- Hackers are using backdoors to drop Kickidler, a legitimate employee monitoring tool
- The tool is used to obtain login credentials and deploy an encryptor
- VMwaare’s ESXi servers are being targeted
Kickidler, a popular employee monitoring tool, is being abused in ransomware attacks, multiple security researchers have warned.
The software was designed for businesses, allowing them to oversee their employees’ productivity, ensure compliance, and detect insider threats. Some of its key features are real-time screen viewing, keystroke logging, and time tracking, with the former two being particularly interesting to cybercriminals.
Researchers from Varonis and Synacktiv, who claim to have seen the attacks in the wild, say it all starts with a poisoned ad purchased on the Google Ads network. The ad is displayed to people searching for RVTools, a free Windows-based utility that connects to VMware vCenter or ESXi hosts. The ad leads to a trojanized version of the program, which deploys a backdoor called SMOKEDHAM.
Cloud backups in the crosshairs
With the help of the backdoor, threat actors deploy Kickidler, specifically targeting enterprise administrators and many of the login credentials they use every day. The goal is to infiltrate into every corner of the network and ultimately deploy the encryptor.
The two groups seen using Kickidler are Qilin and Hunters International, which seem focused on cloud backups, but seem to have hit a roadblock, Varonis said.
“Given the increased targeting of backup solutions by attackers in recent years, defenders are decoupling backup system authentication from Windows domains. This measure prevents attackers from accessing backups even if they gain high-level Windows credentials,” Varonis told BleepingComputer.
“Kickidler addresses this issue by capturing keystrokes and web pages from an administrator’s workstation. This enables attackers to identify off-site cloud backups and obtain the necessary passwords to access them. This is done without dumping memory or other high-risk tactics that are more likely to be detected.”
The payloads targeted VMware ESXi infrastructure, the researchers added, encrypting VMDK virtual hard drives. Hunters International used VMware PowerCLI and WinSCP Automation to enable SSH, drop the ransomware, and run it on ESXi servers.
