Sat May 10 2025

Popular work monitoring software is compromised to carry out ransomware attacks.

Ransomware groups are exploiting Kickidler to carry out their attacks.

Security researchers have raised alarms about the misuse of Kickidler, a legitimate employee monitoring tool that is now being used in ransomware attacks. The application was designed to let companies monitor employee productivity, comply with regulations, and detect insider threats. Its most notable features include real-time screen viewing, keystroke logging, and time tracking, capabilities that have caught the attention of cybercriminals.

According to experts from Varonis and Synacktiv, who have observed these attacks in action, the process begins with a malicious ad purchased on the Google Ads network. The ad is shown to people searching for RVTools, a free Windows utility that connects to VMware vCenter or ESXi servers. Users who click it are redirected to a trojanized version of the program that installs a backdoor called SMOKEDHAM.

Once attackers gain access through this backdoor, they deploy Kickidler against company administrators to capture the login credentials they use daily. The goal is to move through the entire network and ultimately deploy the encryptor.

The two groups identified using Kickidler are Qilin and Hunters International, who appear to be targeting cloud backup solutions, although they have encountered certain obstacles, according to Varonis. Varonis notes that, because attackers have increasingly focused on backup solutions in recent years, defenders have been decoupling authentication for backup systems from Windows domains. This measure keeps backups out of reach even when attackers obtain high-privilege Windows credentials.

Kickidler undermines this measure by capturing keystrokes and web pages from an administrator's workstation, allowing attackers to identify the cloud backups and harvest the passwords needed to access them, all without resorting to high-risk tactics that could be detected.

Researchers also noted that the payloads are directed at VMware ESXi infrastructure, encrypting the VMDK virtual hard disks. Hunters International has used VMware PowerCLI and WinSCP automation to enable SSH, transfer the ransomware, and execute it on the ESXi servers.
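Because the attack chain above hinges on SSH being switched on for ESXi hosts, a defender's first check is whether any host already has SSH running or set to start automatically. The following PowerCLI audit script is an added example, not code from the article or from the researchers it cites; it assumes the VMware.PowerCLI module is installed and that `$VCenter` is a placeholder for your own vCenter address.

```powershell
# Added example: inventory the SSH service state and lockdown mode of every
# ESXi host known to a vCenter, so unexpected SSH enablement stands out.
param(
    [Parameter(Mandatory = $true)][string]$VCenter   # placeholder, e.g. vcenter.example.invalid
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VCenter | Out-Null

$report = foreach ($vmhost in Get-VMHost) {
    # 'TSM-SSH' is the service key PowerCLI uses for the ESXi SSH daemon
    $ssh = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'TSM-SSH' }

    # lockdownNormal / lockdownStrict block direct host logins; lockdownDisabled does not
    $lockdown = $vmhost.ExtensionData.Config.LockdownMode

    # Flag a host for review if SSH is running, is set to start on its own
    # (Policy 'on' or 'automatic' rather than 'off'), or lockdown mode is off.
    $needsReview = $ssh.Running -or ($ssh.Policy -ne 'off') -or ($lockdown -eq 'lockdownDisabled')

    [pscustomobject]@{
        Host       = $vmhost.Name
        SshRunning = $ssh.Running
        SshPolicy  = $ssh.Policy
        Lockdown   = $lockdown
        Status     = if ($needsReview) { 'REVIEW' } else { 'ok' }
    }
}

# Hosts marked REVIEW are listed first; compare them against your change records.
$report | Sort-Object Status -Descending | Format-Table -AutoSize

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it on a schedule and diff the output against the previous run: a host whose SSH state flips from stopped to running without a matching change ticket is the signal to investigate.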