In a disturbing trend, cybercriminals are weaponizing legitimate employee monitoring tools to conduct reconnaissance on victims and harvest sensitive credentials after breaching a network. Cybersecurity firms Varonis and Synacktiv have observed affiliates of the Qilin and Hunters International ransomware groups using the legitimate monitoring software Kickidler.

What is Kickidler

Kickidler Interface

Kickidler, an employee monitoring product used by more than 5,000 organizations across 60 countries, offers keystroke logging, screen capture, and video recording features for security purposes.

Kickidler functions like a digital CCTV system for IT teams, allowing organizations to monitor employee activity and prevent insider threats or data misuse. In the hands of cybercriminals, however, the same tool becomes powerful spyware, giving them everything they need, from credential theft to system reconnaissance, without the effort typically required to bypass endpoint detection and response (EDR) solutions.

How Kickidler is Exploited

Exploitation of Kickidler (Source: Varonis)

The attack campaigns began with malicious Google Ads targeting IT administrators searching for RVTools, a free Windows utility for managing VMware vSphere environments. These malicious ads redirected users to a counterfeit website (rv-tool[.]net), which delivered a trojanized version of the software.

Upon execution, the fake installer acted as a loader for SMOKEDHAM, a PowerShell-based .NET backdoor used to download and install Kickidler on the compromised systems. Varonis researchers say the attackers likely maintained prolonged access to victim environments, possibly for days or weeks, allowing them to harvest credentials for off-site cloud backups without triggering traditional detection mechanisms.
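The initial access described above rested on a lookalike domain (rv-tool[.]net) standing in for the real RVTools download site. The script below is an added example for defenders, not code from the article, Varonis or Synacktiv: it scans web proxy log lines for hosts whose registrable label imitates a watched product name, using a brand-name substring check and a small edit-distance threshold. The log lines, the `rvtools-vendor.example` allowlist entry and the brand list are constructed for illustration; replace them with the vendor domains from your own software catalogue.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log lines (not from the page). rv-tool.net is the lookalike
# domain named in the article; every other host here is made up.
SAMPLE_PROXY_LOG = """\
2025-05-06T09:14:02Z 10.20.1.15 GET https://www.vmware.com/ 200
2025-05-06T09:16:40Z 10.20.1.15 GET https://rv-tool.net/RVTools4.7.1.msi 200
2025-05-06T09:17:05Z 10.20.1.15 GET https://rvtools-vendor.example/download 200
2025-05-06T09:20:11Z 10.20.1.22 GET https://rvtoolz.com/setup.exe 200
2025-05-06T09:21:00Z 10.20.1.22 GET https://cdn.example.net/asset.js 200
"""

# Products IT staff download often, mapped to the domains they are expected to
# come from. The allowlist value is a constructed placeholder, not the real
# RVTools vendor domain.
WATCHED_BRANDS = {
    "rvtools": {"rvtools-vendor.example"},
}
MAX_EDIT_DISTANCE = 2


def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host):
    # Heuristic: second-to-last label ("rv-tool" for rv-tool.net). Good enough
    # here; a public-suffix list is needed to handle suffixes such as co.uk.
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label):
    # Strip hyphens and other separators so "rv-tool" compares as "rvtool".
    return re.sub(r"[^a-z0-9]", "", label.lower())


def flag_lookalike(host):
    """Return (brand, reason) if host imitates a watched brand, else None."""
    host = host.lower()
    if any(host in allowed for allowed in WATCHED_BRANDS.values()):
        return None  # the genuine vendor domain
    label = normalize(registrable_label(host))
    for brand in WATCHED_BRANDS:
        if brand in label:
            return (brand, "contains brand name")
        dist = levenshtein(brand, label)
        if dist <= MAX_EDIT_DISTANCE:
            return (brand, "edit distance %d" % dist)
    return None


def scan_proxy_log(text):
    """Parse 'timestamp client method url status' lines and return lookalike hits."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, _method, url = fields[:4]
        host = urlsplit(url).hostname
        if not host:
            continue
        hit = flag_lookalike(host)
        if hit:
            findings.append({"time": ts, "client": client, "host": host,
                             "brand": hit[0], "reason": hit[1]})
    return findings


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{f['time']} {f['client']} -> {f['host']} ({f['brand']}: {f['reason']})")
```

Run against the constructed log, the scan flags rv-tool.net and rvtoolz.com for the two clients that fetched installers from them, while the allowlisted vendor placeholder and unrelated hosts pass. The same hits are a good trigger for pulling the downloaded installer from the endpoint and comparing its signature and hash with the vendor's published values.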

By monitoring admin keystrokes and web activity, the attackers were able to uncover cloud backup portals and extract login credentials discreetly, sidestepping more overt memory-dumping techniques that would risk detection.

After gathering the necessary access, both ransomware groups proceeded to target VMware ESXi infrastructure, encrypting VMDK virtual disk files to cause maximum disruption. Synacktiv reports that Hunters International employed a custom deployment script using VMware PowerCLI and WinSCP Automation to activate SSH, deploy the ransomware, and execute it across ESXi servers.

Recommendations

Security experts urge organizations to take the following precautions:

  • Audit all installed remote access tools and restrict usage to approved RMM software.
  • Implement application controls to block unauthorized software execution.
  • Enforce access via secure remote access solutions like VPN or VDI.
  • Block unnecessary inbound and outbound traffic on standard RMM ports and protocols.
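The first two recommendations amount to an inventory question: which hosts run remote monitoring or remote control software, and is it the sanctioned product? The script below is an added example from a defender's perspective, not code from the article or from any vendor named in it. It takes an endpoint software inventory (constructed records, as an agent or package export would produce) and reports every remote access product that is not the organisation's approved RMM, plus hosts that lack the approved agent entirely. Kickidler and SimpleHelp appear on the watchlist because the article names them; the other pattern entries, the hostnames and the `ApprovedRMM Agent` product name are constructed placeholders.

```python
import re

# Constructed inventory export (not from the page); hostnames and versions
# are made up.
SAMPLE_INVENTORY = [
    {"host": "WS-ADMIN-01", "name": "Kickidler", "publisher": "Kickidler", "version": "1.0"},
    {"host": "WS-ADMIN-01", "name": "Microsoft Edge", "publisher": "Microsoft", "version": "125.0"},
    {"host": "WS-ADMIN-01", "name": "ApprovedRMM Agent", "publisher": "Approved RMM Inc", "version": "9.1"},
    {"host": "SRV-FILE-02", "name": "SimpleHelp Remote Access", "publisher": "SimpleHelp", "version": "5.5"},
    {"host": "SRV-FILE-02", "name": "ApprovedRMM Agent", "publisher": "Approved RMM Inc", "version": "9.1"},
    {"host": "WS-DEV-07", "name": "TeamViewer", "publisher": "TeamViewer", "version": "15.0"},
    {"host": "WS-DEV-07", "name": "7-Zip", "publisher": "Igor Pavlov", "version": "23.01"},
]

# Name/publisher patterns that indicate remote monitoring or remote control
# capability. Kickidler and SimpleHelp come from the article; the remaining
# entries are an example watchlist to extend from your own threat intel.
REMOTE_ACCESS_PATTERNS = [r"kickidler", r"simplehelp", r"teamviewer", r"anydesk", r"approvedrmm"]

# The single RMM product the organisation has sanctioned (constructed name).
APPROVED_RMM = {"ApprovedRMM Agent"}


def is_remote_access_tool(record):
    """True if the product name or publisher matches a watchlist pattern."""
    text = f"{record['name']} {record['publisher']}".lower()
    return any(re.search(pattern, text) for pattern in REMOTE_ACCESS_PATTERNS)


def audit_inventory(records):
    """Return one finding per unapproved remote access product per host."""
    findings = []
    for r in records:
        if is_remote_access_tool(r) and r["name"] not in APPROVED_RMM:
            findings.append({"host": r["host"], "name": r["name"],
                             "publisher": r["publisher"], "severity": "high"})
    return findings


def hosts_without_approved_rmm(records):
    """Hosts that have no sanctioned agent installed, sorted by name."""
    all_hosts = {r["host"] for r in records}
    covered = {r["host"] for r in records if r["name"] in APPROVED_RMM}
    return sorted(all_hosts - covered)


if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        print(f"[{f['severity']}] {f['host']}: unapproved remote access tool {f['name']!r}")
    for host in hosts_without_approved_rmm(SAMPLE_INVENTORY):
        print(f"[coverage] {host}: approved RMM agent missing")
```

On the sample data the audit flags Kickidler on the admin workstation, SimpleHelp on the file server and TeamViewer on the developer machine, and reports that the developer machine is also missing the sanctioned agent. Feeding the same records into an application control policy as a blocklist is the natural follow-up to the second recommendation.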

Conclusion

This case underscores a broader concern: the abuse of legitimate remote monitoring and management (RMM) tools by threat actors. A joint advisory from CISA, the NSA, and MS-ISAC in January 2023 warned of ransomware operators using portable remote desktop tools to compromise systems without requiring elevated privileges.

In another recent example, attackers exploited vulnerable SimpleHelp RMM clients to create admin accounts, plant backdoors, and potentially prepare for Akira ransomware attacks.

As ransomware operators continue to refine their methods, security teams must conduct regular red team exercises and employee training to avoid this type of attack.

Sources:

1. hxxps[://]www[.]varonis[.]com/blog/seo-poisoning#initial-access-and-persistence

2. hxxps[://]www[.]synacktiv[.]com/en/publications/case-study-how-hunters-international-and-friends-target-your-hypervisors
