Popular Employee Monitoring Software Compromised for Ransomware Campaigns

Raine Baker
  • Cybercriminals use backdoors to deploy Kickidler, a legitimate employee monitoring tool
  • The tool is hijacked to steal login credentials before encrypting malware is installed
  • VMware ESXi servers are being specifically targeted

In a shocking twist, the widely used employee monitoring tool Kickidler is being weaponized in ransomware campaigns, as highlighted by cybersecurity researchers. Originally designed to help businesses optimize workforce performance, ensure compliance and detect insider threats, the software's features, such as real-time screen viewing and keystroke logging, have attracted the attention of malicious actors.

Researchers from Varonis and Synacktiv have documented these incidents in action. Their analysis reveals a common entry point: poisoned advertisements on the Google Ads platform. Users searching for RVTools, a legitimate utility for connecting to VMware vCenter or ESXi hosts, are served these ads and download a trojanized version of the application, which leads them straight into danger.

Cloud Backups Become Prime Targets

Once the backdoor is installed, the attackers deploy Kickidler to harvest the login credentials of enterprise administrators, gaining a foothold in the organization's network. Their ultimate aim? To spread into every corner of the environment and then trigger the ransomware payload.

Two notorious groups utilizing this method are Qilin and Hunters International, with a particular focus on cloud backup systems. Varonis notes that these attackers appear to be hitting obstacles due to increased security measures. “With larger numbers of cyberattacks directed at backup solutions lately, organizations are decoupling backup system authentication from Windows domains,” Varonis explained in a recent interview with BleepingComputer.

This strategic move makes it significantly harder for attackers to reach backup data even if they manage to steal high-level Windows credentials. Kickidler captures keystrokes and web pages from administrators' sessions, letting the attackers locate off-site cloud backups and obtain their passwords without resorting to noisier methods that might trigger detection.

These attacks are particularly sophisticated and are aimed at VMware ESXi infrastructure. The attackers' modus operandi is to encrypt the VMDK virtual hard drives: they use tools such as VMware PowerCLI and WinSCP Automation to enable SSH access on the ESXi hosts, deploy the ransomware over that connection, and execute it on the vulnerable ESXi servers.
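Because the chain above hinges on SSH being switched on at the hypervisor, a defender's first check is whether any ESXi host has SSH running, set to auto-start, or lockdown mode disabled, and who changed it. The PowerCLI audit below is an added example (not code from the article, Varonis or Synacktiv); it assumes VMware PowerCLI is installed and that the account used has read access to the vCenter named in $VCenter.

```powershell
# Added audit example, not from the article or the cited researchers.
# Assumes VMware PowerCLI is installed and read access to vCenter ($VCenter).
param(
    [Parameter(Mandatory)] [string] $VCenter,   # assumption: vCenter FQDN or IP
    [int] $LookbackDays = 7                     # how far back to scan events
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VCenter | Out-Null

# One row per ESXi host: SSH service state (key TSM-SSH) and lockdown mode.
$findings = foreach ($vmhost in Get-VMHost) {
    $ssh      = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'TSM-SSH' }
    $lockdown = $vmhost.ExtensionData.Config.LockdownMode
    [pscustomobject]@{
        Host         = $vmhost.Name
        SshRunning   = $ssh.Running
        SshPolicy    = $ssh.Policy      # 'off' expected; 'on' means auto-start
        LockdownMode = $lockdown        # 'lockdownDisabled' means no lockdown
        Flag         = ($ssh.Running -or $ssh.Policy -eq 'on' -or
                        $lockdown -eq 'lockdownDisabled')
    }
}
$findings | Sort-Object Flag -Descending | Format-Table -AutoSize

# Service-state changes are recorded as vCenter events; list recent SSH-related
# ones with the user who made them, so an unexpected enable stands out.
$since = (Get-Date).AddDays(-$LookbackDays)
Get-VIEvent -Start $since -MaxSamples 5000 |
    Where-Object { $_.FullFormattedMessage -match 'TSM-SSH|SSH' } |
    Select-Object CreatedTime, UserName,
                  @{ n = 'Host'; e = { $_.Host.Name } }, FullFormattedMessage |
    Sort-Object CreatedTime -Descending |
    Format-Table -Wrap

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Any host with Flag set to True, or an SSH enable event from an unfamiliar account, deserves a follow-up before the hypervisor is trusted.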

What’s Next?

As these trends unfold, it is critical for organizations to adapt swiftly to the evolving tactics employed by cybercriminals. The rise in ransomware attacks that abuse employee monitoring software signals a broader issue: security must evolve with technology. This situation also sparks debate about the implications of employee surveillance tools in a digital age rife with cybersecurity challenges. Will companies reconsider their reliance on such software, or will they find new ways to fortify their defenses? Only time will tell.
