
The Misuse of Kickidler in Ransomware Attacks: A Growing Cybersecurity Concern
The exploitation of Kickidler, a legitimate employee monitoring software, by ransomware operators has raised significant concerns in the cybersecurity community. Originally designed to enhance workplace productivity, this software is now being repurposed by cybercriminals for malicious activities such as reconnaissance and credential harvesting. Notably, ransomware groups like Qilin and Hunters International have been observed installing Kickidler on compromised networks to capture keystrokes, take screenshots, and create screen recordings. This allows them to monitor victim activity and harvest sensitive credentials without resorting to high-risk tactics that are more likely to be detected (Varonis).
Abuse of Kickidler in Ransomware Attacks
Reconnaissance and Credential Harvesting
Kickidler, a legitimate employee monitoring software, is being exploited by ransomware operators for reconnaissance and credential harvesting. Cybersecurity firms, such as Varonis and Synacktiv, have observed ransomware affiliates like Qilin and Hunters International installing Kickidler on compromised networks. This software can capture keystrokes, take screenshots, and create screen recordings, allowing attackers to monitor victim activity and harvest credentials. This capability is particularly dangerous as it enables attackers to gather sensitive information without resorting to high-risk tactics like memory dumping, which are more likely to be detected.
Targeting Backup Solutions
Ransomware affiliates have increasingly gone after backups, so defenders have started decoupling backup system authentication from the Windows domain. Kickidler undermines that control: by capturing keystrokes and the web pages an administrator visits, it lets attackers identify off-site cloud backups and obtain the separate passwords that protect them, so the backups remain reachable even though domain credentials alone would not open them. Once the backups are in hand, the operators deploy payloads against the victim’s VMware ESXi infrastructure, encrypting the VMDK virtual disk files that hold the virtual machines’ data and causing widespread disruption (BleepingComputer).
Deployment Techniques
Deploying Kickidler is one step in a broader pattern of living off legitimate tooling. In the Hunters International intrusion documented by Synacktiv, the attackers used VMware PowerCLI and WinSCP Automation to enable the SSH service on ESXi hosts, copy the ransomware payload to them, and execute it there, so the hypervisor encryption ran entirely through administrative interfaces the environment already trusted. Ransomware gangs also have a long history of abusing legitimate remote monitoring and management (RMM) software. As CISA, the NSA, and MS-ISAC noted in a January 2023 joint advisory, attackers trick victims into running portable executables of legitimate remote desktop tools; because a portable build installs nothing, it sidesteps software controls that only govern installed programs and runs without administrator privileges.
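The PowerCLI-then-SSH sequence above leaves a distinctive trace on the hypervisor: SSH is switched on, and a login from somewhere unexpected follows minutes later. The detector below, an added example that is not code from the original article, Synacktiv, or Varonis, correlates those two events per host. The log lines are constructed to approximate ESXi host audit events (esx.audit.ssh.enabled / esx.audit.ssh.disabled) and sshd entries from /var/log/auth.log; the admin jump host address and the 30-minute window are assumptions, and the regexes should be adjusted to whatever export format your SIEM produces.

```python
"""Correlate ESXi SSH enablement with the logins that follow it.

Added example; not code from the original article, Synacktiv, or Varonis.
The log lines are constructed to approximate ESXi host audit events
(esx.audit.ssh.enabled / esx.audit.ssh.disabled) and sshd lines from
/var/log/auth.log; adjust the regexes to the export format your SIEM produces.
"""
import re
from datetime import datetime, timedelta

# Constructed sample. esx01: SSH switched on, then a root login from an
# unexpected address minutes later (the PowerCLI-then-SSH pattern above).
# esx02: an admin enables SSH from the jump host during a change window and
# turns it off again. esx03: SSH was left on permanently, so no enable event.
SAMPLE_EVENTS = """\
2025-05-06T02:14:03Z esx01 hostd: Event 8812 : esx.audit.ssh.enabled : SSH access has been enabled.
2025-05-06T02:16:41Z esx01 sshd[12002]: Accepted keyboard-interactive/pam for root from 10.20.30.77 port 51822 ssh2
2025-05-06T02:17:05Z esx01 sshd[12002]: Session opened for 'root' on /dev/char/pty/t0
2025-05-06T09:00:12Z esx02 hostd: Event 8830 : esx.audit.ssh.enabled : SSH access has been enabled.
2025-05-06T09:03:50Z esx02 sshd[14411]: Accepted keyboard-interactive/pam for root from 10.0.5.10 port 40022 ssh2
2025-05-06T09:20:00Z esx02 hostd: Event 8835 : esx.audit.ssh.disabled : SSH access has been disabled.
2025-05-06T11:45:09Z esx03 sshd[3310]: Accepted publickey for root from 203.0.113.9 port 60010 ssh2
"""

ADMIN_JUMP_HOSTS = {"10.0.5.10"}       # assumption: only source allowed to SSH to ESXi
LOGIN_WINDOW = timedelta(minutes=30)   # enable-then-login inside this window is suspicious

SSH_STATE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) hostd: .*esx\.audit\.ssh\.(?P<state>enabled|disabled)")
SSH_LOGIN = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>[\d.]+)")


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_events(text):
    """Yield (time, host, kind, detail); kind is enabled, disabled or login."""
    for line in text.splitlines():
        m = SSH_STATE.match(line)
        if m:
            yield _ts(m["ts"]), m["host"], m["state"], None
            continue
        m = SSH_LOGIN.match(line)
        if m:
            yield _ts(m["ts"]), m["host"], "login", (m["user"], m["src"])


def find_enable_then_login(text, admin_hosts=ADMIN_JUMP_HOSTS, window=LOGIN_WINDOW):
    """Alert when SSH is enabled on a host and a login from outside
    admin_hosts arrives on that same host within `window`."""
    enabled_at, alerts = {}, []
    for when, host, kind, detail in parse_events(text):
        if kind == "enabled":
            enabled_at[host] = when
        elif kind == "disabled":
            enabled_at.pop(host, None)
        elif kind == "login":
            user, src = detail
            started = enabled_at.get(host)
            if started and when - started <= window and src not in admin_hosts:
                alerts.append({"host": host, "user": user, "src": src,
                               "delay_s": int((when - started).total_seconds())})
    return alerts


def logins_from_untrusted(text, admin_hosts=ADMIN_JUMP_HOSTS):
    """Plain source-address rule: catches hosts where SSH was never toggled
    (always on), which the enable/login correlation above cannot see."""
    return [(host, detail[0], detail[1])
            for _, host, kind, detail in parse_events(text)
            if kind == "login" and detail[1] not in admin_hosts]


if __name__ == "__main__":
    for a in find_enable_then_login(SAMPLE_EVENTS):
        print(f"[ALERT] {a['host']}: SSH enabled, {a['user']} login from {a['src']} {a['delay_s']}s later")
    for host, user, src in logins_from_untrusted(SAMPLE_EVENTS):
        print(f"[INFO] {host}: {user} login from non-admin source {src}")
```

The correlation rule is the high-signal one, but it only fires when it sees the enable event; on hosts where SSH is left on permanently (esx03 in the sample) only the plain source-address rule catches the login, which is why both are run.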
SEO Poisoning and Initial Access
One initial-access route is SEO poisoning. In a case described by Varonis, the threat actors used Google Ads so that a search for RVTools, a utility for inventorying and reporting on VMware vSphere deployments, returned a malicious advertisement. Clicking it led to a lookalike site, rv-tool[.]net, offering a trojanized copy of the tool. That copy worked as a loader: it downloaded and executed the SMOKEDHAM PowerShell .NET backdoor, which in turn deployed Kickidler on the device (Varonis). Because Kickidler passes as ordinary employee monitoring software, the attackers could keep this foothold for extended periods, quietly collecting the credentials needed to reach off-site cloud backups.
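The practical defence against the trojanized download above is to refuse to run an installer unless it came from the vendor's own host and matches a hash the vendor published. The block below is an added example, not code from Varonis or the original article; the vendor host www.rvtools.example and the pinned digest are assumptions, the installer bytes are constructed so it runs offline, and the lookalike check is a simple edit-distance comparison of the registrable label that flags rv-tool[.]net as a near miss of the allowlisted name.

```python
"""Vet an installer before it runs: is the download host an expected one, does
it merely resemble one (typosquat), and do the bytes match the pinned hash?

Added example, not code from Varonis or the original article. The vendor host
www.rvtools.example and the pinned digest are assumptions, and the installer
bytes are constructed so the block runs offline. Defanged URLs such as
rv-tool[.]net are accepted and refanged first.
"""
import hashlib
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.rvtools.example"}                       # assumption
GOOD_INSTALLER = b"constructed stand-in for the genuine installer"
PINNED_SHA256 = hashlib.sha256(GOOD_INSTALLER).hexdigest()    # assumption: vendor-published hash


def refang(url):
    return url.replace("[.]", ".").replace("hxxp", "http")


def core_label(host):
    """Registrable label with hyphens removed: 'rv-tool.net' -> 'rvtool'.
    Assumes a single-label TLD; extend for co.uk-style public suffixes."""
    parts = host.lower().split(".")
    if len(parts) > 1 and parts[0] == "www":
        parts = parts[1:]
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return label.replace("-", "")


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def vet_download(url, data, allowed_hosts=ALLOWED_HOSTS, pinned=PINNED_SHA256):
    """Decide whether `data`, fetched from `url`, may be executed."""
    host = urlsplit(refang(url)).hostname or ""
    verdict = {
        "host": host,
        "allowed_host": host in allowed_hosts,
        "lookalike_of": None,
        "hash_ok": hashlib.sha256(data).hexdigest() == pinned,
    }
    if not verdict["allowed_host"]:
        mine = core_label(host)
        for good in allowed_hosts:
            if edit_distance(mine, core_label(good)) <= 2:
                verdict["lookalike_of"] = good
                break
    # Both gates must pass: a lookalike host is rejected even if the hash
    # happens to match, and a tampered file is rejected even from the vendor.
    verdict["run"] = verdict["allowed_host"] and verdict["hash_ok"]
    return verdict


if __name__ == "__main__":
    for url, blob in [("https://www.rvtools.example/RVTools.msi", GOOD_INSTALLER),
                      ("hxxps://rv-tool[.]net/RVTools.msi", b"trojanized loader")]:
        v = vet_download(url, blob)
        print(f"{v['host']}: run={v['run']} allowed={v['allowed_host']} "
              f"lookalike_of={v['lookalike_of']} hash_ok={v['hash_ok']}")
```

The lookalike result is informational: it explains why a host was rejected and is worth routing to the team that handles brand-abuse takedowns, but the run decision depends only on the allowlist and the hash.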
Implications and Defensive Measures
The abuse of Kickidler shows that no single control is sufficient. Organizations should adopt a “Defense in Depth” strategy that layers protection from the human element through endpoints and identities to data and mission-critical assets (Varonis). In practice that means monitoring for unexpected installations of monitoring or RMM software and for SSH being enabled on ESXi hosts, treating any credential typed on a workstation that may host a keylogger as exposed (so backup and hypervisor consoles should require a second factor that captured keystrokes cannot replay), and automating detection and response so threat actors are found, contained, and evicted before they reach the encryption stage.
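One concrete piece of the monitoring recommended above is to treat a new service whose binary is a monitoring or remote-access product, or which lives outside the usual install directories, as an alert. The block below is an added example, not from Varonis, BleepingComputer, or the CISA advisory. It parses the message body of Windows System log Event ID 7045 (“A service was installed in the system”); the records are constructed in that message’s field layout, and the product catalogue, approved list and trusted roots are assumptions to adapt to your estate.

```python
"""Flag installs of monitoring/RMM software that is not on the approved list.

Added example (not from Varonis, BleepingComputer, or the CISA advisory). It
parses Windows System log Event ID 7045 ("A service was installed in the
system") message bodies; the records below are constructed in that message's
field layout. The catalogue, approved list and trusted roots are assumptions.
"""
import re

# Legitimate monitoring / remote-access products that ransomware affiliates
# have abused (Kickidler per the article; AnyDesk and ScreenConnect per the
# January 2023 CISA/NSA/MS-ISAC advisory). Extend as needed; matched
# case-insensitively against the service name and image path.
RMM_CATALOGUE = ("kickidler", "anydesk", "screenconnect")

APPROVED_RMM = {"screenconnect"}        # assumption: the one product licensed here

TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

RECORD = re.compile(r"Service Name: (?P<name>.+?) Service File Name: (?P<cmd>.+?) Service Type: ")

# Constructed 7045 message bodies, one per service install.
SAMPLE_7045 = [
    r'Service Name: ScreenConnect Client (a1b2c3) Service File Name: "C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe" Service Type: user mode service Service Start Type: auto start Service Account: LocalSystem',
    r'Service Name: Kickidler Agent Service File Name: C:\Users\Public\kickidler-agent.exe Service Type: user mode service Service Start Type: auto start Service Account: LocalSystem',
    r'Service Name: AnyDesk Service File Name: "C:\Users\jdoe\Downloads\AnyDesk.exe" --service Service Type: user mode service Service Start Type: auto start Service Account: LocalSystem',
    r'Service Name: ScreenConnect Client (zz9) Service File Name: "C:\ProgramData\sc\ScreenConnect.ClientService.exe" Service Type: user mode service Service Start Type: auto start Service Account: LocalSystem',
    r'Service Name: Acme Backup Agent Service File Name: "C:\Program Files\Acme Backup\agent.exe" Service Type: user mode service Service Start Type: auto start Service Account: LocalSystem',
]


def image_path(cmd):
    """Executable part of the service command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ")[0]        # assumes an unquoted path contains no spaces


def assess(record, catalogue=RMM_CATALOGUE, approved=APPROVED_RMM, roots=TRUSTED_ROOTS):
    """Return (service name, list of reasons); an empty list means no finding."""
    m = RECORD.search(record)
    if not m:
        return None, ["unparsed 7045 record"]
    name, exe = m["name"], image_path(m["cmd"])
    hay = f"{name} {exe}".lower()
    reasons = []
    product = next((p for p in catalogue if p in hay), None)
    if product and product not in approved:
        reasons.append(f"monitoring/RMM product '{product}' is not approved")
    # Approved products still get flagged when run from a user-writable path,
    # which is how a portable or renamed copy typically shows up.
    if not exe.lower().startswith(roots):
        reasons.append(f"service binary outside trusted roots: {exe}")
    return name, reasons


def scan_7045(records):
    """Map each flagged service name to the reasons it was flagged."""
    findings = {}
    for rec in records:
        name, reasons = assess(rec)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in scan_7045(SAMPLE_7045).items():
        print(f"[ALERT] {name}: " + "; ".join(reasons))
```

Two rules are layered deliberately: the product match catches a tool that is installed cleanly but simply should not be there, while the path rule catches a renamed or portable copy of an approved tool dropped into a user-writable directory, which the product match alone would wave through.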
Final Thoughts
The misuse of Kickidler in ransomware attacks underscores the evolving tactics of cybercriminals and the critical need for organizations to bolster their cybersecurity defenses. By understanding these threats and implementing robust security measures, such as a “Defense in Depth” strategy, organizations can better protect themselves against the growing threat of ransomware. This involves enhancing monitoring, automating threat detection, and ensuring comprehensive security across all layers of cybersecurity (Varonis). As cyber threats continue to evolve, staying informed and vigilant is essential for minimizing the impact of such attacks.
References
- BleepingComputer. (2023). Kickidler employee monitoring software abused in ransomware attacks. https://www.bleepingcomputer.com/news/security/kickidler-employee-monitoring-software-abused-in-ransomware-attacks/ (reports the Varonis and Synacktiv findings cited inline as Varonis and Synacktiv)
- Varonis. (2023). SEO poisoning. https://www.varonis.com/blog/seo-poisoning