Kickidler employee monitoring software abused in ransomware attacks

Ransomware groups are exploiting legitimate employee monitoring and remote management software like Kickidler to conduct reconnaissance, gather credentials, and deploy ransomware payloads. This abuse allows them to target critical infrastructure such as VMware environments and access backup systems undetected. (Affected: enterprises, government agencies, and their IT systems)

Key points:

  • Ransomware operators are using legitimate monitoring tools like Kickidler for reconnaissance, credential harvesting, and tracking activity.
  • Attackers install Kickidler via malware loaders that deploy trojanized programs, enabling them to capture keystrokes, screenshots, and videos.
  • Threat actors target enterprise administrators to access privileged credentials and maintain stealthy long-term access.
  • After initial infiltration, attackers deploy payloads onto VMware ESXi servers, encrypting virtual disks and causing system disruptions.
  • Sabotage includes targeting off-site cloud backups by obtaining passwords through monitored administrator activity.
  • The abuse of legitimate RMM software, such as SimpleHelp, facilitates privilege escalation, backdoor installation, and ransomware deployment.
  • Security advisories recommend auditing remote access tools, enforcing application controls, and blocking unauthorized RMM ports to prevent such attacks.
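
One way to act on the audit recommendation in the last point, as an added example that is not from the BleepingComputer article or from any of the vendors named: a PowerShell script that inventories software registered on a Windows host, flags anything that looks like remote-monitoring or RMM software, and reports the entries that are not on an organisation's approved list. Kickidler and SimpleHelp are the two product names taken from the summary; the other name fragments, the `$ApprovedRmm` placeholder and the function names are assumptions for illustration and should be replaced with whatever the organisation actually sanctions.

```powershell
# Added example (not from the article): audit a Windows host for remote-monitoring
# and RMM software that is not on the approved list.

# Placeholder: the remote-access products your organisation sanctions (assumption).
$ApprovedRmm = @('ApprovedRmmVendor')

# Name fragments that indicate remote-monitoring or remote-management software.
# 'Kickidler' and 'SimpleHelp' come from the summary; the rest are assumptions.
$RmmPatterns = @('Kickidler', 'SimpleHelp', 'Remote', 'RMM')

# Registry locations where Windows installers register uninstall entries
# (machine-wide 64-bit, machine-wide 32-bit, and per-user installs).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-UnapprovedRmm {
    # Installed products with a display name, from all three uninstall hives.
    $installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, Publisher, InstallDate, InstallLocation

    foreach ($app in $installed) {
        # Does the product name match any remote-monitoring pattern?
        $isRmm = $RmmPatterns | Where-Object { $app.DisplayName -like "*$_*" }
        # Is it one of the sanctioned tools?
        $isApproved = $ApprovedRmm | Where-Object { $app.DisplayName -like "*$_*" }
        if ($isRmm -and -not $isApproved) {
            $app   # emit the unapproved entry for the report
        }
    }
}

function Get-RmmProcesses {
    # Running processes whose name matches a remote-monitoring pattern; an agent
    # that is running but has no uninstall entry is worth a closer look.
    Get-Process -ErrorAction SilentlyContinue | Where-Object {
        $name = $_.ProcessName
        $RmmPatterns | Where-Object { $name -like "*$_*" }
    } | Select-Object Id, ProcessName, Path
}

$findings = Get-UnapprovedRmm
if ($findings) {
    Write-Warning 'Unapproved remote-monitoring software registered on this host:'
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No unapproved remote-monitoring software found in the uninstall registry.'
}

Write-Host 'Running processes matching remote-monitoring patterns:'
Get-RmmProcesses | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so that process paths are readable, and treat the name-matching as a first pass rather than a verdict: a registry inventory misses agents that were dropped without an installer, so pair it with the application-control and port-blocking measures the advisories recommend.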

Read More: https://www.bleepingcomputer.com/news/security/kickidler-employee-monitoring-software-abused-in-ransomware-attacks/