RansomHub has adopted a new attack method: it uses TDSSKiller to disable EDR systems and LaZagne to steal credentials, a tactic that CISA had not previously documented for the group. The intrusion begins with network reconnaissance, including enumeration of admin groups, before the tools are deployed.
TDSSKiller is a legitimate rootkit removal tool. Driven from the command line, it can be turned against the security services on a targeted system, EDR software included, which potentially allows RansomHub to run its malicious payload without detection.
RansomHub used TDSSKiller to deactivate the Malwarebytes Anti-Malware Service, a core security component, leaving the system's defenses against malicious software weakened.
The attacker ran tdsskiller.exe against MBAMService, using the -dcsvc flag to name the target service; this is most likely a step toward compromising the system's security and gaining unauthorized access.
They also attempted to run TDSSKiller from a temporary folder under a randomly generated filename, an apparent effort to disguise the activity and evade security software.
The LockBit ransomware gang likewise uses TDSSKiller with the "-dcsvc" parameter to delete the Windows Defender Antimalware Client, disabling antivirus protection before launching its attack; this lets the group operate more freely and raises its chances of successful encryption.
The TDSSKiller.exe file involved is a 4.82 MB executable with SHA-256 2d823c8b6076e932d696e8cb8a2c5c5df6d392526cba8e39b64c43635f683009 and MD5 ff1eff0e0f1f2eabe1199ae71194e560. It is the legitimate removal tool built for the TDSS rootkit, a complex malware family known for its persistence and stealth, which is what makes its abuse hard to tell apart from benign use.
RansomHub also tried to use LaZagne, a credential-harvesting tool that extracts stored logins from a wide range of applications, to steal credentials from the compromised system and extend its reach into the network.
According to ThreatDown, the attackers executed LaZagne.exe with the database command to extract database credentials, potentially granting them access to critical infrastructure and elevated privileges.
LaZagne's activity indicates that it successfully harvested credentials: the tool wrote 60 log files, likely containing the extracted credentials, and deleted one file, possibly to hide its presence.
LaZagne.exe is a 9.66 MB credential-harvesting tool with SHA-256 467e49f1f795c1b08245ae621c59cdf06df630fc1631dc0059da9a032858a486; it can pull credentials from many systems and applications, exposing sensitive information.
To counter ransomware that relies on BYOVD techniques and credential stealers, tighten controls on vulnerable drivers (for example, alert on TDSSKiller launched with suspicious flags such as -dcsvc) and segment the network to isolate critical systems, restricting lateral movement by attackers holding stolen credentials.
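As an added example (not code from the article or from either tool's maintainers), the Python below turns the behaviors described above into detection logic run over constructed process-creation events: it identifies the two binaries by the SHA-256 values quoted in the article even when renamed, flags execution from a temp folder, escalates a -dcsvc call when the named service is a security service, and records LaZagne module invocations. The event field names are assumptions modelled on Sysmon process-creation records.

```python
import re

# SHA-256 values the article reports for the two tools; hash matching catches a
# binary even when it runs under a random name, as in the temp-folder execution.
KNOWN_TOOL_HASHES = {
    "2d823c8b6076e932d696e8cb8a2c5c5df6d392526cba8e39b64c43635f683009": "TDSSKiller",
    "467e49f1f795c1b08245ae621c59cdf06df630fc1631dc0059da9a032858a486": "LaZagne",
}
# Services whose removal is EDR/AV tampering: MBAMService is named in the
# article; WinDefend is the service name of Windows Defender Antivirus.
PROTECTED_SERVICES = {"mbamservice", "windefend"}
DCSVC_RE = re.compile(r"-dcsvc\s+(\S+)", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def analyze_event(event):
    """Return finding tags for one process-creation event (dict with the
    hypothetical keys 'image', 'cmdline', 'sha256', modelled on Sysmon EID 1)."""
    findings = []
    tool = KNOWN_TOOL_HASHES.get(event["sha256"].lower())
    image = event["image"].lower()
    basename = image.rsplit("\\", 1)[-1]
    cmdline = event["cmdline"]
    # Known TDSSKiller binary running under a name that is not its own.
    if tool == "TDSSKiller" and not basename.startswith("tdsskiller"):
        findings.append("tdsskiller_renamed")
    # Either tool launched from a temporary directory.
    if tool and TEMP_DIR_RE.search(image):
        findings.append(f"{tool.lower()}_from_temp")
    # -dcsvc <service>: escalate when the target is a security service.
    match = DCSVC_RE.search(cmdline)
    if match:
        hit = match.group(1).lower() in PROTECTED_SERVICES
        findings.append("service_delete_security" if hit else "service_delete")
    # LaZagne invocation, recording the requested module (e.g. "database").
    if tool == "LaZagne" or basename.startswith("lazagne"):
        args = cmdline.split(maxsplit=1)
        findings.append("lazagne_run:" + (args[1] if len(args) > 1 else ""))
    return findings


# Constructed sample events, not real telemetry; the hashes are the article's.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\admin\AppData\Local\Temp\a7f3k9q2.exe",
     "cmdline": "a7f3k9q2.exe -dcsvc MBAMService",
     "sha256": "2d823c8b6076e932d696e8cb8a2c5c5df6d392526cba8e39b64c43635f683009"},
    {"image": r"C:\Tools\LaZagne.exe", "cmdline": "LaZagne.exe database",
     "sha256": "467e49f1f795c1b08245ae621c59cdf06df630fc1631dc0059da9a032858a486"},
    {"image": r"C:\Tools\TDSSKiller.exe", "cmdline": "TDSSKiller.exe",
     "sha256": "2d823c8b6076e932d696e8cb8a2c5c5df6d392526cba8e39b64c43635f683009"},
]
```

Running analyze_event over SAMPLE_EVENTS yields three findings for the renamed temp-folder TDSSKiller, one for the LaZagne database run, and none for the plain TDSSKiller launch, which is the distinction a detection rule needs to avoid alerting on legitimate administrative use.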