Employee Monitoring Software Turned into Ransomware Weapon


  • Ransomware operators are using a backdoor to deploy Kickidler, a legitimate employee monitoring product

  • The tool is used to harvest credentials, including those for off-domain cloud backups, before the encryptor is run

  • VMware ESXi servers are the final target

Kickidler, a popular employee monitoring tool, is being misused by ransomware groups, multiple security researchers have warned.

The software was designed for businesses that want to oversee employee productivity, ensure compliance, and detect insider threats. Its key features include real-time screen viewing, keystroke logging, and time tracking; the first two are exactly the capabilities a credential thief wants.

Researchers from Varonis and Synacktiv, who have investigated these attacks, say they begin with malicious advertisements bought through Google Ads. The ads appear when someone searches for RVTools, a free Windows utility for connecting to VMware vCenter or ESXi servers, which means the people who click them are very likely to be virtualization administrators. Clicking such an ad leads to a trojanized build of RVTools that installs a backdoor known as SMOKEDHAM.

Cloud backups in the crosshairs

Using the backdoor, the attackers install Kickidler on the machines of enterprise administrators, specifically to capture the many credentials those administrators type every day. The goal is to move laterally across the whole network and eventually execute the encryptor.

The two groups observed using Kickidler, Qilin and Hunters International, appear to be concentrating on cloud backups, but according to Varonis they have run into a specific obstacle there.

“Given the increased targeting of backup solutions by attackers in recent years, defenders are decoupling backup system authentication from Windows domains. This measure prevents attackers from accessing backups even if they gain high-level Windows credentials,” Varonis told BleepingComputer.

Kickidler gets around that control by recording keystrokes and the web pages visited on an administrator’s computer. That lets the attackers identify which external cloud backup services are in use and capture the separate passwords for them directly as they are typed, without resorting to noisier techniques such as dumping credentials from memory, which are far more likely to trigger endpoint detection.

The final stage targets VMware ESXi hosts, the researchers say, with the ransomware encrypting the VMDK virtual disk files that back the virtual machines. Hunters International used VMware PowerCLI together with WinSCP automation to enable SSH on the hosts, upload the ransomware binary, and execute it on the ESXi servers.
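The ESXi step above leaves a distinctive trace: SSH is normally off on a hardened host, so "SSH enabled, then an SSH session from an address that is not an admin jump host" is a useful tripwire. The script below is an added example written for this page, not code from the article, Varonis, or Synacktiv. It assumes the audit events ESXi writes to vobd.log (esx.audit.ssh.enabled, esx.audit.ssh.disabled, esx.audit.ssh.session.opened); the sample log, the addresses, the 30-minute window, and the allowlisted admin network are all constructed for the example, and the exact message wording should be confirmed against a real vobd.log before deployment.

```python
"""Flag ESXi hosts where SSH was switched on and then used from an unexpected source.

Added example for this article; not the researchers' tooling. The log below is
constructed, modelled on ESXi vobd.log audit events, and the IP ranges are made up.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample vobd.log extract (timestamps, addresses and correlator
# fields invented for the example). Verify wording against your own hosts.
SAMPLE_VOBD = """\
2025-05-10T02:13:41.100Z: [GenericCorrelator] 1210us: [esx.audit.ssh.enabled] SSH access has been enabled.
2025-05-10T02:14:07.532Z: [GenericCorrelator] 1311us: [esx.audit.ssh.session.opened] SSH session was opened for 'root@10.20.30.77'.
2025-05-10T02:40:00.000Z: [GenericCorrelator] 1350us: [esx.audit.ssh.disabled] SSH access has been disabled.
2025-05-10T09:00:12.004Z: [GenericCorrelator] 1400us: [esx.audit.ssh.enabled] SSH access has been enabled.
2025-05-10T09:01:45.770Z: [GenericCorrelator] 1401us: [esx.audit.ssh.session.opened] SSH session was opened for 'root@10.0.5.10'.
2025-05-10T15:30:00.000Z: [GenericCorrelator] 1500us: [esx.audit.ssh.session.opened] SSH session was opened for 'root@192.168.77.5'.
"""

# Timestamp, then any prefix, then the first [esx.audit.*] tag and its message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT[\d:.]+)Z: .*?\[(?P<event>esx\.audit\.[\w.]+)\] (?P<msg>.*)$"
)
# 'user@address' as it appears in the session.opened message.
SESSION_RE = re.compile(r"'(?P<user>[^'@]+)@(?P<ip>[0-9a-fA-F:.]+)'")


def parse_events(log_text):
    """Return [(timestamp, event_name, message)] for every esx.audit line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f")
        events.append((ts, m["event"], m["msg"]))
    return events


def find_suspicious_ssh(log_text, admin_networks, window=timedelta(minutes=30)):
    """Report SSH sessions from outside admin_networks.

    Severity is 'high' when the session follows an SSH-enable event within
    `window` (the PowerCLI-enables-SSH-then-connects pattern), otherwise 'medium'.
    """
    nets = [ipaddress.ip_network(n) for n in admin_networks]
    enabled_at = None  # time of the most recent enable, cleared on disable
    findings = []
    for ts, event, msg in parse_events(log_text):
        if event == "esx.audit.ssh.enabled":
            enabled_at = ts
        elif event == "esx.audit.ssh.disabled":
            enabled_at = None
        elif event == "esx.audit.ssh.session.opened":
            m = SESSION_RE.search(msg)
            if not m:
                continue
            src = ipaddress.ip_address(m["ip"])
            if any(src in net for net in nets):
                continue  # expected admin source, nothing to report
            recent = enabled_at is not None and ts - enabled_at <= window
            findings.append({
                "time": ts.isoformat(),
                "user": m["user"],
                "source_ip": str(src),
                "severity": "high" if recent else "medium",
                "seconds_since_enable": int((ts - enabled_at).total_seconds()) if recent else None,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_ssh(SAMPLE_VOBD, ["10.0.5.0/24"]):
        print(f)
```

Run against the constructed log with only 10.0.5.0/24 allowlisted, the 02:14 session from 10.20.30.77, 26 seconds after SSH was enabled, is reported as high, and the 15:30 session from 192.168.77.5 as medium; the 09:01 session from the admin range is ignored. The same condition can be checked live from PowerCLI with Get-VMHostService (the TSM-SSH service should be stopped with its policy set to Off on every host outside a maintenance window), and a host in lockdown mode will not accept the enable in the first place.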

