New Threat Actor Tool Exploited Maliciously
The Trend Micro Threat Hunting Team has identified a concerning new trend in cyberattacks: criminals are adopting a red team tool designed to disrupt Endpoint Detection and Response (EDR) systems. Initially developed for security professionals, it has since been exploited by malicious actors to block EDR communications, aiding them in breaching security perimeters.
The tool works by disrupting the transmission of telemetry and alerts from the EDR system to its management console, thereby hindering the identification and removal of malware. It leverages the Filtering Platform, dynamically identifying active EDR processes on the system and then creating filters that block their outbound communications. This prevents the EDR solution from reporting potential threats, rendering it effectively blind. Additionally, during testing it was found that the tool also blocks other processes not initially included in its target list, indicating how broadly and flexibly it can be applied.
The filtering framework (a component that allows developers to define custom network filtering rules) is used, which shows how the attackers abused a legitimate platform for malicious purposes. By blocking traffic related to the EDR process, the attacker can prevent security tools from sending telemetry data or alerts, allowing the threat to persist undetected. The tool's command-line interface gives attackers several options for blocking traffic: automatically blocking traffic from all detected EDR processes, blocking traffic from specified processes, removing all filters created by the tool, and removing individual filters.
The typical attack chain begins with a process discovery phase, in which the tool compiles a list of running processes associated with known EDR products. The attacker then deploys the tool either to block communication for all detected processes at once or to selectively block communication for specific process paths. After privilege escalation, the tool configures filters that block the targeted processes' outbound traffic. These filters are persistent, remaining active even after system reboots. Once communication is blocked, malicious actors can execute payloads with a lower risk of detection. In Trend Micro's own tests, the tool was observed to effectively prevent endpoint activity logs from reaching the management console, keeping the attack covert.
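As an added defender-side check (not code from Trend Micro's report), the script below looks for the kind of filter described above: it assumes the filtering platform is the Windows Filtering Platform, whose filter set can be exported with `netsh wfp show filters`, and parses a constructed excerpt in that export's XML layout. The element names, the sensor binary name and its path are assumptions; the check reports block filters on the outbound connect layers that are keyed to a watched security binary and flags whether they are persistent.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the XML layout that `netsh wfp show filters`
# exports (element names are an assumption; only the fields this check reads
# are included). Filter 70001 is a persistent outbound block keyed to a
# hypothetical sensor binary; 70002 is an ordinary built-in permit rule.
SAMPLE_WFP_XML = r"""<wfpdiag><filters>
<item><displayData><name>Custom Outbound Filter</name></displayData>
  <flags numItems="1"><item>FWPM_FILTER_FLAG_PERSISTENT</item></flags>
  <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
  <filterCondition numItems="1"><item><fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
    <conditionValue><byteBlob><asString>\device\harddiskvolume3\program files\examplesec\sensor.exe</asString></byteBlob></conditionValue>
  </item></filterCondition>
  <action><type>FWP_ACTION_BLOCK</type></action><filterId>70001</filterId></item>
<item><displayData><name>Core Networking - DNS (UDP-Out)</name></displayData>
  <flags numItems="0"/><layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
  <filterCondition numItems="1"><item><fieldKey>FWPM_CONDITION_IP_REMOTE_PORT</fieldKey>
    <conditionValue><uint16>53</uint16></conditionValue></item></filterCondition>
  <action><type>FWP_ACTION_PERMIT</type></action><filterId>70002</filterId></item>
</filters></wfpdiag>"""

# Outbound connect layers (IPv4 and IPv6): a per-application block here
# silences everything the matched process tries to send; persistent ones
# survive reboots and deserve the loudest alert.
OUTBOUND_LAYERS = {"FWPM_LAYER_ALE_AUTH_CONNECT_V4",
                   "FWPM_LAYER_ALE_AUTH_CONNECT_V6"}

def find_app_block_filters(xml_text, watched_names):
    """Return (filter_id, name, app_path, persistent) for each block filter on
    an outbound layer whose ALE_APP_ID condition ends with a watched name."""
    watched = tuple(n.lower() for n in watched_names)
    hits = []
    for flt in ET.fromstring(xml_text).find("filters").findall("item"):
        if flt.findtext("action/type") != "FWP_ACTION_BLOCK":
            continue
        if flt.findtext("layerKey") not in OUTBOUND_LAYERS:
            continue
        persistent = any(f.text == "FWPM_FILTER_FLAG_PERSISTENT"
                         for f in flt.findall("flags/item"))
        for cond in flt.findall("filterCondition/item"):
            if cond.findtext("fieldKey") != "FWPM_CONDITION_ALE_APP_ID":
                continue
            path = (cond.findtext("conditionValue/byteBlob/asString") or "").lower()
            if path.endswith(watched):
                hits.append((flt.findtext("filterId"),
                             flt.findtext("displayData/name"), path, persistent))
    return hits

if __name__ == "__main__":
    for fid, name, path, persistent in find_app_block_filters(SAMPLE_WFP_XML, ["sensor.exe"]):
        print("PERSISTENT" if persistent else "transient", fid, name, path)
```

On a real host the watched names would be the actual binaries of the deployed security products, and any hit that the organisation did not create itself should be investigated before the filter is removed.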
The discovery highlights the growing trend of cybercriminals using legitimate red team tools for malicious attacks. Disabling EDR in this way leaves organizations more vulnerable to widespread damage from ransomware and other forms of malware. To defend against tools like this one, Trend Micro recommends the following measures:
Multi-layered security controls: Implement network segmentation to limit lateral movement and employ a defense-in-depth strategy that combines firewalls, intrusion detection, antivirus, and EDR solutions.
Enhanced endpoint security: Use behavioral analysis and application whitelisting to detect anomalous activities and restrict the execution of unauthorized software.
Continuous monitoring and threat hunting: Actively search for indicators of compromise (IoCs) and advanced persistent threats (APTs).
Strict access controls: Implement the principle of least privilege to restrict access to sensitive areas of the network.