129. Ransomware Operators Abuse Employee Monitoring Software

Hello everyone!

Here's another curious case of legitimate software abuse. According to a Synacktiv report, Hunters International use KickIdler, a legitimate employee monitoring tool, to spy on the victim, perform reconnaissance and harvest credentials.

This tool, for example, allows the threat actors to perform keylogging, screen capture and audio capture, enables remote control, and provides other features that are interesting from an attacker's perspective.

First of all, we can hunt for process creation events where the executable is signed by the tool's vendor:

event_type: "processcreatewin" AND proc_file_sig: "TELE LINK SOFT (TLS) CY LTD"

Next, we can hunt for related DNS queries:

event_type: "dnsreqwin" AND dns_rname: "my.kickidler.com"

You can also hunt for file creation events in the tool-related folders:

event_type: "filecreatewin" AND file_path: "TeleLinkSoftHelper"
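As an added example (not part of the original post, and not code from Synacktiv or the KickIdler vendor), the three hunts above can be expressed as rules and run over endpoint telemetry. The field names come from the post's queries; the sample events, the host/timestamp fields, and the matching semantics (exact, case-insensitive match for the signer and the domain, substring match for the folder name in the path) are assumptions made for this example. It also goes one step beyond the post by grouping hits per host, so that a machine that trips more than one rule stands out for triage:

```python
# Added example: evaluates the post's three KickIdler hunting rules over
# constructed sample events and summarises the hits per host.
# Field names (event_type, proc_file_sig, dns_rname, file_path) are taken
# from the post; everything else here is an assumption for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    event_type: str
    field: str
    needle: str
    exact: bool  # True: whole-value match; False: substring match


# The three hunts from the post, as rules.
RULES = [
    Rule("kickidler-signed-binary", "processcreatewin", "proc_file_sig",
         "TELE LINK SOFT (TLS) CY LTD", exact=True),
    Rule("kickidler-dns", "dnsreqwin", "dns_rname",
         "my.kickidler.com", exact=True),
    Rule("kickidler-helper-folder", "filecreatewin", "file_path",
         "TeleLinkSoftHelper", exact=False),
]

# Constructed sample telemetry (hostnames, paths and timestamps are made up).
SAMPLE_EVENTS = [
    {"ts": "2025-05-07T09:01:00Z", "host": "WS01", "event_type": "processcreatewin",
     "proc_file_sig": "TELE LINK SOFT (TLS) CY LTD"},
    {"ts": "2025-05-07T09:01:05Z", "host": "WS01", "event_type": "dnsreqwin",
     "dns_rname": "my.kickidler.com"},
    {"ts": "2025-05-07T09:01:09Z", "host": "WS01", "event_type": "filecreatewin",
     "file_path": "C:\\Users\\alice\\AppData\\Local\\TeleLinkSoftHelper\\helper.exe"},
    {"ts": "2025-05-07T09:02:00Z", "host": "WS02", "event_type": "processcreatewin",
     "proc_file_sig": "Microsoft Windows"},
    {"ts": "2025-05-07T09:02:30Z", "host": "WS02", "event_type": "dnsreqwin",
     "dns_rname": "www.example.com"},
    # Upper-case domain: the rule should still match, case-insensitively.
    {"ts": "2025-05-07T09:03:00Z", "host": "WS03", "event_type": "dnsreqwin",
     "dns_rname": "MY.KICKIDLER.COM"},
]


def matches(rule, event):
    """Return True when the event satisfies the rule."""
    if event.get("event_type") != rule.event_type:
        return False
    value = event.get(rule.field)
    if not isinstance(value, str):
        return False  # field missing or not a string: no match
    if rule.exact:
        return value.casefold() == rule.needle.casefold()
    return rule.needle.casefold() in value.casefold()


def hunt(events, rules=RULES):
    """Return a list of (rule_name, host, ts) for every matching event."""
    hits = []
    for event in events:
        for rule in rules:
            if matches(rule, event):
                hits.append((rule.name, event["host"], event["ts"]))
    return hits


def summarize(hits):
    """Map each host to the sorted list of distinct rules it triggered."""
    per_host = {}
    for rule_name, host, _ts in hits:
        per_host.setdefault(host, set()).add(rule_name)
    return {host: sorted(names) for host, names in per_host.items()}


def high_confidence(summary, min_rules=2):
    """Hosts that triggered at least min_rules distinct rules."""
    return sorted(h for h, names in summary.items() if len(names) >= min_rules)


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for hit in found:
        print("HIT", *hit)
    per_host = summarize(found)
    print("Per host:", per_host)
    print("Hosts with corroborating hits:", high_confidence(per_host))
```

A single hit (for example, one DNS query to the vendor's portal) can be a legitimate deployment of the monitoring product, so the per-host summary is what an analyst would pivot on: a host showing the signed binary, the DNS query and the helper folder together is worth a closer look, and the next step is to confirm with the asset owner whether KickIdler is sanctioned there.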

See you tomorrow!
