- The attackers use Kickidler, a legitimate employee monitoring tool
- The tool is used to harvest credentials and then deploy an encryptor
- VMware ESXi servers are targeted
Kickidler, a popular employee monitoring tool, is being abused in ransomware attacks, several security researchers have warned.
The software is designed for companies, letting them supervise employee productivity, ensure compliance and detect insider threats. Its main features include real-time screen viewing, keystroke logging and time tracking; the first two are particularly attractive to cybercriminals, because they expose passwords as they are typed and the admin consoles they are typed into.
Researchers from Varonis and Synacktiv, who say they have observed the attacks in the wild, report that it all starts with a malicious advertisement bought on the Google Ads network. The ad is shown to people searching for RVTools, a free Windows utility that connects to VMware vCenter or ESXi hosts. It leads to a trojanized version of the program, which deploys a backdoor called SMOKEDHAM.
Cloud backups in the crosshairs
Using the backdoor, the threat actors deploy Kickidler, specifically targeting enterprise administrators and the many credentials they use every day. The goal is to reach every corner of the network and finally deploy the encryptor.
The two groups observed using Kickidler are Qilin and Hunters International, which appear to focus on cloud backups but had been hitting a roadblock, Varonis said.
“Given the increased targeting of backup solutions by attackers in recent years, defenders have decoupled backup system authentication from Windows domains. This measure prevents attackers from accessing backups even if they obtain high-level Windows credentials,” Varonis told BleepingComputer.
“Kickidler addresses this problem by capturing keystrokes and web pages from an administrator’s workstation. This enables attackers to identify off-site cloud backups and obtain the necessary passwords to access them.”
The payloads targeted VMware ESXi infrastructure, the researchers added, encrypting VMDK virtual disks. Hunters International used VMware PowerCLI and WinSCP automation to enable SSH on the hosts, drop the ransomware and execute it on the ESXi servers. Each of those steps leaves a trace: enabling SSH raises a host event, the SSH login is recorded by the host, and the dropped binary is executed from the ESXi shell.
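The chain described above (SSH enabled on an ESXi host, followed by an interactive SSH login and execution of a freshly dropped binary) is unusual enough on a production hypervisor that it can be correlated from host logs. The following is an added example written for this page, not code from Varonis, Synacktiv or VMware. The log lines are constructed, and their field layouts are only approximations of ESXi's hostd, sshd and shell logs, so the regexes are assumptions to be adjusted against real samples; the correlation window and the `/tmp` and `/vmfs/volumes` execution heuristics are likewise assumptions.

```python
"""Toy correlation rule for the ESXi ransomware chain: SSH enabled -> SSH login
-> execution of a dropped binary. Added example; log formats are approximations."""
import re
from datetime import datetime, timedelta

# Constructed sample resembling the Hunters International sequence: SSH enabled
# through the host API (what PowerCLI drives), a login from an unexpected source,
# an SFTP upload (what WinSCP does), then the payload is made executable and run.
SAMPLE_ATTACK = """\
2025-05-07T10:01:12Z hostd[2098] info: Event 4211 : SSH for the host esx01 has been enabled
2025-05-07T10:02:45Z sshd[2150]: Accepted keyboard-interactive/pam for root from 10.0.5.23 port 51234 ssh2
2025-05-07T10:03:10Z sshd[2150]: subsystem request for sftp
2025-05-07T10:03:40Z shell[2177]: [root]: chmod +x /tmp/encryptor
2025-05-07T10:03:41Z shell[2177]: [root]: /tmp/encryptor /vmfs/volumes
"""

# Constructed benign sample: an admin enables SSH from a known jump host and
# runs an esxcli query. Nothing is dropped or executed from a scratch path.
SAMPLE_BENIGN = """\
2025-05-07T08:00:00Z hostd[2098] info: Event 4100 : SSH for the host esx01 has been enabled
2025-05-07T08:01:00Z sshd[2100]: Accepted publickey for root from 10.0.1.10 port 40000 ssh2
2025-05-07T08:02:00Z shell[2120]: [root]: esxcli system version get
"""

# Assumed line shapes; tune these against real hostd.log / auth.log / shell.log.
PATTERNS = {
    "ssh_enabled": re.compile(r"SSH for the host (?P<host>\S+) has been enabled"),
    "ssh_login": re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>[\d.]+)"),
    "shell_cmd": re.compile(r"shell\[\d+\]: \[(?P<user>\w+)\]: (?P<cmd>.+)"),
}

SCRATCH_PATHS = ("/tmp/", "/vmfs/volumes/")


def parse(line):
    """Turn one log line into an event dict, or None if it matches no pattern."""
    ts_str, rest = line.split(" ", 1)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    for kind, rx in PATTERNS.items():
        m = rx.search(rest)
        if m:
            return {"ts": ts, "kind": kind, **m.groupdict(), "raw": rest}
    return None


def looks_like_payload_exec(cmd):
    """Heuristic: a binary under a scratch/datastore path is run or made executable."""
    tokens = cmd.split()
    if not tokens:
        return False
    if tokens[0].startswith(SCRATCH_PATHS):
        return True
    return tokens[0] == "chmod" and "+x" in tokens and any(
        t.startswith(SCRATCH_PATHS) for t in tokens)


def correlate(log_text, window=timedelta(minutes=30), trusted_sources=frozenset()):
    """Emit one alert per 'SSH enabled' event that is followed, within the window,
    by an SSH login from an untrusted source and then a payload-style execution."""
    events = [e for e in (parse(l) for l in log_text.splitlines() if l.strip()) if e]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    for i, enabled in enumerate(events):
        if enabled["kind"] != "ssh_enabled":
            continue
        deadline = enabled["ts"] + window
        login = None
        for e in events[i + 1:]:
            if e["ts"] > deadline:
                break
            if e["kind"] == "ssh_login" and login is None and e["src"] not in trusted_sources:
                login = e
            elif e["kind"] == "shell_cmd" and login is not None and looks_like_payload_exec(e["cmd"]):
                alerts.append({
                    "host": enabled["host"], "src": login["src"], "user": login["user"],
                    "cmd": e["cmd"], "ts": e["ts"].isoformat(),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_ATTACK):
        print("ALERT:", alert)
    print("benign alerts:", correlate(SAMPLE_BENIGN, trusted_sources={"10.0.1.10"}))
```

The rule keys on the sequence rather than on any single event, because each step alone is routine administration; the useful tuning knobs are the trusted-source allowlist (jump hosts that legitimately reach ESXi over SSH) and the window, which should be short enough that a weeks-old "SSH enabled" event does not pair with unrelated activity.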