New RansomHub Attack Employs TDSSKiller and LaZagne, Bypasses EDR – ThreatDown by Malwarebytes

RansomHub has adopted TDSSKiller and LaZagne to blunt EDR defenses and harvest credentials, marking the first known use of these tools by the group during reconnaissance and privilege enumeration. ThreatDown notes the new tactic and recommends defense steps such as restricting vulnerable drivers and isolating critical systems. #RansomHub #TDSSKiller #LaZagne #MBAMService #ThreatDown #EDR

Key points

  • RansomHub uses TDSSKiller to disable EDR systems, including MBAMService.
  • LaZagne is deployed to harvest credentials from the compromised host, aiding lateral movement.
  • Both tools are now linked to RansomHub for the first time; they were not previously associated with the group.
  • TDSSKiller can target and disable security services via specific command-line flags like -dcsvc.
  • Admin-group enumeration via commands such as net1 group “Enterprise Admins” occurs during recon.
  • ThreatDown has implemented detection rules for TDSSKiller and LaZagne and provides mitigations for BYOVD and network segmentation.

MITRE Techniques

  • [T1003] Credential Dumping – LaZagne is used to extract stored credentials from various applications. ‘LaZagne.exe database’
  • [T1211] Disable or Modify Tools – TDSSKiller is used to disable security services like Malwarebytes Anti-Malware Service. ‘tdsskiller.exe -dcsvc MBAMService’
  • [T1069] Permission Groups Discovery – Initial reconnaissance and privilege enumeration through admin group checks. ‘net1 group “Enterprise Admins” /do’
  • [T1021] Remote Services – Credential harvesting via LaZagne facilitates lateral movement within networks. ‘to facilitate lateral movement within networks’
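The three command lines quoted above are enough to build process-creation detections for this tradecraft. The following is an added example, not ThreatDown's own detection rules: it runs over constructed process-creation records (image path plus full command line, the fields a Sysmon Event ID 1 or Windows 4688 pipeline would supply) and flags TDSSKiller's -dcsvc flag aimed at a security service, any LaZagne execution, and net/net1 enumeration of privileged groups. MBAMService is the only service the write-up names; the other service names in the watchlist, the sample records and the helper names are assumptions made for the example.

```python
"""Command-line detections for the RansomHub tradecraft described above.

Added example, not ThreatDown's detection content. Runs over constructed
process-creation records (image path + full command line) and flags:
  * TDSSKiller's -dcsvc flag aimed at a security service (EDR tampering)
  * any LaZagne execution (credential harvesting)
  * net / net1 enumeration of privileged groups (reconnaissance)
"""
import re
import shlex
from dataclasses import dataclass

# MBAMService is the service named in the write-up; "sense" and "windefend"
# are assumed additions showing how such a watchlist is normally extended.
PROTECTED_SERVICES = {"mbamservice", "sense", "windefend"}
ADMIN_GROUPS = {"enterprise admins", "domain admins", "administrators"}
NET_BINARIES = {"net.exe", "net1.exe", "net", "net1"}


@dataclass
class Finding:
    technique: str      # MITRE ID, using the mapping from the write-up
    detail: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name of an image path, quotes and directories removed."""
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()


def _args(command_line: str) -> list[str]:
    """Tokenise a Windows command line, keeping "Enterprise Admins" as one
    token, and drop the program itself so index 0 is the first argument."""
    try:
        parts = shlex.split(command_line, posix=False)
    except ValueError:  # unbalanced quote: fall back to a whitespace split
        parts = command_line.split()
    return [p.strip('"').lower() for p in parts[1:]]


def analyse(image: str, command_line: str) -> list[Finding]:
    """Return the findings for a single process-creation record."""
    exe = _basename(image)
    args = _args(command_line)
    findings: list[Finding] = []

    # TDSSKiller is legitimate software and may be renamed, so key on the
    # flag and its target rather than on the file name alone.
    if "-dcsvc" in args:
        i = args.index("-dcsvc")
        target = args[i + 1] if i + 1 < len(args) else ""
        if target in PROTECTED_SERVICES:
            who = "TDSSKiller" if exe == "tdsskiller.exe" else f"{exe} (possible renamed TDSSKiller)"
            findings.append(Finding("T1211", f"{who} -dcsvc against security service {target}", command_line))

    # Any LaZagne launch is worth a finding; the first argument is its module.
    if exe == "lazagne.exe":
        module = args[0] if args else "(no module)"
        findings.append(Finding("T1003", f"LaZagne credential harvesting, module {module}", command_line))

    # net1 group "Enterprise Admins" /do -> domain-scoped privileged-group recon
    if exe in NET_BINARIES and len(args) >= 2 and args[0] == "group" and args[1] in ADMIN_GROUPS:
        scope = "domain" if ("/do" in args or "/domain" in args) else "local"
        findings.append(Finding("T1069", f"{scope} enumeration of privileged group '{args[1]}'", command_line))

    return findings


def scan(events) -> list[Finding]:
    """Apply analyse() to an iterable of (image, command_line) records."""
    return [f for image, cmd in events for f in analyse(image, cmd)]


# Constructed sample records for the example, not telemetry from the incident.
SAMPLE_EVENTS = [
    (r"C:\Users\Public\TDSSKiller.exe", r"C:\Users\Public\TDSSKiller.exe -dcsvc MBAMService"),
    (r"C:\Users\Public\LaZagne.exe", r"C:\Users\Public\LaZagne.exe database"),
    (r"C:\Windows\System32\net1.exe", r'net1 group "Enterprise Admins" /do'),
    (r"C:\Tools\TDSSKiller.exe", r"C:\Tools\TDSSKiller.exe"),          # plain launch: no finding
    (r"C:\Users\Public\update.exe", r"update.exe -dcsvc MBAMService"),  # renamed copy still caught
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.detail}: {f.command_line}")
```

Keying the TDSSKiller rule on the -dcsvc flag and its target, rather than on the file hash or name, is deliberate: the hashes listed below identify the copies seen in this incident, while the flag-plus-service pattern also covers a renamed or rebuilt binary, which is the usual way a legitimate tool is carried into an intrusion.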

Indicators of Compromise

  • [File Name] context – TDSSKiller.exe, LaZagne.exe
  • [SHA-256] 2d823c8b6076e932d696e8cb8a2c5c5df6d392526cba8e39b64c43635f683009 – TDSSKiller.exe
  • [SHA-256] 467e49f1f795c1b08245ae621c59cdf06df630fc1631dc0059da9a032858a486 – LaZagne.exe
  • [MD5] ff1eff0e0f1f2eabe1199ae71194e560 – TDSSKiller.exe
  • [MD5] 5075f994390f9738e8e69f4de09debe6 – LaZagne.exe

Read more: https://www.threatdown.com/blog/new-ransomhub-attack-uses-tdskiller-and-lazagne-disables-edr/