By Guru Baran –
September 23, 2024
The Infection Chain Of The RansomHub Utilizing EDRKillShifte (This makes me nervous for for weak Networks and great Security Products in place)
“The EDRKillShifter tool functions as a “loader” executable, serving as a delivery mechanism for a legitimate driver that is susceptible to abuse to terminate applications related to antivirus solutions”, researchers said.
The RansomHub ransomware exploits the Zerologon vulnerability (CVE-2020-1472). Researchers said that if left unpatched, it might allow attackers to take over a whole network without requiring authentication.
In a particular instance, RansomHub used for batch script files—named “232.bat,” “tdsskiller.bat,” “killdeff.bat,” and “LogDel.bat”—as a form of evasion.
232.bat turns off Windows Defender’s real-time monitoring capability and uses a brute-force attack method called password spraying.
A batch script called tdsskiller.bat is used to disable antivirus software. Killdeff.bat uses advanced methods to hide notifications and enable or disable Windows Defender’s functionality, including obfuscated inline expressions, environment-variable readings, and conditional logic.
Article (https://cybersecuritynews.com/ransomhub-edr-antivirus-bypass/)
Must Read Article
Kaspersky deletes itself, installs UltraAV antivirus without warning: UltraAV force-installed on Kaspersky users’ PCs
By Sergiu Gatlan
September 23, 2024 01:16 PM
Article (https://www.bleepingcomputer.com/news/security/kaspersky-deletes-itself-installs-ultraav-antivirus-without-warning/)
Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Phishing Simulation & Cyber Security Training
“Where Service and Technical Skills Count”