Widely used employee monitoring software Kickidler has been exploited by Qilin and Hunters International ransomware affiliates to facilitate reconnaissance, activity tracking, and credential compromise, reports BleepingComputer.
Attackers used malicious Google Ads displayed in search results for the RVTools utility, which redirected to a bogus website hosting a trojanized version of the Windows utility for VMware vSphere; running it executes the SMOKEDHAM PowerShell backdoor and eventually downloads Kickidler, according to separate reports from Varonis and Synacktiv. Hunters International was noted by Synacktiv to have used a script that enabled SSH via VMware PowerCLI and WinSCP Automation before launching the ransomware on ESXi servers. While more network defenders have disconnected backup system authentication from Windows domains amid escalating threats, Kickidler's keystroke logging features have allowed access to high-level Windows credentials, said Varonis. "This enables attackers to identify off-site cloud backups and obtain the necessary passwords to access them. This is done without dumping memory or other high-risk tactics that are more likely to be detected," Varonis added.
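Two behaviours in the chain described above are observable in ordinary telemetry: a freshly downloaded "utility" installer spawning PowerShell (the trojanized RVTools handing off to a PowerShell backdoor), and an automation session switching on the SSH service across several ESXi hosts shortly before encryption. The script below is an added illustration written for this page, not code from BleepingComputer, Varonis or Synacktiv, and it runs over constructed sample log lines in a simplified `source|timestamp|key=value` form that is assumed for the example; the ESXi service key `TSM-SSH` is the real name of the SSH service on ESXi, while the field names, the `initiator` values and the hostnames are invented.

```python
import re
from datetime import datetime

# Constructed sample telemetry (not from any real incident). Line format assumed
# for this example: "<source>|<ISO timestamp>|key=value key=value ...".
SAMPLE_LOGS = [
    "win|2025-05-10T09:01:02Z|host=WS01 user=jdoe parent=chrome.exe image=C:\\Users\\jdoe\\Downloads\\RVTools.exe",
    "win|2025-05-10T09:01:05Z|host=WS01 user=jdoe parent=RVTools.exe image=powershell.exe cmdline=-enc AAAA",
    "win|2025-05-10T09:30:00Z|host=WS01 user=jdoe parent=explorer.exe image=notepad.exe",
    "esxi|2025-05-11T02:14:00Z|host=esx01 service=TSM-SSH action=start initiator=pwsh-automation",
    "esxi|2025-05-11T02:15:00Z|host=esx02 service=TSM-SSH action=start initiator=pwsh-automation",
    "esxi|2025-05-12T10:00:00Z|host=esx03 service=TSM-SSH action=start initiator=admin-ui",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
# Parent process names that look like a downloaded installer or admin utility;
# "rvtools" is included because the page names that utility as the lure.
INSTALLER_RE = re.compile(r"(setup|install|rvtools)", re.IGNORECASE)


def parse(line):
    """Split one constructed log line into a dict of fields plus source and ts."""
    source, ts, rest = line.split("|", 2)
    fields = dict(KV_RE.findall(rest))
    fields["source"] = source
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields


def detect(lines, interactive_initiators=("admin-ui",), window_seconds=3600):
    """Return a list of findings for the two behaviours described in the text."""
    events = [parse(line) for line in lines]
    findings = []

    # Rule 1: an installer-like parent spawning PowerShell on a Windows host.
    for e in events:
        if (e["source"] == "win"
                and e.get("image", "").lower() == "powershell.exe"
                and INSTALLER_RE.search(e.get("parent", ""))):
            findings.append({"rule": "installer_spawned_powershell",
                             "host": e["host"], "parent": e["parent"]})

    # Rule 2: SSH (TSM-SSH) started on ESXi by something other than an
    # interactive admin session, e.g. a PowerCLI/automation identity.
    ssh_starts = [e for e in events
                  if e["source"] == "esxi" and e.get("service") == "TSM-SSH"
                  and e.get("action") == "start"
                  and e.get("initiator") not in interactive_initiators]
    for e in ssh_starts:
        findings.append({"rule": "ssh_enabled_by_automation",
                         "host": e["host"], "initiator": e["initiator"]})

    # Rule 3: the same non-interactive initiator enabling SSH on two or more
    # hosts inside one time window, the fan-out pattern before mass encryption.
    by_initiator = {}
    for e in ssh_starts:
        by_initiator.setdefault(e["initiator"], []).append(e)
    for initiator, evs in by_initiator.items():
        evs.sort(key=lambda x: x["ts"])
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        hosts = sorted({x["host"] for x in evs})
        if len(hosts) >= 2 and span <= window_seconds:
            findings.append({"rule": "ssh_enabled_on_multiple_hosts",
                             "initiator": initiator, "hosts": hosts})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f)
```

The interactive-initiator allow-list and the one-hour window are tunable assumptions; in a real environment the ESXi side would be fed from hostd or vCenter task events and the Windows side from process-creation telemetry, but the logic (parent/child relationship for the lure, non-interactive SSH enablement fanning out across hosts) is what the narrative above gives a defender to look for.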