
Ransomware Attackers Use Legitimate Software to Monitor Employees

By Netvora Tech News


Criminals are using legitimate software designed to monitor employees to launch ransomware attacks, according to cybersecurity firms Synacktiv and Varonis. The software, known as Kickidler, can record keystrokes, take screenshots, record audio, read the contents of the clipboard, and remotely control the mouse and keyboard.

The attacks began when network and system administrators, misled by SEO poisoning, downloaded a compromised version of RVTools, a VMware management tool, onto their systems. The trojanized version of RVTools installed a backdoor, which the attackers used to install Kickidler on the administrators' systems and steal login credentials.

The time between the compromise of a system administrator's workstation and further actions varied from days to weeks, according to Varonis. The attackers likely used this time to steal additional login credentials. Ultimately, the attackers moved laterally from the system administrator's workstation to internal servers, stole data, and finally rolled out the ransomware.

Synacktiv and Varonis advise, among other things, blocking system tools that attackers can use and training employees to be cautious when downloading software.
