- The Crypto24 ransomware group was seen disabling AV protection before deploying its encryptor
- In some cases, the tool can even uninstall AV programs outright
- Defense in depth is the best approach to mitigating the threat
Security researchers have found yet another antivirus kill tool that attackers are using before dropping additional payloads.
Trend Micro experts have discovered a customized variant of the open-source tool called RealBlindingEDR.
The tool ships with a hard-coded list of antivirus vendor names:
- Trend Micro
- Kaspersky
- Sophos
- SentinelOne
- Malwarebytes
- Cynet
- McAfee
- Bitdefender
- Broadcom (Symantec)
- Cisco
- Fortinet
- Acronis
Once deployed on a device, it looks for these names in driver metadata and, if it finds a match, removes the corresponding kernel-level callbacks, essentially blinding the detection engines. Trend Micro researchers also found that the attackers can silently uninstall the antivirus programs entirely, opening the door to easy deployment of second-stage malware.
Crypto24
The tool was seen in the wild, used by a hacking collective called Crypto24, a nascent ransomware group first observed in September 2024.
However, researchers believe the group consists of former members of other now-defunct hacking groups, since its members are highly skilled and experienced.
After gaining initial access, establishing persistence and removing the antivirus obstacles, the group typically deploys two pieces of malware: a keylogger and an encryptor. All stolen secrets are exfiltrated to Google Drive using a custom tool.
The identity and location of Crypto24 are currently unknown. However, researchers say that in its short lifespan the group has successfully hit several large organizations in the United States, Europe and Asia. Most of its targets are in finance, manufacturing, technology and entertainment.
There are many ways to protect against attacks that seek to disable antivirus protection, chief among them a layered defense strategy.
Companies can use a reputable antivirus with tamper protection, enable real-time protection and firewalls, and run a separate anti-malware tool alongside the AV.
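The behaviour described above (an unexpected kernel driver loading, then AV services stopping or the AV product being uninstalled on the same host) is exactly the sequence a layered defense should alert on even when the AV itself has gone quiet. The following Python script is an added example, not code from the article or from Trend Micro; it runs simple correlation rules over a constructed endpoint telemetry feed (the JSON event lines, service names, signer strings and the `TRUSTED_SIGNERS` allowlist are all invented for illustration and do not come from any real product). It uses the vendor list from the article to decide which services and products count as security software.

```python
"""Detection logic for AV/EDR tampering, run over constructed telemetry.

Constructed example: the JSON event lines below imitate a generic endpoint
telemetry feed (one event per line). They are invented for illustration.
"""
import json
from datetime import datetime, timedelta

# Vendor names from the article's hard-coded target list.
AV_VENDORS = (
    "trend micro", "kaspersky", "sophos", "sentinelone", "malwarebytes",
    "cynet", "mcafee", "bitdefender", "symantec", "cisco", "fortinet", "acronis",
)

# Hypothetical allowlist of driver signers we do not alert on; a real
# deployment would build this from its own driver inventory.
TRUSTED_SIGNERS = ("Microsoft Windows",)
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed telemetry: on ws01 a driver from a temp directory loads, then
# AV-named services stop and the AV product is uninstalled within minutes.
# ws02 shows benign activity that must not alert.
SAMPLE_EVENTS = [
    '{"ts": "2024-09-12T10:00:01", "host": "ws01", "type": "driver_load", '
    '"image": "C:\\\\Windows\\\\Temp\\\\drv.sys", "signer": "Unknown Publisher"}',
    '{"ts": "2024-09-12T10:00:09", "host": "ws01", "type": "service_state", '
    '"service": "SophosAVService", "state": "stopped"}',
    '{"ts": "2024-09-12T10:00:10", "host": "ws01", "type": "service_state", '
    '"service": "SophosUpdateService", "state": "stopped"}',
    '{"ts": "2024-09-12T10:03:44", "host": "ws01", "type": "uninstall", '
    '"product": "Sophos Endpoint Agent"}',
    '{"ts": "2024-09-12T10:05:00", "host": "ws02", "type": "driver_load", '
    '"image": "C:\\\\Windows\\\\System32\\\\drivers\\\\tcpip.sys", "signer": "Microsoft Windows"}',
    '{"ts": "2024-09-12T11:30:00", "host": "ws02", "type": "service_state", '
    '"service": "Print Spooler", "state": "stopped"}',
]


def parse_events(lines):
    """Decode one JSON event per line and return them sorted by timestamp."""
    events = []
    for line in lines:
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def names_av_vendor(text):
    """True if a service or product name contains a known AV vendor name."""
    low = text.lower()
    return any(vendor in low for vendor in AV_VENDORS)


def suspicious_driver(ev):
    """A driver outside the drivers directory or from an untrusted signer is
    the usual vehicle for tools that strip kernel callbacks."""
    path = ev["image"].lower()
    return ev["signer"] not in TRUSTED_SIGNERS or not path.startswith(DRIVER_DIR)


def detect(lines, window=timedelta(minutes=10)):
    """Return alerts; AV service stops shortly after a suspicious driver load
    on the same host are escalated to high severity."""
    alerts = []
    recent_drivers = {}  # host -> suspicious driver_load events
    for ev in parse_events(lines):
        host = ev["host"]
        if ev["type"] == "driver_load" and suspicious_driver(ev):
            recent_drivers.setdefault(host, []).append(ev)
            alerts.append({"host": host, "ts": ev["ts"], "severity": "medium",
                           "reason": f"unexpected driver load: {ev['image']} ({ev['signer']})"})
        elif (ev["type"] == "service_state" and ev["state"] == "stopped"
              and names_av_vendor(ev["service"])):
            prior = [d for d in recent_drivers.get(host, []) if ev["ts"] - d["ts"] <= window]
            alerts.append({"host": host, "ts": ev["ts"],
                           "severity": "high" if prior else "medium",
                           "reason": f"AV service stopped: {ev['service']}"
                                     + (" shortly after unexpected driver load" if prior else "")})
        elif ev["type"] == "uninstall" and names_av_vendor(ev["product"]):
            alerts.append({"host": host, "ts": ev["ts"], "severity": "high",
                           "reason": f"AV product uninstalled: {ev['product']}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["ts"].isoformat(), alert["host"], alert["severity"], alert["reason"])
```

On the sample feed this yields four alerts, all for ws01: one medium alert for the driver load and three high alerts for the two service stops and the uninstall, while the trusted driver and the unrelated Print Spooler stop on ws02 produce nothing. The point of keeping this logic on a separate log pipeline or SIEM, rather than inside the AV, is that it keeps working after the AV's own callbacks have been removed.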
Via BleepingComputer