Malware & Ransomware · HIGH

Qilin Ransomware - Disables Major EDR Solutions with DLL

Cyber Security News

Qilin Ransomware · msimg32.dll · EDR solutions · Cisco Talos · ransomware-as-a-service

Basically, Qilin ransomware uses a sneaky trick to turn off security software.

Quick Summary

Qilin ransomware is using a malicious DLL to disable major EDR solutions. This sophisticated attack targets organizations' defenses, making them vulnerable to ransomware. Enhanced security measures are crucial to combat this threat.

What Happened

The Qilin ransomware group is evolving its tactics by deploying a sophisticated multi-stage infection chain. This attack utilizes a malicious DLL file, specifically msimg32.dll, which can disable over 300 endpoint detection and response (EDR) solutions from major security vendors. As organizations increasingly depend on EDR for enhanced visibility, threat actors are adapting by targeting these systems directly.

How It Works

The attack begins when a legitimate application, such as FoxitPDFReader.exe, sideloads the malicious msimg32.dll placed alongside it instead of the genuine Windows library of the same name. Because the loading process is a trusted, signed binary, this helps the malware avoid immediate detection. The rogue DLL forwards the exported API calls to the genuine library, so the application keeps working normally while the malicious code runs. The DLL carries an encrypted payload that is decrypted and executed in memory, avoiding detection by traditional file-based security measures.

Who's Being Targeted

Qilin ransomware has claimed over 40 victims per month, making it one of the most active ransomware-as-a-service (RaaS) operations. Organizations that rely on EDR solutions are particularly at risk, as the malware specifically targets these defenses to facilitate ransomware deployment.

Signs of Infection

Indicators of compromise include:

  • Unexpected DLL sideloading activity.
  • Installation of suspicious drivers like rwdrv.sys and hlpdrv.sys.
  • Any attempts to write to physical memory from user-mode processes.
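The first two indicators above, a copy of msimg32.dll loaded from somewhere other than the Windows system directories (the sideloading described under "How It Works") and loads of the rwdrv.sys / hlpdrv.sys drivers, can be checked against endpoint telemetry. The following is an added example, not code from the Cisco Talos report or the article: it evaluates Sysmon-style image-load (Event ID 7) and driver-load (Event ID 6) records. The event records, file paths and the assumption of a default `C:\Windows` install are constructed for the example.

```python
"""Added example (not from the Cisco Talos report or the article): flag two of
the host-side indicators the article lists over constructed Sysmon-style
records:
  - msimg32.dll loaded from outside the Windows system directories (sideloading)
  - a load of the rwdrv.sys or hlpdrv.sys driver
"""
import ntpath
from dataclasses import dataclass

# Directories a genuine msimg32.dll is expected to be loaded from.
# Assumption: a default Windows install on drive C:.
TRUSTED_DLL_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)

# Driver file names the article lists as indicators.
SUSPECT_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}

# DLL names to watch for sideloading; the article names msimg32.dll.
WATCHED_DLLS = {"msimg32.dll"}


@dataclass(frozen=True)
class Finding:
    rule: str      # which indicator fired
    process: str   # loading process (or "System" for kernel drivers)
    path: str      # the image that was loaded, as logged


def _norm(path):
    """Normalise a Windows path for comparison (case-insensitive, no dot segments)."""
    return ntpath.normpath(path).lower()


def check_image_load(event):
    """Sysmon Event ID 7 (Image loaded): Image = loading process, ImageLoaded = DLL."""
    image = _norm(event["ImageLoaded"])
    if ntpath.basename(image) not in WATCHED_DLLS:
        return None
    if ntpath.dirname(image) in TRUSTED_DLL_DIRS:
        return None  # genuine library from a system directory
    return Finding("dll_sideload", event["Image"], event["ImageLoaded"])


def check_driver_load(event):
    """Sysmon Event ID 6 (Driver loaded): ImageLoaded = driver file."""
    if ntpath.basename(_norm(event["ImageLoaded"])) in SUSPECT_DRIVERS:
        return Finding("suspect_driver", "System", event["ImageLoaded"])
    return None


def scan(events):
    """Run the two checks over a sequence of event dicts and return all findings."""
    findings = []
    for ev in events:
        if ev["EventID"] == 7:
            finding = check_image_load(ev)
        elif ev["EventID"] == 6:
            finding = check_driver_load(ev)
        else:
            finding = None
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample telemetry (paths are illustrative, not observed values).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Foxit Software\FoxitPDFReader.exe",
     "ImageLoaded": r"C:\Windows\System32\msimg32.dll"},        # benign system DLL
    {"EventID": 7, "Image": r"C:\Users\Public\FoxitPDFReader.exe",
     "ImageLoaded": r"C:\Users\Public\msimg32.dll"},            # sideloaded copy
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},       # not a watched DLL
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\rwdrv.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\hlpdrv.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"},  # benign
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.process} -> {f.path}")
```

Running the block reports one `dll_sideload` finding for the copy of msimg32.dll in `C:\Users\Public` and two `suspect_driver` findings. The path allowlist is deliberately narrow: a system DLL loaded from any application directory is worth a look, while a driver match on file name alone should be confirmed against the signer and hash fields Sysmon also records for Event IDs 6 and 7.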

How to Protect Yourself

To defend against this sophisticated threat, organizations should:

  • Monitor for unusual DLL activity and driver installations.
  • Implement multi-layered security solutions that can detect and respond to such advanced tactics.
  • Regularly update and patch security software so that it can withstand attacks that target the defenses themselves.

Conclusion

The Qilin ransomware campaign illustrates a significant shift in tactics. By targeting EDR solutions directly, attackers can operate undetected long enough to deploy their ransomware payloads. Organizations must enhance their security measures and remain vigilant against these evolving threats.

🔒 Pro insight: The Qilin ransomware's approach highlights a dangerous trend where attackers neutralize defense mechanisms before deploying payloads, necessitating robust multi-layered security strategies.

Original article from Cyber Security News · Guru Baran
