Impair Defenses: Disabled Tools

ID

impair_defenses_disabled_tools

Severity

critical

Resource

System

Tags

trojan

Description

This detector looks for code that tries to disable security tools (such as Windows Defender) so that the malware, its tooling and its activity go undetected.

Rationale

Adversaries may modify or disable security tools to avoid detection of their malware, tools and activities. This may take many forms, such as killing security software processes or services, modifying or deleting Registry keys or configuration files so that tools no longer operate properly, or otherwise interfering with the scanning or reporting done by security tools. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.

This behaviour is common across malicious code in general; some well-known families that use the technique include:

  • Egregor, a Ransomware-as-a-Service (RaaS) tool that was first observed in September 2020.

  • Pysa, a ransomware that was first used in October 2018 and has been seen to target particularly high-value finance, government and healthcare organizations.

  • QakBot, a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware, most notably ProLock and Egregor.

  • TrickBot, a Trojan spyware program that first emerged in September 2016 as a possible successor to Dyre. TrickBot was developed and initially used by Wizard Spider for targeting banking sites in North America, Australia, and throughout Europe; it has since been used against all sectors worldwide as part of "big game hunting" ransomware campaigns.

  • WarzoneRAT, a malware-as-a-service remote access tool (RAT) that has been publicly available for purchase since at least late 2018.
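As an added example (not the detector's own logic, and not code from any of the families above), a small Python triage script that maps process command lines to the impairment categories named in the rationale: stopping or killing the security service or process, tampering with its Registry keys or configuration, and disabling updates. The command lines are constructed samples, and the Windows Defender and Windows Update indicators used as patterns are assumptions chosen for illustration, not the detector's signature set.

```python
import re

# Detection categories taken from the rationale above; the patterns are
# assumed, widely documented Windows Defender / Windows Update indicators.
PATTERNS = {
    "stop_security_service": [
        r'\b(?:sc|net)(?:\.exe)?\s+stop\s+"?WinDefend\b',
        r'Stop-Service\b.*\bWinDefend\b',
    ],
    "kill_security_process": [
        r'taskkill(?:\.exe)?\b.*\b(?:MsMpEng|MsSense)\.exe\b',
        r'Stop-Process\b.*\b(?:MsMpEng|MsSense)\b',
    ],
    "registry_or_config_tampering": [
        r'reg(?:\.exe)?\s+add\b.*Windows Defender.*\bDisableAntiSpyware\b',
        r'Set-MpPreference\b.*-Disable\w+\s+\$?true',
    ],
    "disable_updates": [
        r'\b(?:sc|net)(?:\.exe)?\s+stop\s+"?wuauserv\b',
        r'reg(?:\.exe)?\s+add\b.*\bNoAutoUpdate\b',
    ],
}
COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats]
            for cat, pats in PATTERNS.items()}


def classify(cmdline):
    """Return the set of impairment categories a command line matches (empty if none)."""
    return {cat for cat, pats in COMPILED.items()
            if any(p.search(cmdline) for p in pats)}


def scan(lines):
    """Return (line, sorted categories) for every line matching at least one category."""
    hits = []
    for line in lines:
        cats = classify(line)
        if cats:
            hits.append((line, sorted(cats)))
    return hits


# Constructed process-creation command lines, not real telemetry.
SAMPLE_LOG = [
    'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"',
    'sc.exe stop WinDefend',
    'reg.exe add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f',
    'taskkill.exe /F /IM MsMpEng.exe',
    'net stop wuauserv',
    'notepad.exe C:\\Users\\alice\\notes.txt',  # benign control line
]

if __name__ == "__main__":
    for line, cats in scan(SAMPLE_LOG):
        print(f"[{', '.join(cats)}] {line}")
```

Each category corresponds to one bullet of the rationale, so a hit tells an analyst which kind of impairment to look for in the surrounding telemetry.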