New RansomHub attack uses TDSSKiller and LaZagne, disables EDR

Sept. 11, 2024, 8:54 p.m.

Description

A recent analysis by the ThreatDown MDR team has uncovered a novel attack method employed by the RansomHub ransomware gang. The attackers are utilizing two tools: TDSSKiller, a legitimate Kaspersky rootkit removal utility, to disable endpoint detection and response (EDR) systems, and LaZagne, a credential harvesting tool. This marks the first instance of RansomHub incorporating these tools into their arsenal. The attack begins with network reconnaissance and admin group enumeration, followed by the deployment of TDSSKiller to disable security services like Malwarebytes Anti-Malware Service. Subsequently, LaZagne is used to extract stored credentials from various applications, facilitating lateral movement within the compromised network. The campaign is currently active, prompting the implementation of new detection rules and recommendations for enhanced security measures.

Date

  • Created: Sept. 11, 2024, 8:33 p.m.
  • Published: Sept. 11, 2024, 8:33 p.m.
  • Modified: Sept. 11, 2024, 8:54 p.m.

Indicators

  • 467e49f1f795c1b08245ae621c59cdf06df630fc1631dc0059da9a032858a486
  • 2d823c8b6076e932d696e8cb8a2c5c5df6d392526cba8e39b64c43635f683009

Attack Patterns

  • RansomHub
  • T1505.003
  • T1059.003
  • T1087
  • T1562.001
  • T1021
  • T1082
  • T1083
  • T1047
  • T1210
  • T1046
  • T1078
  • T1003