The cybercriminals launched the tool from a temporary directory under a dynamically generated file name to evade detection. Because TDSSKiller is a legitimate program signed with a valid code-signing certificate, many security systems failed to recognize the malicious intent behind its use.
Following the disabling of security systems, RansomHub executed the Lazagne tool to extract account data from infected systems. This program retrieves passwords from various applications like browsers, email clients, and databases, enabling attackers to escalate their privileges and navigate through the network. The objective of the cybercriminals in this instance was to gain entry to the database, granting control over critical systems.
Throughout the attack, Lazagne generated more than 60 files containing login information and passwords. In an attempt to cover their tracks, the hackers deleted certain files post-operation.
Detecting Lazagne on its own is relatively straightforward, since most antivirus software identifies it as malicious; but once TDSSKiller has been used to disable the protection systems, that malicious activity goes unnoticed by most tools.
ThreatDown is advising organizations to implement additional security measures to safeguard against such attacks. Recommendations include limiting the use of vulnerable drivers such as the one bundled with TDSSKiller, monitoring for suspicious commands within systems, and segmenting networks to isolate critical systems, thereby reducing the risk of compromised account data.
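The "monitor suspicious commands" recommendation can be made concrete with two simple behavioural rules drawn from the chain described above: a signed binary that runs from a temporary directory under a name that does not match its own embedded file name, and a process that writes a large batch of files and then starts deleting some of them. The following is an added example, not code from the article or from ThreatDown; it assumes process and file telemetry that carries a signer flag and an embedded original file name (as EDR or Sysmon-style events do), and the event records below are constructed for illustration.

```python
import re
from collections import defaultdict

# Temporary-directory detection: any path segment named Temp or tmp.
TEMP_DIR_RE = re.compile(r"[\\/](temp|tmp)[\\/]", re.IGNORECASE)


def is_temp_path(path: str) -> bool:
    """True when the executable lives under a Temp/tmp directory."""
    return bool(TEMP_DIR_RE.search(path))


def renamed_signed_binary_alerts(events):
    """Rule 1: a validly signed binary executed from a temp directory under a
    file name that differs from its embedded original name (assumed field
    'original_name'). Returns (pid, original_name) pairs."""
    alerts = []
    for e in events:
        if e["type"] != "process":
            continue
        on_disk = e["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if e["signed"] and is_temp_path(e["image"]) and on_disk != e["original_name"].lower():
            alerts.append((e["pid"], e["original_name"]))
    return alerts


def bulk_write_then_delete_alerts(events, threshold=50):
    """Rule 2: one process creates at least `threshold` files and later deletes
    some of them, the credential-harvest-then-cleanup pattern. Returns pids."""
    writes = defaultdict(int)
    deletes = defaultdict(int)
    for e in events:
        if e["type"] == "file_create":
            writes[e["pid"]] += 1
        elif e["type"] == "file_delete":
            deletes[e["pid"]] += 1
    return sorted(pid for pid in writes if writes[pid] >= threshold and deletes[pid] > 0)


# Constructed sample telemetry (not real logs): a renamed signed tool from Temp,
# a benign signed vendor tool, and an unsigned harvester that writes 60 files
# and then deletes 5 of them.
EVENTS = [
    {"type": "process", "pid": 412, "image": r"C:\Windows\Temp\a1b2c3d4e5.exe",
     "original_name": "tdsskiller.exe", "signed": True},
    {"type": "process", "pid": 500, "image": r"C:\Program Files\Vendor\tool.exe",
     "original_name": "tool.exe", "signed": True},
    {"type": "process", "pid": 777, "image": r"C:\Users\Public\lz.exe",
     "original_name": "lazagne.exe", "signed": False},
]
EVENTS += [{"type": "file_create", "pid": 777, "path": rf"C:\Users\Public\out\cred_{i:02d}.txt"}
           for i in range(60)]
EVENTS += [{"type": "file_delete", "pid": 777, "path": rf"C:\Users\Public\out\cred_{i:02d}.txt"}
           for i in range(5)]

if __name__ == "__main__":
    print("renamed signed binaries:", renamed_signed_binary_alerts(EVENTS))
    print("bulk write then delete:", bulk_write_then_delete_alerts(EVENTS))
```

Neither rule depends on recognising the tool by signature, which is the point: rule 1 fires on how a legitimate binary was staged rather than on what it is, and rule 2 fires on the file activity of the harvester even if an antivirus engine has already been disabled.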