
Makop Ransomware Exploits RDP Systems with AV-Killer Tactics
Makop ransomware, a variant of the Phobos malware family first identified in 2020, has continued to evolve as a major cybersecurity threat to organizations worldwide. Recent analyses have revealed that its operators are employing increasingly sophisticated techniques to compromise systems and evade detection.
A Tactical Approach to Breaching Networks
Makop ransomware operators utilize a systematic attack strategy, beginning with brute-force attacks on Remote Desktop Protocol (RDP) systems. Tools like NLBrute are deployed to exploit weak or reused passwords on exposed RDP endpoints, allowing attackers to gain initial access to a network. From this foothold, they employ a variety of tools to deepen their reach, including privilege escalation exploits, antivirus-removal utilities, and credential-dumping programs.
Once inside, attackers prioritize lateral movement and reconnaissance to identify high-value targets within the network. Tools such as NetScan, Advanced IP Scanner, and Masscan are used to map network infrastructure. Files and executables are strategically placed in locations such as RDP shares, music directories, and desktop folders to blend in with standard user activity, making detection by security solutions less likely.
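The brute-force stage described above leaves a recognisable trace in the Windows Security log: a burst of failed logons (Event ID 4625) with LogonType 10 from one source, often followed by a success (4624) for the same account. The following detector is an added example written for this article, not code from any report it cites; the event records are constructed sample data, and the input shape (one dict per event using the Security-log field names EventID, TimeCreated, IpAddress, LogonType, TargetUserName) is an assumption.

```python
"""Spot RDP brute-force activity in Windows Security log events.

Added detection example for this article; not code from any cited report.
The records below are constructed sample data. Assumed input: one dict per
event carrying the Security-log fields EventID, TimeCreated (ISO 8601, UTC),
IpAddress, LogonType and TargetUserName.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10            # RemoteInteractive: the logon type RDP sessions use
FAILED, SUCCESS = 4625, 4624   # Security log: failed logon / successful logon

# Constructed sample: a six-attempt burst from 203.0.113.7 that ends in a
# success, two genuine typos from 198.51.100.5, and one SMB (type 3) failure
# that the RDP filter should ignore.
SAMPLE_EVENTS = [
    {"EventID": FAILED, "TimeCreated": "2025-01-10T02:00:01", "IpAddress": "203.0.113.7", "LogonType": 10, "TargetUserName": "administrator"},
    {"EventID": FAILED, "TimeCreated": "2025-01-10T02:00:14", "IpAddress": "203.0.113.7", "LogonType": 10, "TargetUserName": "administrator"},
    {"EventID": FAILED, "TimeCreated": "2025-01-10T02:00:27", "IpAddress": "203.0.113.7", "LogonType": 10, "TargetUserName": "administrator"},
    {"EventID": FAILED, "TimeCreated": "2025-01-10T02:00:40", "IpAddress": "203.0.113.7", "LogonType": 10, "TargetUserName": "administrator"},
    {"EventID": FAILED, "TimeCreated": "2025-01-10T02:00:53", "IpAddress": "203.0.113.7", "LogonType": 10, "TargetUserName": "administrator"},
    {"EventID": FAILED, "TimeCreated": "2025-01-10T02:01:06", "IpAddress": "203.0.113.7", "LogonType": 10, "TargetUserName": "administrator"},
    {"EventID": SUCCESS, "TimeCreated": "2025-01-10T02:03:10", "IpAddress": "203.0.113.7", "LogonType": 10, "TargetUserName": "administrator"},
    {"EventID": FAILED, "TimeCreated": "2025-01-10T02:00:05", "IpAddress": "192.0.2.9", "LogonType": 3, "TargetUserName": "svc_backup"},
    {"EventID": FAILED, "TimeCreated": "2025-01-10T09:15:02", "IpAddress": "198.51.100.5", "LogonType": 10, "TargetUserName": "jdoe"},
    {"EventID": FAILED, "TimeCreated": "2025-01-10T09:15:40", "IpAddress": "198.51.100.5", "LogonType": 10, "TargetUserName": "jdoe"},
    {"EventID": SUCCESS, "TimeCreated": "2025-01-10T09:16:05", "IpAddress": "198.51.100.5", "LogonType": 10, "TargetUserName": "jdoe"},
]


def _t(evt):
    """Timestamp of an event as a datetime."""
    return datetime.fromisoformat(evt["TimeCreated"])


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: summary} for every source with at least `threshold`
    failed RDP logons inside some `window`; the summary records whether a
    successful RDP logon from the same source followed the burst."""
    by_ip = defaultdict(list)
    for evt in events:
        if evt["LogonType"] == RDP_LOGON_TYPE:
            by_ip[evt["IpAddress"]].append(evt)

    findings = {}
    for ip, evts in by_ip.items():
        evts.sort(key=_t)
        failures = [evt for evt in evts if evt["EventID"] == FAILED]
        burst_end = None
        start = 0
        for end in range(len(failures)):            # sliding window over failures
            while _t(failures[end]) - _t(failures[start]) > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = _t(failures[end])
                break
        if burst_end is None:
            continue
        later_success = [evt for evt in evts
                         if evt["EventID"] == SUCCESS and _t(evt) >= burst_end]
        findings[ip] = {
            "failures": len(failures),
            "users": sorted({evt["TargetUserName"] for evt in failures}),
            "success_after_burst": later_success[0]["TargetUserName"] if later_success else None,
        }
    return findings


if __name__ == "__main__":
    for ip, summary in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, summary)
```

A "success after burst" finding is the one to page on, since it means a credential was guessed rather than merely attempted. One caveat for production use: when Network Level Authentication is enabled, failed RDP attempts are commonly logged as 4625 with LogonType 3 rather than 10, so a real rule should widen the filter or correlate with the RemoteDesktopServices-RdpCoreTS operational log, which records the client IP of failed connections.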
Anti-Virus Evasion with BYOVD Techniques
Makop operators have integrated advanced tactics, including the use of Bring Your Own Vulnerable Driver (BYOVD) techniques. This approach leverages legitimate but vulnerable drivers, such as hlpdrv.sys and ThrottleStop.sys, to gain kernel-level access and disable endpoint detection and response (EDR) systems.
One particularly notable vulnerability exploited by Makop is CVE-2025-7771 in ThrottleStop.sys, a legitimate driver developed for CPU monitoring. This vulnerability enables attackers to manipulate memory access and bypass security measures. By using drivers signed by legitimate vendors, Makop operators can execute malicious code at the kernel level without raising red flags in security monitoring solutions.
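Because a BYOVD attack has to register the driver as a kernel-mode service before it can load, the System log's Event ID 7045 ("A service was installed in the system") is a natural place to catch it. The triage below is an added example for this article, not code from any cited vendor; the 7045 records are constructed sample data, and the watchlist contains only the two driver names the article mentions, which is an assumption rather than an authoritative list.

```python
"""Flag suspicious kernel-driver service installations (BYOVD precursors).

Added example for this article; not code from any cited report. The 7045
records below are constructed sample data using the event's ServiceName,
ImagePath and ServiceType fields. The watchlist is assumed: it holds only
the two driver names the article mentions.
"""
import ntpath
import re

# Driver names the article associates with Makop's BYOVD activity. A name
# match is a weak signal (a renamed copy evades it); production rules should
# hash the file and compare against a vulnerable-driver blocklist instead.
WATCHLIST = {"hlpdrv.sys", "throttlestop.sys"}

# Path forms under which a legitimately installed driver is expected to live.
EXPECTED_DIR = re.compile(
    r"^(?:\\\?\?\\)?(?:\\systemroot\\|%systemroot%\\|c:\\windows\\)?system32\\drivers\\[^\\]+\.sys$",
    re.I,
)

# Constructed sample 7045 records: two staged vulnerable drivers, one normal
# driver install, one user-mode service that must be ignored.
SAMPLE_7045 = [
    {"ServiceName": "ThrottleStop", "ImagePath": r"C:\Users\Public\Music\ThrottleStop.sys", "ServiceType": "kernel mode driver"},
    {"ServiceName": "hlpdrv", "ImagePath": r"\??\C:\Windows\Temp\hlpdrv.sys", "ServiceType": "kernel mode driver"},
    {"ServiceName": "e1dexpress", "ImagePath": r"\SystemRoot\System32\drivers\e1dexpress.sys", "ServiceType": "kernel mode driver"},
    {"ServiceName": "VendorAgent", "ImagePath": r"C:\Program Files\Vendor\agent.exe", "ServiceType": "user mode service"},
]


def classify_driver_install(evt):
    """Return the list of reasons a 7045 event is suspicious ([] if benign)."""
    if "kernel" not in evt["ServiceType"].lower():
        return []                                   # only kernel drivers matter here
    path = evt["ImagePath"].strip('"')
    name = ntpath.basename(path).lower()
    reasons = []
    if name in WATCHLIST:
        reasons.append(f"known-abused driver name: {name}")
    if not EXPECTED_DIR.match(path):
        reasons.append(f"driver loaded from non-standard path: {path}")
    return reasons


def triage_driver_installs(events):
    """Map ServiceName -> reasons for every event that raised at least one."""
    return {evt["ServiceName"]: r for evt in events if (r := classify_driver_install(evt))}


if __name__ == "__main__":
    for service, reasons in triage_driver_installs(SAMPLE_7045).items():
        print(service, reasons)
```

The path check carries most of the weight: a signed driver is not suspicious by itself, but a kernel driver registered from a user's Music folder or from Temp is, regardless of its name. Pairing this with a hash-based blocklist (Windows ships one that HVCI enforces) turns the detection into prevention on hosts where it can be enabled.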
"This technique reflects a sophisticated understanding of Windows security architecture", security analysts have noted, underscoring the challenge defenders face when legitimate tools are weaponized.
Targeting Security Solutions and Regional Adaptations
Makop’s effectiveness is bolstered by its ability to adapt to regional security practices. For instance, the ransomware group has employed specialized uninstallers targeting Quick Heal Antivirus, which is widely used in India. This highlights their tailored approach to disabling specific defenses in areas where the malware is most active.
India has been the primary target of Makop ransomware, accounting for 55% of reported incidents. However, other regions, including Brazil and Germany, have also experienced attacks. This geographic targeting aligns with the group’s broader strategy of focusing on accessible, high-impact opportunities.
Exploiting Known Vulnerabilities
Makop’s attack arsenal includes a collection of local privilege escalation (LPE) exploits aimed at transitioning from user-level access to system-level privileges. These exploits take advantage of both older vulnerabilities and recently patched ones, ensuring that attackers maintain multiple pathways to compromise systems.
Several key vulnerabilities exploited by Makop include:
- CVE-2017-0213: Windows device driver vulnerability
- CVE-2021-41379: Windows Desktop Window Manager elevation flaw
- CVE-2025-7771: Vulnerability in the ThrottleStop driver
These vulnerabilities, which span years, remain effective due to unpatched systems and delayed security updates. This underscores the critical importance of timely patch management and system updates for organizations.
Increasing Sophistication in Delivery Mechanisms
Recent reports highlight that Makop operators have added new capabilities to their arsenal, including the use of GuLoader malware to deliver secondary payloads. This evolution demonstrates how the group continues to refine its methods, integrating deceptive file naming and execution from non-standard directories to evade detection.
File names resembling legitimate Windows processes, such as taskmgr.exe and mc_osn.exe, are used to trick security tools and users. These tactics allow attackers to maneuver within networks while minimizing the risk of detection.
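A name that mimics a Windows binary is only convincing if nobody checks where it ran from: the real taskmgr.exe lives in System32, not in a Music folder. The following check is an added example for this article, not code from any cited vendor. It takes full image paths as a process-creation telemetry source (for instance the Image field of Sysmon Event ID 1) would report them; the sample paths are constructed, and the short table of system binaries and their home directories is an assumption to be replaced with an inventory of the organisation's gold image.

```python
"""Flag process launches whose file name mimics a Windows system binary but
whose location does not match, plus any executable started from the
user-content folders the article says operators use for staging.

Added example for this article; not code from any cited report. The image
paths are constructed sample data; SYSTEM_BINARIES is an assumed short table.
"""
import ntpath

# Windows binaries and the only directories they legitimately run from.
SYSTEM_BINARIES = {
    "taskmgr.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe":    {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# Folder names the article reports as staging locations for tooling.
STAGING_MARKERS = ("\\music\\", "\\desktop\\", "\\public\\")

# Constructed sample: one genuine Task Manager, one impostor in a Music
# folder, a non-system name on a desktop, an impostor svchost in Temp, and a
# normal third-party program.
SAMPLE_IMAGES = [
    r"C:\Windows\System32\Taskmgr.exe",
    r"C:\Users\Public\Music\taskmgr.exe",
    r"C:\Users\jdoe\Desktop\mc_osn.exe",
    r"C:\Windows\Temp\svchost.exe",
    r"C:\Program Files\Vendor\app.exe",
]


def assess_image(image):
    """Return a list of (severity, reason) tuples; an empty list means benign."""
    lowered = image.lower()
    directory = ntpath.dirname(lowered)
    name = ntpath.basename(lowered)
    alerts = []
    expected_dirs = SYSTEM_BINARIES.get(name)
    if expected_dirs is not None and directory not in expected_dirs:
        alerts.append(("high", f"{name} masquerade: ran from {ntpath.dirname(image)}"))
    if name.endswith(".exe") and any(marker in lowered for marker in STAGING_MARKERS):
        alerts.append(("medium", f"executable launched from a user-content folder: {image}"))
    return alerts


def triage_images(images):
    """Map image path -> alerts for every launch that raised at least one."""
    return {img: alerts for img in images if (alerts := assess_image(img))}


if __name__ == "__main__":
    for image, alerts in triage_images(SAMPLE_IMAGES).items():
        print(image, alerts)
```

The medium-severity rule will fire on ordinary users double-clicking installers on their desktop, so it is better suited to enrichment or a hunting query than to paging; the high-severity rule (a system binary name outside its home directory) has almost no legitimate explanation and can be alerted on directly.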
Conclusion
Makop ransomware continues to exemplify the evolving complexity of modern cyber threats. By leveraging a combination of brute-force RDP attacks, privilege escalation techniques, and sophisticated antivirus evasion strategies, the operators behind this malware have established themselves as a persistent and adaptive danger to organizations worldwide. With their use of legitimate tools and vulnerable drivers, Makop's tactics highlight the growing challenges security teams face in defending against increasingly innovative ransomware campaigns.