Hackers disable antivirus software to hide attacks on Russian companies

Experts at the Solar 4RAYS cyber threat research center (Solar Group) have recorded a new trend in cyberattacks — malicious actors are finding ways to disable antivirus programs to hide their presence in the systems of Russian companies. During one investigation, specialists discovered a new hacker group using methods that allow them to bypass the defenses of any vendor, including popular cybersecurity solutions.

One such incident occurred in an industrial organization. The malicious file was discovered by experts at the Solar JSOC cyberattack response center. The investigation revealed that the attackers penetrated the corporate network through a vulnerability in DameWare Mini Remote Control software, used for remote administration.

Key stages of the attack:

  1. Exploiting a vulnerability in software that remained accessible from the external network since the pandemic.
  2. Placing a malicious file in the administration directory of the antivirus solution.
  3. Disabling the antivirus (in this case, Kaspersky Lab).
  4. Disabling the MiniFilter technology, which is used to monitor activity in the Windows file system.
  5. Replacing the antivirus's callback functions with dummy values, which deprives the protection system of the ability to detect threats.

After deactivating the protection, hackers could download any malicious programs without fear of detection.

After receiving information from Solar 4RAYS, Kaspersky Lab promptly refined the self-defense mechanisms of its products and released updates. The updated versions included enhanced threat detection rules, as well as new algorithms to protect against the loading of suspicious drivers.

Specialists at Solar 4RAYS note that attacks involving the disabling of protective measures are becoming increasingly common. If previously such techniques were used primarily in targeted espionage campaigns, now they are actively used by cybercriminals for destructive attacks on critical infrastructure.

Experts at Solar 4RAYS recommend that enterprises:

  1. Regularly check the operability of protective solutions – a disabled antivirus may be a sign of hacking.
  2. Monitor telemetry transmission – it is important to track whether systems transmit data about security events.
  3. Assess the level of infrastructure compromise – this will help identify attacks before serious consequences occur.
  4. Use layered protection – the integration of EDR, XDR, and NDR helps detect complex attacks in real time.
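One concrete form of the first recommendation, checking that the protective solution is actually operating, is to verify that the antivirus's file-system minifilter (the component the attackers disabled in stage 4 above) is still registered and attached. The script below is an added example, not code from Solar 4RAYS, Solar JSOC or Kaspersky Lab; it parses the output of the Windows `fltmc filters` command and reports expected filters that are absent or attached to no volume. The expected-filter set is an assumption to be taken from a known-good host (`WdFilter` is Microsoft Defender's minifilter and is used only as a stand-in), and the sample output is constructed so the check can be exercised off a Windows host.

```python
"""Minifilter health check: verify that the antivirus minifilter is still
registered with the Windows Filter Manager.  Added example, not vendor code.
Run on Windows as an administrator; elsewhere it parses a constructed sample."""
import re
import subprocess
import sys

# Assumption: names of minifilter drivers that must be present on a healthy
# host.  WdFilter (Microsoft Defender) is a stand-in; replace it with the
# filter name of the deployed product, read from a known-good reference host.
EXPECTED_FILTERS = {"WdFilter"}

# Constructed sample in the shape of `fltmc filters` output (values invented);
# note that the expected filter is missing, which is the condition we alert on.
SAMPLE_FLTMC_OUTPUT = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
storqosflt                              0       244000         0
wcifs                                   0       189900         0
FileInfo                                4        45000         0
"""

# One data row: name, instance count, altitude (may carry a decimal part), frame.
_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)\s*$")


def parse_fltmc(output):
    """Parse `fltmc filters` text into {name: {"instances", "altitude", "frame"}}.
    Header and separator lines do not match the row pattern and are skipped."""
    filters = {}
    for line in output.splitlines():
        m = _ROW.match(line)
        if m:
            filters[m.group(1)] = {
                "instances": int(m.group(2)),
                "altitude": m.group(3),
                "frame": int(m.group(4)),
            }
    return filters


def unhealthy_filters(output, expected=EXPECTED_FILTERS):
    """Return the expected filters that are either not registered at all or
    registered with zero instances (present, but attached to no volume, so it
    sees no file-system activity).  An empty set means the check passed."""
    loaded = parse_fltmc(output)
    return {
        name for name in expected
        if name not in loaded or loaded[name]["instances"] == 0
    }


def collect_fltmc_output():
    """Run `fltmc filters` on Windows; fall back to the constructed sample."""
    if sys.platform != "win32":
        return SAMPLE_FLTMC_OUTPUT
    try:
        result = subprocess.run(["fltmc", "filters"], capture_output=True,
                                text=True, check=True)
    except (OSError, subprocess.CalledProcessError) as exc:
        # fltmc needs administrative rights; surface the failure instead of
        # silently reporting a healthy host.
        raise SystemExit(f"fltmc failed: {exc}")
    return result.stdout


def main():
    output = collect_fltmc_output()
    bad = unhealthy_filters(output)
    if bad:
        print("ALERT: antivirus minifilter missing or detached:", ", ".join(sorted(bad)))
        return 1
    print("OK: all expected minifilters are registered and attached")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

A non-zero exit status is intended to feed a monitoring job so that a filter that disappears between two runs is raised as an incident rather than logged and forgotten; comparing against a baseline captured from a healthy host, instead of a hard-coded list, keeps the check honest when the vendor renames or adds filters.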

Attackers are improving their methods, finding ways to bypass even the most advanced antivirus solutions. Proactive cybersecurity measures are therefore becoming essential: without multi-layered protection and constant monitoring of the organization's infrastructure, the risk of losses and destructive consequences increases significantly.
