The Kasseika threat actor has joined the growing club of threat actors using Bring Your Own Vulnerable Driver (BYOVD) tactics to disable antivirus/EDR software before carrying out malicious activity such as file encryption. Kasseika abuses the Martini driver, part of TG Soft's VirIT Agent System. Through the vulnerable driver, the malware gains the kernel-level privileges needed to terminate processes from a hardcoded list, many of which correspond to antivirus, EDR, security and analysis tools and system utilities. Because the driver is legitimately signed, driver signature enforcement alone does not stop this technique; defenders need a driver blocklist (for example WDAC policy or the Microsoft vulnerable driver blocklist) or monitoring for the driver load itself. Kasseika ransomware uses the ChaCha20 and RSA algorithms to encrypt target files, appending a pseudo-random string to the filenames, similar to BlackMatter ransomware. More information at this link.
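As an added example that is not part of the original post, the following Python sketch shows one detection approach for this pattern: correlating a watch-listed vulnerable driver load with terminations of security processes shortly afterwards, over constructed Sysmon-style log lines (Event ID 6 for driver loads, Event ID 5 for process terminations). The driver file name Martini.sys, the process names, the log format and the 30-second window are assumptions for illustration, not details taken from the post.

```python
"""
Detection sketch for BYOVD-style EDR killing (added example, not the post's
own code). It parses constructed Sysmon-like lines and raises an alert when a
watch-listed driver is loaded and one or more security tools are terminated
within a short window afterwards.
"""
from datetime import datetime, timedelta
import re

# Constructed sample log, loosely in Sysmon key=value style (not real telemetry).
SAMPLE_LOG = """\
2024-01-22 10:14:03 EventID=6 ImageLoaded=C:\\Users\\Public\\Martini.sys Signed=true SignatureStatus=Valid
2024-01-22 10:14:05 EventID=5 Image=C:\\Program Files\\Windows Defender\\MsMpEng.exe ProcessId=3120
2024-01-22 10:14:05 EventID=5 Image=C:\\Program Files\\SomeEDR\\edr_agent.exe ProcessId=4412
2024-01-22 10:14:06 EventID=5 Image=C:\\Windows\\System32\\notepad.exe ProcessId=5100
2024-01-22 11:30:00 EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Signed=true SignatureStatus=Valid
2024-01-22 11:30:07 EventID=5 Image=C:\\Windows\\System32\\cmd.exe ProcessId=6000
"""

# Drivers known to expose arbitrary process termination to user mode.
# 'martini.sys' is an assumed file name for the VirIT Agent System driver
# named in the post; extend this set from a maintained blocklist.
VULNERABLE_DRIVERS = {"martini.sys"}

# Image names of security tools we care about (assumed list for illustration).
SECURITY_PROCESSES = {"msmpeng.exe", "edr_agent.exe"}

# How long after the driver load a termination still counts as correlated.
WINDOW = timedelta(seconds=30)

# key=value pairs; the non-greedy value stops before the next " key=" or end of line,
# so paths containing spaces ("C:\Program Files\...") stay intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_line(line):
    """Split one log line into a dict of fields plus a datetime 'timestamp'."""
    ts_str, rest = line[:19], line[20:]
    fields = dict(FIELD_RE.findall(rest))
    fields["timestamp"] = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
    return fields


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_byovd_kills(log_text):
    """Return one alert per watch-listed driver load that is followed, within
    WINDOW, by termination of at least one security process."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    for ev in events:
        if ev.get("EventID") != "6":
            continue
        if basename(ev["ImageLoaded"]) not in VULNERABLE_DRIVERS:
            continue
        t0 = ev["timestamp"]
        killed = {
            basename(e["Image"])
            for e in events
            if e.get("EventID") == "5"
            and t0 <= e["timestamp"] <= t0 + WINDOW
            and basename(e["Image"]) in SECURITY_PROCESSES
        }
        if killed:
            alerts.append({
                "driver": ev["ImageLoaded"],
                "loaded_at": t0,
                "killed": sorted(killed),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_byovd_kills(SAMPLE_LOG):
        print(f"[ALERT] {alert['driver']} loaded at {alert['loaded_at']}; "
              f"security processes terminated: {', '.join(alert['killed'])}")
```

The benign tcpip.sys load in the sample produces no alert even though a process ends shortly after it, because only watch-listed driver names are correlated; in practice the watchlist should be keyed on file hashes or signer details rather than the file name, since an attacker controls the name under which the driver is dropped.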