Saturday , June 21 2025
Coding

New RansomHub Attack Kill Kaspersky’s TDSSKiller To Disable EDR

Threatdown Managed Detection and Response (MDR) team has discovered the RansomHub ransomware gang using a new attack method wityh two tools: TDSKiller, to disable EDR system, and LaZagne, for stealing credentials.

Although both TDSSKiller and LaZagne have been used by attackers for years, this is the first record of RansomHub using them in its operations, with the TTPs not listed in CISA’s recently published advisory on RansomHub. The tools were deployed following initial reconnaissance and network probing through admin group enumeration, such as net1 group “Enterprise Admins” /do.

Russia detects first SuperCard malware attacks via NFC

Russian cybersecurity experts discovered the first local data theft attacks using a modified version of legitimate near field communication (NFC)...
Read More
Russia detects first SuperCard malware attacks via NFC

Income Property Investments exposes 170,000+ Individuals record

Cybersecurity researcher Jeremiah Fowler discovered an unsecured database with 170,360 records belonging to a real estate company. It contained personal...
Read More
Income Property Investments exposes 170,000+ Individuals record

ALERT (CVE: 2023-28771)
Zyxel Firewalls Under Attack via CVE-2023-28771 by 244 IPs

GreyNoise found attempts to exploit CVE-2023-28771, a vulnerability in Zyxel's IKE affecting UDP port 500. The attack centers around CVE-2023-28771,...
Read More
ALERT (CVE: 2023-28771)  Zyxel Firewalls Under Attack via CVE-2023-28771 by 244 IPs

CISA Flags Active Exploits in Apple iOS and TP-Link Routers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently included two high-risk vulnerabilities in its Known Exploited Vulnerabilities (KEV)...
Read More
CISA Flags Active Exploits in Apple iOS and TP-Link Routers

10K Records Allegedly from Mac Cloud Provider’s Customers Leaked Online

SafetyDetectives’ Cybersecurity Team discovered a public post on a clear web forum in which a threat actor claimed to have...
Read More
10K Records Allegedly from Mac Cloud Provider’s Customers Leaked Online

Canada 2nd largest airlines “WestJet” investigates cyberattack disrupting internal systems

WestJet, Canada's second-largest airline, is looking into a cyberattack that has affected some internal systems during its response to the...
Read More
Canada 2nd largest airlines “WestJet” investigates cyberattack disrupting internal systems

Paraguay 7.4 Million Citizen Records Leaked on Dark Web

Resecurity found 7.4 million records of Paraguayan citizens' personal information leaked on the dark web today. Last week, cybercriminals attempted...
Read More
Paraguay 7.4 Million Citizen Records Leaked on Dark Web

High-Severity Flaw in HashiCorp Nomad Allows Privilege Escalation

HashiCorp has revealed a critical vulnerability in its Nomad tool that may let attackers gain higher privileges by misusing the...
Read More
High-Severity Flaw in HashiCorp Nomad Allows Privilege Escalation

SoftBank: Over 137,000 personal info leaked

SoftBank has disclosed that personal information of more than 137,000 mobile subscribers—covering names, addresses, and phone numbers—might have been leaked...
Read More
SoftBank: Over 137,000 personal info leaked

Alert
Trend Micro Apex One Flaw Allow Attackers to Inject Malicious Code

Serious security vulnerabilities in Trend Micro Apex One could allow attackers to inject malicious code and elevate their privileges within...
Read More
Alert  Trend Micro Apex One Flaw Allow Attackers to Inject Malicious Code

TDSSKiller: 

RansomHub conducted reconnaissance and privilege enumeration, then tried to disable security services using
TDSKiller, a legitimate kaspersky tool for removing rootkits. It can also disable EDR software via a command line script or batch file.

Source: Threatdown by Malwarebites

RansomHub used TDAKiller to disable crucial security services like Malwarebytes. The attacker succedd because
they had admin priviliges, despite anti-tampering protections.

Command line details:
* Command line: tdsskiller.exe -dcsvc MBAMService
* The -dcsvc flag was used to target specific services. In this instance, attackers attempted to disable MBAMService.
*File path: The attackers attempted to run TDSSKiller from a temporary directory (C:\Users\<User>\AppData\Local\Temp\), with a dynamically generated filename like {89BCFDFB-BBAF-4631-9E8C-P98AB539AC}.exe.

Source: Threatdown by Malwarebites

IOCs
File Name: TDSSKiller.exe

SHA-256: 2d823c8b6076e932d696e8cb8a2c5c5df6d392526cba8e39b64c43635f683009

File Size: 4.82 MB

MD5: ff1eff0e0f1f2eabe1199ae71194e560

LaZagne:

RansomHub tried to use LaZagne, a tool for stealing credentials, to access stored login info from the compared
system. LaZagne helps attackers retrive credentials from various applications like browsers, email, and database
, enabling them to naviagate through the network more easily.

Command line details:

    • Command line: LaZagne.exe database
      * The attackers specifically targeted database credentials, a key asset in their broader plan to access critical infrastructure and escalate privileges. Database credentials can grant attackers control over sensitive data or administrative access to critical systems.
      * File write and delete activity: LaZagne generated 60 file writes and 1 file deletion during its execution. These writes were likely logs of extracted credentials, while the deletion likely served to cover up traces of the credential-harvesting operation.IOCs
      File Name: LaZagne.exe

      SHA-256: 467e49f1f795c1b08245ae621c59cdf06df630fc1631dc0059da9a032858a486

      File Size: 9.66 MB

      MD5: 5075f994390f9738e8e69f4de09debe6

      (Source: Threatdown by Malwarebytes)

Check Also

internal systems

Canada 2nd largest airlines “WestJet” investigates cyberattack disrupting internal systems

WestJet, Canada’s second-largest airline, is looking into a cyberattack that has affected some internal systems …

Leave a Reply

Your email address will not be published. Required fields are marked *