Abuse of Kickidler Employee Monitoring Software in Ransomware Incidents
Ransomware groups have increasingly repurposed legitimate Kickidler employee monitoring software for malicious activities, including reconnaissance, tracking victim activities, and credential harvesting following network breaches.
The cybersecurity firms Varonis and Synacktiv have reported incidents in which ransomware affiliates of the Qilin and Hunters International groups installed Kickidler, an employee monitoring tool that logs keystrokes, captures screenshots and records video of user activity.
Kickidler boasts usage by over 5,000 organizations across 60 countries, offering features for visual monitoring and data loss prevention.
The attacks begin with Google Ads that target people searching for RVTools, a legitimate Windows utility for managing VMware vSphere deployments. Clicking the ad redirects users to a counterfeit RVTools website (rv-tool[.]net) that serves a modified copy of the program acting as a malware loader. The loader then downloads and executes the SMOKEDHAM PowerShell .NET backdoor, which is used to install Kickidler on the compromised device.
These operations primarily target enterprise administrators, whose compromised accounts give the threat actors access to privileged credentials. Varonis notes that attackers may retain unobserved access to a victim's environment for days to weeks, collecting the credentials they need to reach off-site cloud backups.
Unauthorized access to backup systems is a critical risk, particularly because attackers increasingly target them. To counter this, the researchers suggest that organizations decouple backup system authentication from the Windows domain, so that attackers who compromise even highly privileged Windows accounts cannot reach the backups.
Kickidler enables these breaches by logging keystrokes and the web pages visited from administrator workstations, letting the attackers identify off-site cloud backups and collect the associated passwords without resorting to more detectable techniques such as memory dumping.
After resuming activity on the compromised networks, the ransomware operators deployed malware targeting VMware ESXi infrastructure, encrypting VMDK virtual hard disks and causing significant disruption. The deployment scripts used by Hunters International relied on VMware PowerCLI and WinSCP Automation to enable the SSH service, execute the ransomware and infect the ESXi servers.
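Because the deployment scripts described above depend on the ESXi SSH service being turned on, a defender can watch for exactly that state. The following PowerCLI script is an added example, not code from the article, Varonis or Synacktiv: it connects to vCenter, lists every ESXi host whose SSH service is running or set to start with the host, and, when the assumed -Remediate switch is given, stops the service and sets its startup policy to Off. The vCenter server name is a placeholder parameter; TSM-SSH is the service key PowerCLI uses for the ESXi SSH daemon.

```powershell
# Added example (not from the article or the researchers' reports): audit ESXi
# hosts for an SSH service that is running or set to start automatically, and
# optionally stop it. Requires VMware PowerCLI and vCenter credentials.
# $VCenter and the -Remediate switch are assumptions for this example.
param(
    [Parameter(Mandatory)] [string] $VCenter,   # e.g. vcenter.example.local (placeholder)
    [switch] $Remediate                          # stop SSH and set policy Off on flagged hosts
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VCenter | Out-Null

$findings = foreach ($vmhost in Get-VMHost) {
    # TSM-SSH is the PowerCLI key for the ESXi SSH daemon.
    $ssh = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'TSM-SSH' }
    if ($null -eq $ssh) { continue }

    # Running = accepting SSH right now; Policy 'on' = starts with the host.
    $suspicious = $ssh.Running -or ($ssh.Policy -eq 'on')
    [pscustomobject]@{
        Host       = $vmhost.Name
        SshRunning = $ssh.Running
        SshPolicy  = $ssh.Policy
        Flag       = $suspicious
    }

    if ($suspicious -and $Remediate) {
        # Stop the daemon now and keep it from starting on the next boot.
        Stop-VMHostService -HostService $ssh -Confirm:$false | Out-Null
        Set-VMHostService  -HostService $ssh -Policy Off    | Out-Null
    }
}

$findings | Sort-Object Flag -Descending | Format-Table -AutoSize
Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it without -Remediate first and reconcile the flagged hosts against change records; SSH that is legitimately enabled for maintenance should show up there. Scheduling the read-only form and alerting on any host whose Flag turns true between runs gives an early signal that precedes the encryption step.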
Abuse of Legitimate RMM Software
Although employee monitoring software is not typically associated with ransomware attacks, these incidents highlight a broader trend in which ransomware groups misappropriate legitimate remote monitoring and management (RMM) tools.
CISA, the NSA, and MS-ISAC issued a joint advisory in January 2023, warning of attacks in which ransomware actors manipulate victims into installing portable remote desktop solutions to circumvent security measures and seize control of systems without requiring administrative privileges.
Since mid-October 2022, CISA has observed malicious activity within the networks of several federal civilian executive branch (FCEB) agencies linked to these types of attacks. Recently, attackers have targeted vulnerable SimpleHelp RMM clients, establishing administrator accounts and installing backdoors, potentially leading to Akira ransomware incidents.
To guard against this kind of abuse, network defenders should audit installed remote access tools and ensure only authorized RMM software is in use. Implementing application controls to restrict the execution of unauthorized RMM software, and ensuring that remote access goes through approved solutions such as VPN or VDI, is critical.
In addition, security teams should consider blocking inbound and outbound connections on standard RMM ports and protocols when they are not actively in use.
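The audit and port-blocking steps above, as an added PowerShell example that is not part of the article or the CISA advisory: it inventories installed programs, services and running processes on a Windows host, flags entries that match a watch list of remote-access tooling (Kickidler and SimpleHelp are taken from the incidents above; the list is meant to be extended), marks which of those match the organisation's approved list, and provides a function that adds firewall rules for remote-desktop ports that should be idle. The approved list, the watch list and the port list are assumptions for this example; 3389 (RDP) and 5900 (VNC) are the well-known defaults used as a starting point.

```powershell
# Added example (not from the article or CISA): inventory remote-access / RMM
# software on a Windows host, compare it with an approved list, and optionally
# add firewall rules blocking common remote-desktop ports. Run elevated.
# The approved list, watch list and port list are assumptions; adjust them.

# Software your organisation has explicitly approved (placeholder entries).
$Approved = @('Approved VPN Client', 'Approved VDI Client')

# Names associated with remote access / monitoring tooling. Kickidler and
# SimpleHelp come from the incidents described; extend from your inventory.
$WatchList = @('Kickidler', 'SimpleHelp')

function Get-InstalledPrograms {
    # Installed software as recorded in the Uninstall registry keys.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object DisplayName |
        Select-Object @{n='Name';e={$_.DisplayName}}, @{n='Source';e={'Registry'}}
}

function Get-RemoteAccessCandidates {
    # Collect installed programs, services (with binary path) and processes.
    $items  = @(Get-InstalledPrograms)
    $items += Get-CimInstance Win32_Service |
                Select-Object @{n='Name';e={"$($_.DisplayName) ($($_.PathName))"}},
                              @{n='Source';e={'Service'}}
    $items += Get-Process |
                Select-Object @{n='Name';e={$_.ProcessName}}, @{n='Source';e={'Process'}}

    foreach ($item in $items) {
        $hit = $WatchList | Where-Object { $item.Name -like "*$_*" } | Select-Object -First 1
        if (-not $hit) { continue }
        $isApproved = $Approved | Where-Object { $item.Name -like "*$_*" }
        [pscustomobject]@{
            Source   = $item.Source
            Name     = $item.Name
            Matched  = $hit
            Approved = [bool]$isApproved
        }
    }
}

function Block-RemoteAccessPorts {
    # Block inbound and outbound TCP on ports that should be unused while no
    # approved remote session is expected. 3389 (RDP) and 5900 (VNC) are
    # well-known defaults; add the ports of other tools from your inventory.
    param([int[]] $Ports = @(3389, 5900))
    foreach ($dir in 'Inbound', 'Outbound') {
        # Inbound rules match on the local port, outbound rules on the remote port.
        $portParam = if ($dir -eq 'Inbound') { @{ LocalPort = $Ports } }
                     else                    { @{ RemotePort = $Ports } }
        New-NetFirewallRule -DisplayName "Block unused remote-access ports ($dir)" `
            -Direction $dir -Action Block -Protocol TCP -Enabled True @portParam | Out-Null
    }
}

$findings = Get-RemoteAccessCandidates
$findings | Sort-Object Approved, Source | Format-Table -AutoSize
if ($findings | Where-Object { -not $_.Approved }) {
    Write-Warning 'Unapproved remote-access software found; review before blocking ports.'
}
# Uncomment once the inventory above has been reviewed:
# Block-RemoteAccessPorts
```

The port block is deliberately left as a commented call: adding an inbound block on 3389 to a server that administrators reach over RDP will cut off that access, so the inventory should be reconciled with the approved VPN or VDI path first. Running the inventory part from a scheduled task and shipping the findings to the SIEM turns this one-off audit into the continuous check the advisory asks for.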