The infamous RansomHub ransomware group has been spotted abusing a legitimate Kaspersky tool to disable endpoint detection and response (EDR) tools and then deploy stage-two malware on infected systems without being seen.
Cybersecurity researchers Malwarebytes, who recently spotted the activity in the wild, noted once RansomHub compromises an endpoint and finds a way inside, it first needs to disable any EDR tools before deploying infostealers, or encryptors. In this scenario, the tool they used is called TDSSKiller – Kspersky’s specialized tool designed to detect and remove rootkits, particularly those from the TDSS family (also known as TDL4).
