grabbing login credentials for various services on the network. This malware extracts all stolen credentials into a single file which, after upload, the group deletes to cover their tracks. With the gained access, they can then deploy the encryptor without fear of being flagged by antivirus programs.

RansomHub is a relatively young ransomware player, who spun from the now defunct ALPHV/BlackCat. The group was an affiliate of ALPHV, and was responsible for the attack at Change Healthcare, which resulted in the healthcare org paying $22 million in ransom. ALPHV operators took all of the money and shut down its infrastructure, leaving RansomHub without their share of the spoils. Since then, the group has been active, compromising dozens of organizations around the world.

ViaBleepingComputer

More from TechRadar Pro

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

A new form of macOS malware is being used by devious North Korean hackers

Scammers are using fake copyright infringement claims to hack businesses

Belkin’s Travel Bag for Vision Pro has pockets and is way cheaper than Apple’s own case