Updated attack arsenal bolsters RansomHub stealth

After completing reconnaissance and privilege escalation, RansomHub abused TDSSKiller from a command-line script or batch file; the tool's kernel-level service interaction let it disable the Malwarebytes Anti-Malware Service without being flagged, according to an analysis from Malwarebytes' ThreatDown Managed Detection and Response team. The attackers then deployed LaZagne to extract credentials stored in databases, producing dozens of file writes, and deleted a file to conceal the malicious activity, the researchers said.
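The chain described above (a legitimate security utility pointed at an endpoint-protection service, followed shortly by a credential dumper on the same host) is the kind of sequence a detection engineer would correlate from process-creation telemetry. The following is an added example, not code from SC Magazine or the ThreatDown team: it runs a small correlation over constructed process events. The event fields, the keyword pattern for the Malwarebytes service, the list of script hosts, the 30-minute window and the sample timestamps are all assumptions made for this example; the TDSSKiller switch in the sample command line is elided with a placeholder.

```python
"""
Added example: flag TDSSKiller launches that name the Malwarebytes service or
come from a script host, flag LaZagne launches, and correlate the two on the
same host within a time window. All field names and sample data are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcEvent:
    ts: datetime      # event time (constructed)
    host: str         # hostname the process ran on
    image: str        # executable file name as logged, e.g. "tdsskiller.exe"
    cmdline: str      # full command line as logged
    parent: str       # parent process image name


# Assumed for this example: the service is referenced either by its display
# name ("Malwarebytes Anti-Malware Service") or by the short token "mbam".
# Matching on these avoids depending on any particular TDSSKiller switch.
SECURITY_SERVICE_PATTERN = re.compile(r"malwarebytes|mbam", re.IGNORECASE)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
CREDENTIAL_DUMPERS = {"lazagne.exe"}
WINDOW = timedelta(minutes=30)  # assumed correlation window


def tdsskiller_targets_security_service(ev: ProcEvent) -> bool:
    """True when TDSSKiller is launched with a command line that names the AV service."""
    return ev.image.lower() == "tdsskiller.exe" and bool(
        SECURITY_SERVICE_PATTERN.search(ev.cmdline)
    )


def tdsskiller_from_script(ev: ProcEvent) -> bool:
    """True when TDSSKiller is started by a script host (batch/PowerShell),
    which is unusual for an analyst running the tool interactively."""
    return ev.image.lower() == "tdsskiller.exe" and ev.parent.lower() in SCRIPT_HOSTS


def is_credential_dumper(ev: ProcEvent) -> bool:
    """True for known credential-dumping tool images (LaZagne here)."""
    return ev.image.lower() in CREDENTIAL_DUMPERS


def find_chains(events):
    """Return (host, tdsskiller_event, dumper_event) triples where a credential
    dumper runs on the same host within WINDOW after a suspicious TDSSKiller launch."""
    suspicious = [
        e for e in events
        if tdsskiller_targets_security_service(e) or tdsskiller_from_script(e)
    ]
    dumpers = [e for e in events if is_credential_dumper(e)]
    chains = []
    for t in suspicious:
        for d in dumpers:
            if d.host == t.host and t.ts <= d.ts <= t.ts + WINDOW:
                chains.append((t.host, t, d))
    return chains


# Constructed sample telemetry (not real log data).
T0 = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    # Benign: analyst runs a normal scan from the desktop; no service named.
    ProcEvent(T0, "ws01", "tdsskiller.exe", "TDSSKiller.exe -l scan.log", "explorer.exe"),
    # Suspicious: launched by a batch file, command line names the Malwarebytes
    # service. "<svc-flag>" is a placeholder for the elided switch.
    ProcEvent(T0 + timedelta(minutes=5), "srv02", "tdsskiller.exe",
              'TDSSKiller.exe <svc-flag> "Malwarebytes Anti-Malware Service"', "cmd.exe"),
    # Credential dumper on the same host four minutes later.
    ProcEvent(T0 + timedelta(minutes=9), "srv02", "lazagne.exe", "lazagne.exe all", "cmd.exe"),
    # Credential dumper on a different host with no preceding TDSSKiller activity.
    ProcEvent(T0 + timedelta(minutes=12), "ws07", "lazagne.exe", "lazagne.exe all", "cmd.exe"),
]


if __name__ == "__main__":
    for host, t, d in find_chains(SAMPLE_EVENTS):
        print(f"[{host}] {t.ts:%H:%M} {t.cmdline!r} -> {d.ts:%H:%M} {d.cmdline!r}")
```

On the sample data only the srv02 pair is reported as a chain: the analyst's scan on ws01 names no service and is not script-spawned, and the LaZagne run on ws07 has no preceding TDSSKiller activity, so it would surface as a single-tool alert rather than a correlated chain. Matching on the vendor's service name rather than on a specific switch keeps the rule useful if the operators change the invocation.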

Source: SC Magazine
