Full Report
Ransomware operations are using legitimate Kickidler employee monitoring software for reconnaissance, tracking their victims' activity, and harvesting credentials after breaching their networks. [...]
Analysis Summary
# Tool/Technique: Kickidler Employee Monitoring Software
## Overview
Kickidler is legitimate employee monitoring software. The report excerpt above describes ransomware operators using it after breaching a network for reconnaissance, tracking victim users' activity, and harvesting credentials; the same foothold also supports lateral movement and persistence. Because it is a commercially deployed monitoring product rather than malware, its agent, its processes, and its traffic are less likely to be flagged by signature-based controls than a custom implant would be, which is the same property that makes legitimate RMM software attractive to these groups.
## Technical Details
- Type: Tool (Abused Legitimate Software: employee monitoring, comparable to RMM abuse)
- Platform: Windows (implied; the product is deployed as an agent on corporate workstations)
- Capabilities: Employee activity monitoring (the product's feature set includes screen recording, keystroke logging, and remote access to the monitored workstation). In the reported abuse: reconnaissance, tracking of victim activity, credential harvesting, and remote control.
- First Seen: Not specified in the excerpt. The joint government warnings on RMM abuse that the context references describe activity from mid-October 2022; the Kickidler abuse reported here is more recent.
## MITRE ATT&CK Mapping
The excerpt states what the software was used for (reconnaissance, activity tracking, credential harvesting) but not how; the mapping below pairs those outcomes with the techniques a monitoring agent naturally provides.
- **TA0009 - Collection**
- T1113 - Screen Capture (monitoring screen recordings used for reconnaissance and activity tracking)
- T1056.001 - Input Capture: Keylogging (keystroke logs used to harvest credentials)
- **TA0006 - Credential Access**
- T1056.001 - Input Capture: Keylogging (credentials typed into the monitored session)
- **TA0011 - Command and Control**
- T1219 - Remote Access Software (remote control of the monitored workstation through the product's own console)
- **TA0003 - Persistence**
- T1543.003 - Create or Modify System Process: Windows Service (if the agent's service is used to retain access)
## Functionality
### Core Capabilities
In the context of abuse:
* Observing what victim users do on their workstations (reconnaissance) and capturing the credentials they enter.
* Establishing remote control over employee workstations.
* Blending in with a legitimately deployed monitoring product, so that agent processes and console traffic do not trip signature-based controls.
### Advanced Features
* (Inferred from RMM abuse patterns): Maintaining persistent access and staging later phases of the intrusion, up to ransomware deployment.
## Indicators of Compromise
* File Hashes: [N/A in context]
* File Names: [N/A in context; the relevant files are the vendor's own installer, agent, and service binaries, which should be identified from a reference install rather than treated as indicators on their own]
* Registry Keys: [N/A in context]
* Network Indicators: [N/A in context. Agent traffic to a Kickidler server is itself the indicator when the organization has no authorized Kickidler deployment, or when the server is one the organization does not operate.]
* Behavioral Indicators: Presence of remote access sessions or activity originating from the monitoring software that aligns with attacker TTPs.
## Associated Threat Actors
* Threat Actors involved in Ransomware operations (Context mentions joint warnings about RMM abuse linked to many ransomware operations).
## Detection Methods
* Signature-based detection: [Of limited value: the binaries are legitimate commercial software. A detection has to key on presence where the product is not authorized, not on the file itself.]
* Behavioral detection: Inventory remote access and monitoring agents and compare against the authorized set; alert on agent installs outside the sanctioned deployment process, on remote-control sessions and process launches originating from the agent, and on agent traffic to monitoring servers the organization does not operate.
* YARA rules: [N/A]
## Mitigation Strategies
* Audit installed remote access tools and identify authorized RMM software.
* Use application controls to prevent the execution of unauthorized RMM software.
* Restrict operational remote access to approved channels (e.g., VPN into a jump host, or VDI) and treat any third-party monitoring or remote-control tool outside that set as unauthorized.
* Block inbound and outbound connections on standard RMM ports and protocols if they are not strictly necessary for business operations.
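The audit in the first two mitigations is the check a responder actually runs on a host. The script below is an added example, not code from the original report or from any vendor: it collects installed software and service image paths on a Windows host, matches them against a list of remote-access and monitoring products, and reports anything that is not on an explicit allowlist. The product name patterns, the allowlist, and the sample inventory it runs on at the bottom are assumptions constructed for illustration.

```powershell
# Added example: inventory a Windows host for remote-access / employee-monitoring
# software and flag anything not on an explicit allowlist. The product patterns
# are an assumed starting list; extend them for your environment.

# Display-name patterns for products that provide remote control or user-activity
# monitoring (matched case-insensitively against names and image paths).
$RemoteAccessPatterns = @(
    'Kickidler', 'SimpleHelp', 'AnyDesk', 'TeamViewer', 'ConnectWise', 'ScreenConnect',
    'Atera', 'Splashtop', 'LogMeIn', 'RustDesk'
)

function Get-InstalledSoftwareInventory {
    # Collects display names from the 64-bit and 32-bit Uninstall keys (HKLM),
    # per-user installs (HKCU), and the image path of every installed service.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $items = foreach ($key in $uninstallKeys) {
        Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName } |
            ForEach-Object {
                [pscustomobject]@{ Source = 'Uninstall'; Name = $_.DisplayName; Path = $_.InstallLocation }
            }
    }
    $services = Get-CimInstance Win32_Service -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Source = 'Service'; Name = $_.DisplayName; Path = $_.PathName }
        }
    @($items) + @($services)
}

function Find-UnauthorizedRemoteAccess {
    # Pure evaluation, separated from collection so it can be exercised on
    # constructed input: returns each inventory entry that matches a
    # remote-access pattern and whose product is not allowlisted.
    param(
        [Parameter(Mandatory)] [object[]] $Inventory,
        [string[]] $Allowlist = @(),
        [string[]] $Patterns = $RemoteAccessPatterns
    )
    $regex = ($Patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'
    foreach ($entry in $Inventory) {
        $haystack = "$($entry.Name) $($entry.Path)"
        if (-not ($haystack -match $regex)) { continue }
        $matchedProduct = $Matches[0]
        $authorized = $Allowlist | Where-Object { $matchedProduct -ieq $_ }
        if (-not $authorized) {
            [pscustomobject]@{
                Source  = $entry.Source
                Name    = $entry.Name
                Product = $matchedProduct
                Path    = $entry.Path
            }
        }
    }
}

# --- Demonstration on a constructed inventory (no registry access needed) ---
$sampleInventory = @(
    [pscustomobject]@{ Source = 'Uninstall'; Name = 'Kickidler';  Path = 'C:\Program Files\Kickidler\' },
    [pscustomobject]@{ Source = 'Service';   Name = 'TeamViewer'; Path = '"C:\Program Files\TeamViewer\TeamViewer_Service.exe"' },
    [pscustomobject]@{ Source = 'Uninstall'; Name = '7-Zip 23.01'; Path = 'C:\Program Files\7-Zip\' }
)
# Assumption for the demo: TeamViewer is the only sanctioned tool here.
Find-UnauthorizedRemoteAccess -Inventory $sampleInventory -Allowlist @('TeamViewer') | Format-Table -AutoSize
# Expected: a single finding, the Kickidler entry.

# Against the live host:
# Find-UnauthorizedRemoteAccess -Inventory (Get-InstalledSoftwareInventory) -Allowlist @('TeamViewer')
```

Matching on service image paths as well as Uninstall display names matters because an attacker-installed agent can be registered as a service without ever appearing in Programs and Features. Treat a hit on an allowlisted product as worth a second look too: the allowlist only says the product is sanctioned, not that this particular install came through the sanctioned deployment path.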
## Related Tools/Techniques
* SimpleHelp RMM (Explicitly mentioned as targeted).
* Other legitimate RMM and remote-control software abused for initial access or persistence (e.g., TeamViewer, AnyDesk, ConnectWise ScreenConnect).
---
# Tool/Technique: VMware PowerCLI and WinSCP Automation
## Overview
These are legitimate tools used by attackers, specifically **Hunters International**, to manage and automate tasks within a compromised VMware ESXi environment to facilitate ransomware deployment. PowerCLI is VMware's PowerShell module for administering vCenter and ESXi; WinSCP's scripting (automation) interface performs unattended SCP/SFTP file transfers.
## Technical Details
- Type: Tool (Abused Legitimate Software/Scripting Framework)
- Platform: VMware ESXi, Windows (for running scripts)
- Capabilities: Automating configuration changes on ESXi, enabling services, transferring files securely (SCP/SFTP).
- First Seen: Not specified, but abuse noted in recent ESXi targeting campaigns.
## MITRE ATT&CK Mapping
* **TA0002 - Execution**
* T1059.001 - Command and Scripting Interpreter: PowerShell (PowerCLI cmdlets driving ESXi and vCenter)
* **TA0008 - Lateral Movement**
* T1021.004 - Remote Services: SSH (SSH enabled on the ESXi hosts and then used to reach them)
* **TA0011 - Command and Control**
* T1105 - Ingress Tool Transfer (WinSCP scripted SCP/SFTP transfer of the encryptor to the hosts)
* **TA0040 - Impact**
* T1486 - Data Encrypted for Impact (ransomware executed on the ESXi hosts)
## Functionality
### Core Capabilities
* Enabling the SSH service on VMware ESXi servers.
* Deploying ransomware payloads onto the ESXi infrastructure managed by PowerCLI scripts.
* Using WinSCP's scripting interface to push files to ESXi hosts over SCP/SFTP once SSH is enabled, without an interactive session that an operator would have to drive by hand.
### Advanced Features
* Scripting the whole chain (enable SSH, transfer the payload, deploy it) lets the attacker cover every host in the environment in one run rather than host by host.
## Indicators of Compromise
* File Hashes: [N/A in context]
* File Names: [Scripts or automation files using PowerCLI/WinSCP syntax]
* Registry Keys: [N/A]
* Network Indicators: Unexpected SCP/SFTP (TCP/22) connections to ESXi hosts, and PowerCLI sessions to vCenter or ESXi management interfaces (HTTPS, TCP/443) from systems that are not designated administrative hosts.
* Behavioral Indicators: Execution of PowerShell scripts containing VMware management cmdlets (e.g., `Connect-VIServer`, `Get-VMHostService` and `Start-VMHostService` targeting the `TSM-SSH` service, or other cmdlets that change host configuration), and the SSH service switching from stopped to running on a host outside a change window.
## Associated Threat Actors
* Hunters International (Specifically mentioned using this combination in ESXi attacks).
## Detection Methods
* Signature-based detection: Detection of known malicious PowerCLI scripts or specific WinSCP automation payloads.
* Behavioral detection: Alert on the SSH service being enabled on ESXi hosts (ESXi logs the state change and vCenter records it as a host event); outside an approved change window this is a strong indicator of attacker activity, particularly when several hosts change state within a short interval.
* YARA rules: [N/A]
## Mitigation Strategies
* Disable the SSH service on ESXi hosts unless it is required for maintenance, with its startup policy set to off so it does not return after a reboot; when it must be enabled, disable it again immediately after use and set the ESXi Shell/SSH idle timeout (`UserVars.ESXiShellTimeOut`) so a forgotten or attacker-enabled shell closes on its own.
* Enable lockdown mode so hosts accept administrative operations only through vCenter, and restrict PowerCLI use to designated administrative hosts; monitor for scripts that automate configuration changes outside approved maintenance windows.
* Treat automated file transfers (such as those scripted through WinSCP) to ESXi hosts as suspicious by default; a datastore should rarely receive files over SCP/SFTP outside a planned change.
* Protect the vCenter and ESXi accounts that PowerCLI authenticates with: least privilege, no shared or long-lived interactive credentials, and MFA on vCenter, since a compromised administrative account is all the attacker needs to run the same scripts.
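The first two mitigations (SSH off with policy off, a shell timeout, changes only through approved paths) reduce to a repeatable audit that can also remediate. The script below is an added example, not Hunters International tooling or VMware's own code. It uses the real PowerCLI cmdlets `Connect-VIServer`, `Get-VMHost`, `Get-VMHostService`, `Stop-VMHostService`, `Set-VMHostService`, `Get-AdvancedSetting` and `Set-AdvancedSetting`; the evaluation logic is kept in a separate function so it can be exercised on constructed service objects without a vCenter. The vCenter name, the 900-second timeout threshold, and the sample host data are assumptions.

```powershell
# Added example: audit every ESXi host for the SSH (TSM-SSH) and ESXi Shell (TSM)
# services and the shell idle timeout, then report and optionally remediate.
# Requires VMware PowerCLI and a vCenter account with Host.Config privileges
# (assumed); vCenter name and thresholds are placeholders.

function Get-HostShellFindings {
    # Pure evaluation over service objects shaped like Get-VMHostService output
    # (Key, Running, Policy) plus the shell timeout in seconds. Emits one finding
    # per deviation so the caller can report or act on it.
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [Parameter(Mandatory)] [object[]] $Services,
        [int] $ShellTimeoutSeconds,
        [int] $MaxTimeoutSeconds = 900   # assumed policy maximum
    )
    foreach ($svc in $Services | Where-Object { $_.Key -in 'TSM-SSH', 'TSM' }) {
        if ($svc.Running) {
            [pscustomobject]@{ Host = $HostName; Check = "$($svc.Key) running"; Value = $true }
        }
        if ($svc.Policy -ne 'off') {
            [pscustomobject]@{ Host = $HostName; Check = "$($svc.Key) startup policy"; Value = $svc.Policy }
        }
    }
    # 0 means "never time out": an enabled shell would stay open indefinitely.
    if ($ShellTimeoutSeconds -eq 0 -or $ShellTimeoutSeconds -gt $MaxTimeoutSeconds) {
        [pscustomobject]@{ Host = $HostName; Check = 'UserVars.ESXiShellTimeOut'; Value = $ShellTimeoutSeconds }
    }
}

function Invoke-EsxiShellAudit {
    param(
        [Parameter(Mandatory)] [string] $VCenter,
        [switch] $Remediate
    )
    Connect-VIServer -Server $VCenter | Out-Null
    try {
        foreach ($vmhost in Get-VMHost) {
            $services = Get-VMHostService -VMHost $vmhost
            $timeout  = (Get-AdvancedSetting -Entity $vmhost -Name 'UserVars.ESXiShellTimeOut').Value
            $findings = Get-HostShellFindings -HostName $vmhost.Name -Services $services -ShellTimeoutSeconds ([int]$timeout)
            $findings
            if ($Remediate -and $findings) {
                # Stop SSH / ESXi Shell if running and pin the startup policy to off.
                $services | Where-Object { $_.Key -in 'TSM-SSH', 'TSM' } | ForEach-Object {
                    if ($_.Running) { Stop-VMHostService -HostService $_ -Confirm:$false | Out-Null }
                    Set-VMHostService -HostService $_ -Policy Off | Out-Null
                }
                Get-AdvancedSetting -Entity $vmhost -Name 'UserVars.ESXiShellTimeOut' |
                    Set-AdvancedSetting -Value 900 -Confirm:$false | Out-Null
            }
        }
    } finally {
        Disconnect-VIServer -Server $VCenter -Confirm:$false
    }
}

# --- Demonstration on constructed service objects (no vCenter needed) ---
$sampleServices = @(
    [pscustomobject]@{ Key = 'TSM-SSH'; Running = $true;  Policy = 'on'  },  # the state an intrusion leaves behind
    [pscustomobject]@{ Key = 'TSM';     Running = $false; Policy = 'off' },
    [pscustomobject]@{ Key = 'ntpd';    Running = $true;  Policy = 'on'  }   # unrelated service, ignored
)
Get-HostShellFindings -HostName 'esxi01.example.internal' -Services $sampleServices -ShellTimeoutSeconds 0 |
    Format-Table -AutoSize
# Expected: three findings for esxi01 (TSM-SSH running, TSM-SSH policy 'on', timeout 0).

# Live run against a placeholder vCenter:
# Invoke-EsxiShellAudit -VCenter 'vcenter.example.internal' -Remediate
```

Run it without `-Remediate` on a schedule and diff the output against the previous run: a host whose `TSM-SSH` finding appears between two runs, with no change ticket, is exactly the behavioral indicator described above. With `-Remediate` it undoes the attacker's enablement, but it does not remove whatever was already transferred over SCP, so a positive finding should still trigger an investigation of the host's datastores and of the account that ran the enabling cmdlets.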
## Related Tools/Techniques
* ESXi-targeting ransomware encryptors (payloads that stop running VMs and encrypt VMDK and other datastore files).
* Other remote administration tools used to gain initial ESXi foothold (e.g., exploitation of known ESXi vulnerabilities).