Hackers have started disabling antivirus software to hide their cyberattacks


A new cyber group that disables security solutions while attacking companies has been discovered in Russia. This trend is showing up more and more often in incident investigations, experts from Solar 4RAYS, the Solar Group's cyber threat research center, told Izvestia. In particular, when attacking an industrial organization, the attackers used a method capable of disabling a security solution from any vendor.
The investigation revealed that the attackers penetrated the corporate network through a vulnerability in DameWare Mini Remote Control, software used for remote computer control. It turned out that, since the pandemic, the DameWare port on some systems in the infrastructure had remained accessible from the external network.
Next, the cybercriminals placed a malicious file in the directory of the antivirus solution's administration agent and disabled the Kaspersky Lab antivirus. Solar 4RAYS experts informed the vendor of the technique they had discovered, and Kaspersky Lab promptly strengthened the self-protection mechanisms of its products and released the corresponding updates.
One of the malware's functions was to disable a MiniFilter, a component of the Windows file system filtering technology. Many security solutions rely on their MiniFilter to collect information about file system operations, detect unusual behavior, monitor applications, and analyze potential threats.
In such an attack, a malicious driver creates and registers its own MiniFilter, locates the callback function of the security solution's MiniFilter by its offset, and replaces it with a dummy stub function, thereby blocking the antivirus from monitoring file system activity. The attackers can then deploy any malicious software on the system without fear of detection by the basic defenses.
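As an added example (not from the article, Solar 4RAYS or any vendor), one way a defender can notice that an unexpected minifilter has been registered is to capture `fltmc filters` output on the host and compare it against a known-good baseline; filters landing in the altitude range Microsoft reserves for the anti-virus load-order group deserve particular attention. The sample output, the baseline and the filter names below are constructed for illustration.

```python
"""Baseline check of loaded file-system minifilters (illustrative, constructed data)."""
import re

# Altitude range Microsoft reserves for the "FSFilter Anti-Virus" load-order group.
AV_ALTITUDE_RANGE = (320000, 329999)

# Constructed sample of `fltmc filters` output; the filter names are hypothetical.
SAMPLE_FLTMC_OUTPUT = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
vendorav                                3         326000         0
FileInfo                                3          45000         0
rogueflt                                1         326001         0
"""

# Constructed baseline: the filters an administrator expects to see on this host.
BASELINE_FILTERS = {"vendorav", "FileInfo"}

# name, instance count, altitude (optional decimal part ignored), frame
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)(?:\.\d+)?\s+(\d+)\s*$")


def parse_fltmc(text):
    """Return a list of (name, instances, altitude) tuples from fltmc output."""
    filters = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, separator or blank line
        name, instances, altitude, _frame = m.groups()
        filters.append((name, int(instances), int(altitude)))
    return filters


def find_suspicious(filters, baseline):
    """Report filters absent from the baseline, those of them in the AV altitude
    range (the shape of the rogue minifilter described above), and baseline
    filters that are missing, since a disabled AV filter may simply be gone."""
    loaded = {name for name, _, _ in filters}
    unknown = [f for f in filters if f[0] not in baseline]
    low, high = AV_ALTITUDE_RANGE
    in_av_range = [f for f in unknown if low <= f[2] <= high]
    return {"unknown": unknown, "unknown_in_av_range": in_av_range,
            "missing": sorted(baseline - loaded)}


if __name__ == "__main__":
    print(find_suspicious(parse_fltmc(SAMPLE_FLTMC_OUTPUT), BASELINE_FILTERS))
```

On a real host, replace the constructed sample with the captured output of `fltmc filters` and the baseline with the filter list recorded from a clean build of the same image.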
Read more in Izvestia's exclusive article:
Defenseless mechanisms: hackers have found a way to disable antiviruses
Translated by the Yandex Translate service