129. Ransomware Operators Abuse Employee Monitoring Software
Hello everyone!
Here's another curious case of legitimate software being abused. According to a Synacktiv report, Hunters International used KickIdler, a legitimate employee monitoring product, to spy on victims, perform reconnaissance and harvest credentials.
From an attacker's perspective the tool is attractive: it offers keylogging, screen capture, audio capture and remote control, among other features.
First, we can hunt for process creation events where the executable carries the related code-signing signature:
event_type: "processcreatewin"
AND
proc_file_sig: "TELE LINK SOFT (TLS) CY LTD"
Next, we can hunt for related DNS queries:
event_type: "dnsreqwin"
AND
dns_rname: "my.kickidler.com"
You can also hunt for file creation events in the tool's own folders:
event_type: "filecreatewin"
AND
file_path: "TeleLinkSoftHelper"
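To show how the three hunts above fit together in practice, here is an added Python example (not from the original post, the Synacktiv report, or KickIdler) that runs them over a handful of constructed JSON events. The field names event_type, proc_file_sig, dns_rname and file_path are taken from the queries above; the host and proc_file_path fields, the sample values, and the choice of exact matching for the signer and DNS name versus substring matching for the folder name are assumptions for the example.

```python
import json

# Constructed sample telemetry (not real logs), one JSON event per line,
# using the field names from the hunting queries. Raw string so the JSON
# backslash escapes survive; "host" and "proc_file_path" are assumed fields.
SAMPLE_EVENTS = r"""
{"event_type": "processcreatewin", "host": "ws01", "proc_file_path": "C:\\ProgramData\\TeleLinkSoftHelper\\bin\\grabber.exe", "proc_file_sig": "TELE LINK SOFT (TLS) CY LTD"}
{"event_type": "processcreatewin", "host": "ws01", "proc_file_path": "C:\\Windows\\System32\\svchost.exe", "proc_file_sig": "Microsoft Windows"}
{"event_type": "dnsreqwin", "host": "ws01", "dns_rname": "my.kickidler.com"}
{"event_type": "dnsreqwin", "host": "ws02", "dns_rname": "update.microsoft.com"}
{"event_type": "filecreatewin", "host": "ws01", "file_path": "C:\\ProgramData\\TeleLinkSoftHelper\\log.txt"}
{"event_type": "filecreatewin", "host": "ws02", "file_path": "C:\\Users\\bob\\Documents\\notes.txt"}
""".strip()

# The three hunts from the post. Matching mode is an assumption: the signer
# and DNS name are exact values, the folder name is a substring of the path.
HUNTS = [
    {"name": "kickidler_signed_process", "event_type": "processcreatewin",
     "field": "proc_file_sig", "value": "TELE LINK SOFT (TLS) CY LTD", "mode": "equals"},
    {"name": "kickidler_dns", "event_type": "dnsreqwin",
     "field": "dns_rname", "value": "my.kickidler.com", "mode": "equals"},
    {"name": "kickidler_folder_write", "event_type": "filecreatewin",
     "field": "file_path", "value": "TeleLinkSoftHelper", "mode": "contains"},
]


def event_matches(event, hunt):
    """True if the event is of the hunt's type and its field matches (case-insensitive)."""
    if event.get("event_type") != hunt["event_type"]:
        return False
    actual = event.get(hunt["field"])
    if not isinstance(actual, str):
        return False
    a, v = actual.casefold(), hunt["value"].casefold()
    return a == v if hunt["mode"] == "equals" else v in a


def run_hunts(lines, hunts=HUNTS):
    """Apply every hunt to every event line; return (hunt_name, event) pairs.
    Malformed or empty lines are skipped rather than aborting the hunt."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        for hunt in hunts:
            if event_matches(event, hunt):
                hits.append((hunt["name"], event))
    return hits


def hosts_by_hunt(hits):
    """Group hits per host so a host tripping several hunts stands out for triage."""
    summary = {}
    for name, event in hits:
        summary.setdefault(event.get("host", "?"), set()).add(name)
    return summary


if __name__ == "__main__":
    found = run_hunts(SAMPLE_EVENTS.splitlines())
    for name, ev in found:
        print(f"{name:26s} host={ev.get('host')} {ev}")
    for host, names in hosts_by_hunt(found).items():
        print(host, sorted(names))
```

Because KickIdler is legitimate software, a single hit is not proof of compromise: check whether the product is sanctioned on that host before escalating, and treat a host that trips all three hunts (signed process, beaconing to my.kickidler.com, writes under TeleLinkSoftHelper) as the strongest lead.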
See you tomorrow!