- The Crypto24 ransomware group was seen disabling AV protection before deploying its encryptor
- In some cases, it can even uninstall the AV programs
- A layered defense is the best approach to mitigating the threat
Security researchers have found another antivirus-killer tool that attackers run before dropping additional payloads.
Trend Micro experts have discovered a customized variant of the open-source tool called RealBlindingEDR.
The tool ships with a hard-coded list of antivirus vendor names:
Trend Micro
Kaspersky
Sophos
Sentinel
Malwarebytes
Cynet
McAfee
Bitdefender
Broadcom (Symantec)
Cisco
Ripe
Acronis
When deployed on a device, it searches for these names in driver metadata and, if it finds a match, disables the corresponding kernel-level hooks and callbacks, essentially blinding the detection engines. Trend Micro researchers also found that the attackers are able to silently uninstall antivirus programs, opening the door to easy deployment of the follow-on malware.
Crypto24
The tool was seen in the wild, used by a hacking collective called Crypto24, an emerging ransomware group first spotted in September 2024.
However, researchers believe the group consists of former members of other, now defunct, hacking collectives, because its members are highly skilled and experienced.
Once it has gained initial access, established persistence and removed the antivirus roadblocks, the group typically deploys two malicious components: a keylogger and an encryptor. All stolen secrets are exfiltrated to Google Drive using a custom tool.
The identity and location of Crypto24 are currently unknown. However, researchers say that during its short lifespan the group has managed to hit a number of major organizations in the United States, Europe and Asia. Most of its targets are in finance, manufacturing, technology and entertainment.
There are many ways to protect against attacks that seek to disable antivirus protection, chiefly by opting for a layered defense strategy.
Companies can use a reputable antivirus with tamper protection, enable real-time protection and firewalls, and run a separate anti-malware tool that can operate alongside the AV.
Via BleepingComputer