1. Forum
  2. tqwNet
  3. TQW GENTECH

  • Popular employee monitoring software hijacked to launch ransomwar

    From TechnologyDaily@1337:1/100 to All on Friday, May 09, 2025 17:30:08
    Popular employee monitoring software hijacked to launch ransomware attacks

    Date:
    Fri, 09 May 2025 16:21:00 +0000

    Description:
    Multiple research groups finds ransomware groups are abusing Kickidler to run attacks.

    FULL STORY ======================================================================Hackers are using backdoors to drop Kickidler, a legitimate employee monitoring tool The tool is used to obtain login credentials and deploy an encryptor
    VMwaare's ESXi servers are being targeted

    Kickidler, a popular employee monitoring tool, is being abused in ransomware attacks, multiple security researchers have warned.

    The software was designed for businesses, allowing them to oversee their employees productivity, ensure compliance, and detect insider threats. Some
    of its key features are real-time screen viewing, keystroke logging, and time tracking, with the former two being particularly interesting to cybercriminals.

    Researchers from Varonis and Synacktiv, who claim to have seen the attacks in the wild, say it all starts with a poisoned ad purchased on the Google Ads network. The ad is displayed to people searching for RVTools, a free Windows-based utility that connects to VMware vCenter or ESXi hosts. The ad leads to a trojanized version of the program, which deploys a backdoor called SMOKEDHAM. Cloud backups in the crosshairs

    With the help of the backdoor, threat actors deploy Kickidler, specifically targeting enterprise administrators and many of the login credentials they
    use every day. The goal is to infiltrate into every corner of the network and ultimately deploy the encryptor.

    The two groups seen using Kickidler are Qilin and Hunters International,
    which seem focused on cloud backups, but seem to have hit a roadblock,
    Varonis said.

    "Given the increased targeting of backup solutions by attackers in recent years, defenders are decoupling backup system authentication from Windows domains. This measure prevents attackers from accessing backups even if they gain high-level Windows credentials," Varonis told BleepingComputer .

    "Kickidler addresses this issue by capturing keystrokes and web pages from an administrator's workstation. This enables attackers to identify off-site
    cloud backups and obtain the necessary passwords to access them. This is done without dumping memory or other high-risk tactics that are more likely to be detected."

    The payloads targeted VMware ESXi infrastructure, the researchers added, encrypting VMDK virtual hard drives. Hunters International used VMware PowerCLI and WinSCP Automation to enable SSH, drop the ransomware, and run it on ESXi servers. You might also like Immutable backup storage is the best protection against ransomware, but many businesses dont have it Take a look
    at our guide to the best authenticator app We've rounded up the best password managers



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/popular-employee-monitoring-software-hi jacked-to-launch-ransomware-attacks


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)