Ransomware Groups Abuse Authorized Software to Evade Security Measures
Cyberattackers Evade Detection Using Legitimate IT Tools
Ransomware attackers have evolved their tactics to repurpose legitimate IT tools to bypass antivirus protections and gain system control, according to research conducted by Seqrite, the enterprise arm of Quick Heal Technologies.
The Dual-Use Dilemma
In practice, the attackers leverage common troubleshooting and administration utilities to evade detection and silence security alerts, creating a stealthy environment in which they can carry out their plans unnoticed.
Killing Antivirus Software
Because these tools carry valid digital signatures, which mark them as trustworthy applications, hackers can use them to conceal their malicious activities. Cybersecurity researchers observe that today's adversaries operate more like penetration testers with malicious intent.
The Kill Chain
- Phishing or compromised credentials
- Deployment of tools like PowerRun or YDArk to acquire SYSTEM-level or kernel-level control
- Employment of process killers such as ProcessKO or 0th3r_av5.exe to terminate antivirus monitoring
- Utilization of tools like Mimikatz to extract passwords and Unlock_IT to erase logs
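The four stages above leave traces in process-creation telemetry that a defender can correlate. As an added example (not code from the Seqrite research or this article), the following Python detector tags each event whose image name matches a tool named in the kill chain, then flags a host where several stages appear within a short window. The executable filenames assumed for each tool, the 300-second window and the sample events are all constructed assumptions.

```python
import json
from collections import defaultdict

# Dual-use tools named in the article, grouped by the kill-chain stage they serve.
# The .exe filenames are assumed; adjust to the names seen in your own telemetry.
STAGE_TOOLS = {
    "privilege": {"powerrun.exe", "ydark.exe"},
    "process_kill": {"processko.exe", "0th3r_av5.exe"},
    "credential_access": {"mimikatz.exe"},
    "log_wipe": {"unlock_it.exe"},
}

# Constructed sample process-creation events (not real telemetry), one JSON object per line.
SAMPLE_EVENTS = r"""
{"ts": 100, "host": "ws-17", "user": "jdoe", "image": "C:\\Windows\\System32\\notepad.exe"}
{"ts": 160, "host": "ws-17", "user": "jdoe", "image": "C:\\Users\\jdoe\\Downloads\\PowerRun.exe"}
{"ts": 190, "host": "ws-17", "user": "SYSTEM", "image": "C:\\Temp\\ProcessKO.exe"}
{"ts": 240, "host": "ws-17", "user": "SYSTEM", "image": "C:\\Temp\\mimikatz.exe"}
{"ts": 300, "host": "ws-42", "user": "asmith", "image": "C:\\Tools\\ProcessKO.exe"}
"""


def stage_of(image: str):
    """Map an image path to a kill-chain stage, or None if it is not a tool named above."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    for stage, names in STAGE_TOOLS.items():
        if name in names:
            return stage
    return None


def analyze(log_text: str, window: int = 300):
    """Return per-host findings: stages seen in time order and whether they chain within `window` seconds."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        stage = stage_of(ev["image"])
        if stage:
            per_host[ev["host"]].append((ev["ts"], stage, ev["user"]))
    findings = {}
    for host, hits in per_host.items():
        hits.sort()
        stages = [s for _, s, _ in hits]
        # Two or more stages on one host inside the window is the pattern the article describes.
        chained = len(hits) >= 2 and hits[-1][0] - hits[0][0] <= window
        severity = "high" if chained and "process_kill" in stages else "medium"
        findings[host] = {"stages": stages, "chained": chained, "severity": severity}
    return findings
```

A single match (as on ws-42) is only medium severity, since these utilities are also used legitimately by administrators; the chained sequence is what merits an immediate response.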
This evolving landscape is concerning: modern ransomware variants now ship as automated kits sold as Ransomware-as-a-Service (RaaS), with built-in features for circumventing antivirus software. Researchers also anticipate increasing use of AI-assisted methods, where the software automatically selects the most effective strategy for disabling security measures.
A Perfect Disguise
The very tools relied upon to manage devices have become ideal disguises for digital intruders, highlighting the need for continuous monitoring and improvement of security protocols.
