- The Crypto24 ransomware group has been seen disabling AV protection before deploying its encryptor
- In some cases it can even uninstall the AV programs
- A layered defense is the best approach to lessen the threat
Security researchers have found another antivirus-killing tool in the wild that attackers run before dropping further payloads.
Researchers at Trend Micro have detailed a custom variant of the open-source tool RealBlindingEDR.
The tool carries a hard-coded list of antivirus vendor names:
Trend Micro
Kaspersky
Sophos
SentinelOne
Malwarebytes
Cynet
McAfee
Bitdefender
Broadcom (Symantec)
Cisco
Fortinet
Acronis
Once deployed on a device, it searches driver metadata for these names and, when it finds a match, removes the corresponding kernel-level hooks and callbacks, effectively blinding the detection engines. Trend Micro's researchers also found that the attackers can silently uninstall antivirus programs, opening the door to easy deployment of second-stage malware.
Crypto24
The tool was seen in the wild in the hands of a group called Crypto24, an emerging ransomware operation first observed in September 2024.
However, the researchers believe the group is made up of former members of other, now-defunct hacking collectives, since its members are highly skilled and experienced.
After gaining initial access, establishing persistence and removing the antivirus roadblocks, the group typically deploys two pieces of malware: a keylogger and an encryptor. All stolen data is exfiltrated to Google Drive using a custom tool.
The identity and location of Crypto24 are currently unknown. However, the researchers say the group has successfully hit a number of major organizations in the United States, Europe and Asia. Most of its targets are in finance, manufacturing, technology and entertainment.
There are many ways to protect against attacks that aim to disable antivirus protection, starting with a layered defense strategy.
Companies can use a reputable antivirus product with tamper protection, enable real-time protection and firewalls, and run a separate anti-malware tool that can coexist with the AV.
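The behaviour described above (a new kernel driver, then AV protection going dark or an AV product being removed) is something a defender can look for in endpoint logs. The following is an added example, not code from the article, Trend Micro or the tool it describes: it correlates constructed Windows event records (Service Control Manager 7045 for a service install, Windows Defender 5001 for real-time protection disabled, MsiInstaller 11724 for a product removal) and flags any protection loss that follows a kernel-mode driver install within an assumed 15-minute window. The service names, product name and timestamps in the sample records are invented.

```python
import re
from datetime import datetime, timedelta

# Vendor names the article says the tool carries, lower-cased for matching.
AV_VENDORS = ("trend micro", "kaspersky", "sophos", "sentinelone", "malwarebytes", "cynet",
              "mcafee", "bitdefender", "symantec", "cisco", "fortinet", "acronis")
WINDOW = timedelta(minutes=15)  # assumption: protection loss this soon after a new driver is suspicious
DEFENDER_LOG = "Microsoft-Windows-Windows Defender/Operational"

# Constructed sample records, not real telemetry: (timestamp, channel, event id, message).
SAMPLE_EVENTS = [
    ("2025-08-14 10:01:22", "System", 7045,
     "A service was installed in the system. Service Name: wdfilter_x Service Type: kernel mode driver"),
    ("2025-08-14 10:02:05", DEFENDER_LOG, 5001, "Real-time protection is disabled."),
    ("2025-08-14 10:04:40", "Application", 11724,
     "Product: Trend Micro Apex One -- Removal completed successfully."),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def driver_name(event):
    """Service name if this is a System 7045 kernel-mode driver install, else None."""
    _, channel, eid, msg = event
    if channel == "System" and eid == 7045 and "kernel mode driver" in msg.lower():
        m = re.search(r"Service Name:\s*(\S+)", msg)
        return m.group(1) if m else None
    return None

def protection_loss(event):
    """Short description if the event records AV protection disabled or an AV product removed."""
    _, channel, eid, msg = event
    if channel == DEFENDER_LOG and eid == 5001:
        return "real-time protection disabled"
    if channel == "Application" and eid == 11724 and any(v in msg.lower() for v in AV_VENDORS):
        return "AV product removed: " + msg.split("Product:")[1].split("--")[0].strip()
    return None

def correlate(events):
    """Pair each kernel driver install with the protection-loss events that follow it within WINDOW."""
    events = sorted(events, key=lambda e: _ts(e[0]))
    alerts = []
    for i, ev in enumerate(events):
        drv = driver_name(ev)
        if drv:
            later = [e for e in events[i + 1:] if _ts(e[0]) - _ts(ev[0]) <= WINDOW]
            alerts += [(drv, d) for d in map(protection_loss, later) if d]
    return alerts
```

Feeding the sample records to `correlate` yields two alerts, both tied to the `wdfilter_x` driver; a driver install with nothing following it, or a protection loss hours later, produces none.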
Via BleepingComputer