Kasseika Threat Actor has joined the club of Threat Actors that currently use Bring Your Own Vulnerable Driver (BYOVD) tactics to disable antivirus/EDR software before carrying out malicious activities, such as encrypting files. Kasseika abuses the Martini driver, part of the TG Soft’s VirIT Agent System. By using BYOVD attacks, the malware gains privileges it can use to terminate various processes (included as a hardcoded list), many of which correspond to antivirus/EDR/security/analysis and system utilities. Kasseika ransomware utilizes the ChaCha20 and RSA encryption algorithms to encrypt target files, appending a pseudo-random string to the filenames, similar to BlackMatter ransomware. More information at this link.
Massimo Giaimo
Team Leader Cyber Security at Würth Phoenix
Author
Latest posts by Massimo Giaimo
21. 03. 2024
SOCnews
SOC News | Mar 21 – IABs and Bulk Sales
03. 02. 2024
SOCnews
SOC News | Feb 04 – AnyDesk Compromise
24. 12. 2023
SOCnews
SMTP Smuggling – A Quick Summary