New Attack Technique Using TDSSKiller and LaZagne Disables EDR
The RansomHub ransomware group has debuted a novel attack strategy, using a combination of tools to disable endpoint detection and response (EDR) systems and steal credentials. This is a change in its tactics, techniques, and procedures (TTPs), expanding its capabilities in the cybercrime landscape.
Malwarebytes ThreatDown Managed Detection and Response (MDR) team recently uncovered this new method, which involves the use of two well-known tools: TDSSKiller, a legitimate rootkit removal utility developed by Kaspersky, and LaZagne, a credential-harvesting tool.
While malicious actors have used both tools for years, this is the first time RansomHub has used them in its operations, a development not yet covered in the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) advisory on the group.
A New Offensive Strategy
The attack begins with reconnaissance and network probing. RansomHub conducts privilege enumeration through admin group commands, targeting high-privilege accounts such as the “Enterprise Admins” group.
Once reconnaissance is complete, the group deploys TDSSKiller in an attempt to disable critical security services, effectively neutralizing the system’s defenses.
The ransomware gang’s technique mirrors that of the LockBit ransomware group, which also uses TDSSKiller’s “-dcsvc” flag to delete services and remove security-related registry keys.
Credential Harvesting with LaZagne
After disabling the security systems, RansomHub deployed LaZagne, a tool known for extracting credentials from a range of applications, such as browsers, databases, and email clients. The attackers specifically focused on harvesting database credentials to get their hands on sensitive data and escalate their privileges within the compromised network.
LaZagne’s ability to retrieve credentials from multiple sources dramatically improves RansomHub’s ability to move laterally within the victim’s network, a serious risk to critical infrastructure and sensitive data.
Mitigation Strategies
To defend against these sophisticated attacks, ThreatDown offers several recommendations:
- Restrict BYOVD (Bring Your Own Vulnerable Driver) Exploits: Implement strict controls on vulnerable drivers like TDSSKiller, particularly when executed with suspicious command-line flags. This helps prevent malicious actors from using legitimate tools for nefarious purposes.
- Isolate Critical Systems: Network segmentation is crucial for preventing lateral movement. Organizations can limit the damage by isolating key systems even if attackers manage to harvest credentials.
This incident highlights RansomHub’s continued evolution and the increasing complexity of modern ransomware attacks. As the group refines its tactics, entities must stay vigilant and implement robust security protocols to stay ahead of emerging threats.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.