RansomHub Ransomware Exploits Kaspersky’s TDSSKiller to Disable EDR Software


The RansomHub ransomware gang has recently been observed using a clever yet concerning tactic to disable Endpoint Detection and Response (EDR) software on targeted systems. By abusing TDSSKiller, a legitimate tool developed by Kaspersky, RansomHub effectively dismantles key security defenses before deploying additional malware to extract sensitive information. This strategy underscores the evolving sophistication of ransomware operators and the ongoing challenge of defending against attacks that exploit legitimate software.

How RansomHub Exploits TDSSKiller

TDSSKiller is a well-known tool designed by Kaspersky to detect and remove rootkits and bootkits, which are particularly stealthy types of malware that operate at the kernel level. This tool is recognized for its ability to interact with low-level system processes, making it an attractive target for abuse by malicious actors looking to disable advanced security mechanisms like EDR software.

EDR solutions typically provide comprehensive security by monitoring low-level system activities, including file access, process creation, and network connections. These solutions are crucial in identifying and stopping ransomware attacks in real-time. However, by leveraging TDSSKiller, RansomHub can interfere with these kernel-level services, effectively neutralizing the advanced protection offered by EDR tools.

According to a recent report by cybersecurity firm Malwarebytes, RansomHub employs TDSSKiller via command line scripts or batch files that disable critical security services. For instance, Malwarebytes observed TDSSKiller being used to deactivate the Malwarebytes Anti-Malware Service (MBAMService), a key defense component on the victim’s machine.

Tactics and Techniques: Execution and Credential Harvesting

After disabling EDR software, RansomHub proceeds with its attack by deploying the LaZagne tool, which is designed to harvest credentials from various application databases. Credential harvesting is a crucial step in ransomware attacks as it facilitates lateral movement within a compromised network, allowing the attackers to escalate privileges and access additional sensitive systems and data.

Malwarebytes’ analysis revealed that RansomHub executed TDSSKiller from a temporary directory with dynamically generated filenames, such as ‘C:\Users\<User>\AppData\Local\Temp\{89BCFDFB-BBAF-4631-9E8C-P98AB539AC}.exe’. This method not only reduces the likelihood of detection by security software but also minimizes the risk of the attack being flagged, because the tool itself is legitimate and signed.

LaZagne’s deployment typically results in numerous file writes that contain logs of the extracted credentials. In the case observed by Malwarebytes, around 60 file writes were generated, indicating significant data exfiltration. To cover their tracks, attackers often delete these logs post-extraction, making forensic investigations challenging.


Defending Against Abuse of Legitimate Tools

While detecting LaZagne is relatively straightforward, as most security tools identify it as malicious, the situation becomes more complex when legitimate tools like TDSSKiller are abused. TDSSKiller occupies a gray area in cybersecurity—some security products, such as Malwarebytes’ ThreatDown, classify it as ‘RiskWare’. This designation highlights the dual-use nature of such tools, which can be legitimate in one context but harmful in another.

To counteract this threat, security experts recommend several strategies:

  1. Enable Tamper Protection: Activating tamper protection features on EDR solutions can prevent unauthorized modifications or deactivation attempts, even when tools like TDSSKiller are misused. This feature is essential for maintaining the integrity of security defenses in the face of sophisticated attacks.

  2. Monitor Specific Command Parameters: Security teams should monitor for specific parameters associated with malicious activity. For example, the ‘-dcsvc’ flag used by TDSSKiller to disable or delete services can be a tell-tale sign of an attack. Identifying the execution of such commands in real-time allows for prompt intervention before significant damage occurs.

  3. Enhanced Logging and Alerting: Implementing comprehensive logging and alerting mechanisms can help detect when legitimate tools are being used in suspicious ways. This approach enables security teams to differentiate between normal administrative use and potential abuse by malicious actors.

  4. User Education and Awareness: Ensuring that users are aware of the risks associated with dual-use tools like TDSSKiller can also be a valuable defense measure. Educating employees on recognizing signs of compromise and understanding the importance of reporting unusual system behavior can provide an additional layer of protection.
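Recommendations 2 and 3 above describe what to look for; the following is an added example, not code from the original article or from Malwarebytes, that applies that detection logic to constructed Sysmon-style process-creation records. The field names follow Sysmon Event ID 1 (Image, OriginalFileName, CommandLine); the paths, GUID and command lines are made up for illustration.

```python
import re

# Constructed Sysmon-style process-creation records (field names follow Sysmon
# Event ID 1; the values are made up for this example, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\{1B2C3D4E-5F60-4718-9A0B-1C2D3E4F5A6B}.exe",
     "OriginalFileName": "tdsskiller.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\{1B2C3D4E-5F60-4718-9A0B-1C2D3E4F5A6B}.exe" -dcsvc MBAMService'},
    {"Image": r"C:\Users\bob\Downloads\tdsskiller.exe",
     "OriginalFileName": "tdsskiller.exe",
     "CommandLine": r'"C:\Users\bob\Downloads\tdsskiller.exe"'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe"},
]

# Staging pattern from the report: a GUID-named .exe directly under %TEMP%.
GUID_EXE_IN_TEMP = re.compile(
    r"\\AppData\\Local\\Temp\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)
# The -dcsvc switch disables/deletes a service; capture which service is named.
DCSVC_ARG = re.compile(r"(?:^|\s)-dcsvc\s+(\S+)", re.I)

def evaluate_event(event):
    """Return a list of (finding, detail) tuples for one process-creation event."""
    findings = []
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    is_tdsskiller = event.get("OriginalFileName", "").lower() == "tdsskiller.exe"

    m = DCSVC_ARG.search(cmdline)
    if m:
        findings.append(("tdsskiller_service_disable", m.group(1)))

    # Renamed copy: the PE's original name says TDSSKiller but the on-disk name differs.
    if is_tdsskiller and image.rsplit("\\", 1)[-1].lower() != "tdsskiller.exe":
        findings.append(("tdsskiller_renamed", image))

    if GUID_EXE_IN_TEMP.search(image):
        findings.append(("guid_named_exe_in_temp", image))
    return findings

def scan(events):
    """Map each event's CommandLine to its findings, omitting clean events."""
    results = {}
    for e in events:
        findings = evaluate_event(e)
        if findings:
            results[e["CommandLine"]] = findings
    return results
```

A plain TDSSKiller run from a user's Downloads folder with no service-disabling switch produces no finding, which is what separates routine administrative use from the abuse pattern described above.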

Conclusion

The abuse of legitimate tools like Kaspersky’s TDSSKiller by ransomware gangs such as RansomHub illustrates the increasingly sophisticated tactics employed by cybercriminals. By exploiting trusted software to disable critical security defenses, these attackers gain an upper hand, allowing them to deploy further malicious payloads with minimal resistance. As the cybersecurity landscape continues to evolve, organizations must remain vigilant, continuously updating their defense strategies to counteract these advanced threats. Emphasizing tamper protection, monitoring for unusual tool usage, and fostering a culture of security awareness are key steps in defending against such innovative attack techniques.
