Makop ransomware removes Quick Heal Antivirus using privilege escalation in attacks against Indian businesses

Khushal
Apr 4, 2024

Acronis TRU analyses Makop ransomware’s updated toolkit, with new components including local privilege escalation exploits and GuLoader for secondary payloads. 55% of observed cases hit Indian organisations, with further victims in Brazil & Germany. They also discovered that the threat actors deployed tailored uninstall software to remove Quick Heal AV.
The use of a tailored Quick Heal AV uninstaller aligns with their telemetry data showing that victims were predominantly located in India. This targeted removal indicates that the attackers adapted parts of their toolkit depending on the target victim’s region.

This is a very interesting case and fits a pattern we’ve been seeing for a while with region‑focused ransomware operations.

Key takeaways from what you shared
  • Makop’s operators are now using:
    • Local privilege escalation (LPE) exploits
    • GuLoader for secondary payloads
    • A tailored Quick Heal AV uninstaller
  • Around 55% of observed victims are in India, with others in Brazil and Germany.
  • The fact that they bothered to build / integrate a specific Quick Heal removal component strongly implies:
    • They expect Quick Heal to be present in a big portion of their targets.
    • They are investing in region‑aware tooling, not just generic “one size fits all” scripts.

Why the Quick Heal uninstaller is important
Using a vendor‑specific uninstaller isn’t random or trivial:

  • It’s more reliable than killing processes or deleting files: Using the product’s own uninstaller often avoids protection mechanisms and cleans the AV more “cleanly” than brute-force removal.
  • Shows prior reconnaissance: They know Quick Heal’s prevalence in Indian organisations and adjusted their toolkit accordingly.
  • Likely automated decision logic: The toolkit may:
    • Check region (locale, IP geo, keyboard layout, etc.).
    • Check installed AV products.
    • Then pick the relevant uninstallation / neutralisation routine.
  • Bypassing “single‑layer” defenses: If an organisation relies mainly on one AV product (e.g. Quick Heal) without strong hardening and monitoring around it, this kind of tailored remover can leave the environment effectively blind before encryption or data theft.

The role of GuLoader and LPE here
  • GuLoader:
    • Commonly used to load commodity malware (RATs, stealers, Cobalt Strike/Beacons, etc.).
    • Adds an extra layer of obfuscation and hosting flexibility (payloads on cloud services, paste sites, etc.).
  • Local privilege escalation exploits:
    • Allow them to get SYSTEM/admin even if the initial foothold is a limited user.
    • Once they have high privileges, AV uninstallation and tampering are much easier.

Implications for Indian organisations (and Quick Heal users)
This doesn’t mean Quick Heal is uniquely “bad”; any widely used AV in a region can get this treatment. But it does underline a few points:

  • Attackers study local software ecosystems: If a product is very common in one country, it’s a natural target for specific bypasses and uninstallers.
  • Relying mainly on one traditional AV is risky:
    • You want layered controls: EDR/XDR, application control, proper backup strategy, hardening, phishing protection, etc.
    • Controls should not all be bypassable from a single elevated session.
  • AV uninstallation must be tightly controlled:
    • Ensure the AV’s uninstall requires a strong password / admin rights.
    • Monitor for:
      • Execution of the AV’s uninstaller binaries.
      • MSI/uninstall events related to security products.
    • In some environments, block or restrict uninstallation except from a secure management console.

Practical mitigation ideas
For environments similar to the victims described:

  • Patch for LPE:
    • Keep Windows and common drivers fully patched – many ransomware actors lean heavily on known privilege escalation bugs.
  • Harden and monitor AV/EDR:
    • Enable tamper protection features (if available).
    • Require an uninstall password and limit who knows it.
    • Log and alert on:
      • Uninstall attempts
      • Service stops / registry changes for security tools
  • Additional controls against loaders like GuLoader:
    • Application control / whitelisting where possible (block unknown EXEs, scripts from user-writable locations).
    • Constrain Office macros, script engines (PowerShell, wscript/cscript), and archive execution from email.
  • Prepare for ransomware specifically:
    • Regular, tested offline/immutable backups.
    • Network segmentation to limit spread.
    • Monitoring for mass file modifications, shadow copy deletions, and backup tampering.

In summary
The Makop campaign Acronis describes is a good example of how ransomware groups are becoming region‑ and product‑aware, building custom tools (like a Quick Heal uninstaller) to neutralise whatever is common in their target market. For organisations in India especially, this is a strong signal to move beyond a single AV layer and to harden, monitor, and restrict any ability to disable or uninstall security products.

If you want, you can share more details from the Acronis report, and I can help break down specific techniques they mention (IoCs, TTPs, etc.) into concrete defensive actions.
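As an added illustration of the monitoring the reply recommends (alerting on AV uninstall events, security-service stops and uninstaller execution), here is a small detection routine run over constructed Windows event log records. It is not code from the thread or from the Acronis report; the event IDs are the standard Windows ones (MsiInstaller 1034/11724, Service Control Manager 7036, Security 4688), while the product and service names in the samples are placeholders, not Quick Heal's real component names.

```python
import re

# Constructed sample events (simplified one-line messages); the product and
# service names are placeholders, not Quick Heal's actual component names.
SAMPLE_EVENTS = [
    {"provider": "MsiInstaller", "event_id": 11724,
     "message": "Product: Quick Heal Total Security -- Removal completed successfully."},
    {"provider": "Service Control Manager", "event_id": 7036,
     "message": "The Quick Heal Scanner Service service entered the stopped state."},
    {"provider": "Microsoft-Windows-Security-Auditing", "event_id": 4688,
     "message": r"New Process Name: C:\Program Files\Quick Heal\uninstall.exe"},
    {"provider": "Service Control Manager", "event_id": 7036,
     "message": "The Print Spooler service entered the stopped state."},
    {"provider": "MsiInstaller", "event_id": 11724,
     "message": "Product: 7-Zip -- Removal completed successfully."},
]

# Terms that identify a security product in a message; extend per environment.
SECURITY_PRODUCT_TERMS = ("quick heal", "antivirus", "endpoint protection", "edr")


def mentions_security_product(message):
    text = message.lower()
    return any(term in text for term in SECURITY_PRODUCT_TERMS)


# Each rule: (name, provider, accepted event IDs, predicate on the message text).
RULES = [
    ("msi_removal_of_security_product", "MsiInstaller", {1034, 11724},
     mentions_security_product),
    ("security_service_stopped", "Service Control Manager", {7036},
     lambda m: "stopped state" in m and mentions_security_product(m)),
    ("uninstaller_binary_executed", "Microsoft-Windows-Security-Auditing", {4688},
     lambda m: bool(re.search(r"uninst\w*\.exe", m, re.I)) and mentions_security_product(m)),
]


def detect(events):
    """Return (rule_name, message) pairs for every event that matches a rule."""
    alerts = []
    for event in events:
        for name, provider, ids, predicate in RULES:
            if (event["provider"] == provider and event["event_id"] in ids
                    and predicate(event["message"])):
                alerts.append((name, event["message"]))
    return alerts


if __name__ == "__main__":
    for rule, msg in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {msg}")
```

In practice these three signals would be fed from the Application, System and Security logs (or Sysmon) into a SIEM and correlated with the host and logged-on account, so that an uninstall not initiated from the management console stands out.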