- Hackers are using backdoors to deploy Kickidler, a legitimate employee monitoring tool
- The tool is used to harvest login credentials and deploy an encryptor
- VMware ESXi servers are being attacked
Kickidler, a popular employee monitoring tool, is being abused in ransomware attacks, multiple security researchers have warned.
The software was designed for companies to supervise employee productivity, ensure compliance and detect insider threats. Its key features include real-time screen viewing, keystroke logging and time tracking; the first two are particularly interesting to cybercriminals.
Researchers from Varonis and Synacktiv, who say they observed the attacks in the wild, report that everything begins with a poisoned advertisement bought on the Google Ads network. The ad is shown to people searching for RVTools, a free Windows-based utility that connects to VMware vCenter or ESXi hosts. It leads to a trojanized version of the program, which drops a backdoor called SMOKEDHAM.
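Because the infection chain starts with a trojanized copy of a legitimate installer, the practical defence is to vet what was downloaded before it runs. The PowerShell below is an added example written for this article, not code from the researchers or from RVTools' vendor; the file path, expected SHA-256 and publisher string are placeholders that should be taken from the vendor's official download page, never from the ad or the page it landed on.

```powershell
# Added example (not from the article or the researchers): vet a downloaded
# installer before running it. $Path, $ExpectedSha256 and $ExpectedPublisher are
# placeholders; take the real values from the vendor's official site, never from
# the ad or the landing page it led to.
function Test-DownloadedInstaller {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [string]$ExpectedSha256,      # optional: vendor-published SHA-256
        [string]$ExpectedPublisher    # optional: text that must appear in the signer's subject
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # 1. Authenticode: an unsigned file, a broken signature or an untrusted chain
    #    all fail here. A trojanized build that the attacker re-signed with a
    #    different certificate passes this step but fails the publisher check.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $problems.Add("Authenticode status is '$($sig.Status)'")
    } elseif ($ExpectedPublisher -and
              $sig.SignerCertificate.Subject -notlike "*$ExpectedPublisher*") {
        $problems.Add("signed, but by '$($sig.SignerCertificate.Subject)'")
    }

    # 2. Hash: catches a swapped binary even when the signature check is skipped.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($ExpectedSha256 -and $hash -ne $ExpectedSha256.ToUpperInvariant()) {
        $problems.Add("SHA-256 is $hash, expected $($ExpectedSha256.ToUpperInvariant())")
    }

    # 3. Mark-of-the-Web: browsers record the download URL in the Zone.Identifier
    #    stream on NTFS. Surface it so the host can be compared with the vendor's
    #    real domain; a malvertising landing page normally is not that domain.
    $mark = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $hostUrl = ($mark | Where-Object { $_ -like 'HostUrl=*' }) -replace '^HostUrl=', ''

    [pscustomobject]@{
        Path     = $Path
        Signer   = $sig.SignerCertificate.Subject
        Sha256   = $hash
        HostUrl  = $hostUrl
        Safe     = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage (placeholders):
# Test-DownloadedInstaller -Path "$env:USERPROFILE\Downloads\RVTools.msi" `
#     -ExpectedSha256 '<hash from vendor page>' -ExpectedPublisher '<vendor name>'
```

The publisher check matters more than it looks: a trojanized installer is often signed, just not by the vendor, so `Status -eq 'Valid'` on its own proves only that some certificate chained to a trusted root.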
Cloud backups
With the help of the backdoor, the threat actors deploy Kickidler, specifically targeting enterprise administrators and the many login credentials they use every day. The objective is to infiltrate every corner of the network and finally deploy the encryptor.
The two groups seen using Kickidler are Qilin and Hunters International, which appear focused on cloud backups but seem to have hit an obstacle, Varonis said.
“Given the increased targeting of backup solutions by attackers in recent years, defenders are decoupling backup system authentication from the Windows domain. This measure prevents attackers from accessing backups even if they obtain high-level Windows credentials,” Varonis told BleepingComputer.
“Kickidler addresses this problem by capturing keystrokes and web pages from an administrator's workstation. This allows attackers to identify off-site cloud backups and obtain the passwords needed to access them. This is done without dumping memory or other high-risk tactics that are more likely to be detected.”
The payloads target VMware ESXi infrastructure, the researchers added, encrypting VMDK virtual hard disks. Hunters International used VMware PowerCLI and WinSCP automation to enable SSH, deploy the ransomware and execute it on the ESXi servers.
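That last step depends on SSH being reachable on the hypervisors, a service that is off by default on ESXi. The PowerCLI script below is an added example written for this article, not the researchers' code or any tooling they describe; it lists every host whose SSH daemon (service key `TSM-SSH`) or ESXi Shell (`TSM`) is running or set to start automatically, and with `-Remediate` switches them back off. The vCenter name is a placeholder.

```powershell
# Added example (not from the article or the researchers): audit ESXi hosts for
# the SSH and ESXi Shell services that an intruder with PowerCLI access can turn
# on, and optionally turn them back off. Assumes VMware PowerCLI is installed and
# that vCenter is reachable; the server name is a placeholder.
param(
    [string]$VCenter = 'vcenter.example.internal',   # placeholder
    [switch]$Remediate
)
Import-Module VMware.PowerCLI -ErrorAction Stop
$null = Connect-VIServer -Server $VCenter -Credential (Get-Credential)

# TSM-SSH is the SSH daemon, TSM is the ESXi Shell. Outside a documented change
# window both should be stopped and have a start policy of 'off'.
$watched = 'TSM-SSH', 'TSM'
$findings = foreach ($h in Get-VMHost) {
    foreach ($svc in Get-VMHostService -VMHost $h | Where-Object { $_.Key -in $watched }) {
        if ($svc.Running -or $svc.Policy -ne 'off') {
            [pscustomobject]@{
                Host    = $h.Name
                Service = $svc.Label
                Running = $svc.Running
                Policy  = $svc.Policy
            }
            if ($Remediate) {
                # Stop first: setting the policy alone leaves a running daemon
                # running until the host reboots.
                if ($svc.Running) { $svc | Stop-VMHostService -Confirm:$false | Out-Null }
                $svc | Set-VMHostService -Policy Off | Out-Null
            }
        }
    }
}
$findings | Format-Table -AutoSize
Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it read-only first; a host that shows up with `Running = True` and no change ticket behind it is the point at which the deployment described above becomes visible, before any VMDK has been touched.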