To bypass the antivirus on Windows computers, cybercriminals are increasingly turning to legitimate administration tools, which let them act without being detected.
Seqrite researchers have discovered that cybercriminals are exploiting legitimate Windows tools to orchestrate ransomware attacks. According to the experts, hackers have found a way to disable a computer’s antivirus so that they can achieve their ends without running into any obstacle.
Among the tools most heavily misused by hackers is administration software mainly intended for IT teams. It is used in particular to manage processes, unlock files or intervene on the system. The Seqrite report mentions, for example, Process Hacker, IOBit Unlocker, PowerRun, AuKill, YDArk and even TDSSKiller. “Utilities once considered reliable have now become some of the most dangerous enablers of computer attacks,” explains Seqrite.
How do the ransomware heavyweights exploit legitimate Windows tools?
According to the investigations carried out by Seqrite, several ransomware giants such as LockBit 3.0, BlackCat, Dharma, Phobos and MedusaLocker have made a habit of hijacking Windows administration tools. The hackers even go so far as to include these initially legitimate tools in their ready-to-use hacking kits, which are sold to other hackers on a subscription basis.
Cybercriminals typically follow a multi-step plan to compromise a system. They start with reconnaissance: they look at how the company is configured, where passwords are weakest, and which security software is poorly configured or out of date. Then they disarm the machine’s protections, in particular the antivirus, “without triggering an alert”. They use tools such as IOBit Unlocker or TDSSKiller to delete the files of security solutions and deactivate all of their components running in the background. By cleaning out the antivirus’s files and components, they prevent it from restarting the next time the machine boots.
“Tools created to solve problems can just as easily become weapons for dismantling security, without raising any alarms,” the researchers declare.
Once the defenses have fallen, they move on to the second phase of the plan. The hackers steal passwords from memory and plant malware at the lowest level of Windows to fly under the radar. Ultimately, they are able to deploy the ransomware on the machine without alerting the antivirus. “By neutralizing these protections, attackers create a silent zone where ransomware can run undetected.” Before leaving, they clean up the logs and technical traces in order to complicate the work of investigators and make the attack harder to reconstruct.
The increasingly massive use of legitimate tools in ransomware attacks greatly complicates the task of security experts and antivirus products. Most of the administration tools involved slip under the radar of traditional security policies, which is why hackers are using them more and more to achieve their ends. To combat the trend, Seqrite researchers recommend that security solutions track anomalous behavior rather than focusing on identifying particular software.
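As an added example of the behavior-based approach Seqrite recommends (not code from the report or from 01net), the sketch below correlates the launch of one of the dual-use tools named above with follow-on tampering against a security product or with event-log clearing on the same host. The log format, timestamps, hostnames and the security product path are all constructed placeholders.

```python
"""Behaviour-based detection: a dual-use admin tool alone is not an alert;
the same tool followed shortly by tampering with security software is."""
from collections import defaultdict
from datetime import datetime, timedelta

# Dual-use administration tools named in the Seqrite report.
DUAL_USE_TOOLS = {"processhacker.exe", "iobitunlocker.exe", "powerrun.exe",
                  "aukill.exe", "ydark.exe", "tdsskiller.exe"}
# Placeholder install path of a security product (assumption, not a real vendor).
SECURITY_PATHS = ("c:\\program files\\examplesecurity\\",)
WINDOW = timedelta(minutes=10)  # how long after a tool launch tampering still correlates

def parse(line):
    """Constructed log format: '<ISO time>|<host>|<event>|<detail>'."""
    ts, host, event, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), host, event, detail.lower()

def detect(lines):
    """Return (host, tool, tamper_event) for each tampering event that occurs
    within WINDOW after a dual-use tool was launched on the same host."""
    tool_starts = defaultdict(list)  # host -> [(launch time, tool name)]
    alerts = []
    for ts, host, event, detail in sorted(parse(l) for l in lines):
        if event == "process_create":
            exe = detail.rsplit("\\", 1)[-1]
            if exe in DUAL_USE_TOOLS:
                tool_starts[host].append((ts, exe))
            continue
        # Tampering = deleting/stopping the security product, or wiping the event log.
        tampering = (
            event in ("file_delete", "process_terminate", "service_stop")
            and detail.startswith(SECURITY_PATHS)
        ) or event == "eventlog_cleared"
        if not tampering:
            continue
        for start, tool in tool_starts[host]:
            if start <= ts <= start + WINDOW:
                alerts.append((host, tool, event))
    return alerts

# Constructed sample telemetry: ws01 shows the disarming sequence, ws02 a benign launch.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00|ws01|process_create|C:\\Users\\admin\\Downloads\\tdsskiller.exe",
    "2024-01-01T10:02:30|ws01|file_delete|C:\\Program Files\\ExampleSecurity\\scanner.dll",
    "2024-01-01T10:04:10|ws01|eventlog_cleared|Security",
    "2024-01-01T11:00:00|ws02|process_create|C:\\Tools\\processhacker.exe",
    "2024-01-01T11:30:00|ws02|file_delete|C:\\Users\\it\\Desktop\\notes.txt",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print("ALERT", alert)
```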
Source: Seqrite