Detection and Blocking of HRSword as Hacktool.HRSword



Article ID: 434550


Updated On:

Products

  • Endpoint Protection
  • Endpoint Protection Cloud
  • Carbon Black Cloud Endpoint Standard

Issue/Introduction

HRSword is a specialized, legitimate system monitoring tool developed by the Chinese cybersecurity firm Huorong Network Technology and designed for diagnosing Windows system issues. However, recent threat intelligence indicates that multiple ransomware operators are abusing the HRSword tool to disable security products before deploying ransomware or performing data exfiltration.

Threat Overview

Observed Abuse

Attackers have been leveraging HRSword to terminate security product services and processes prior to launching payloads. Various threat actors have been confirmed to use HRSword in their ransomware campaigns, including:

  • Qilin

Threat research teams at Broadcom have observed multiple pre-ransomware activities involving HRSword, where it was used to neutralize defences, thereby enabling:

  • Ransomware deployment
  • Data exfiltration
  • Secondary malware deployment

Current Status

  • The HRSword dropper and driver both currently have a good reputation, which allows them to execute due to reputation-based trust.
  • Despite its benign reputation, HRSword is actively used by attackers to disable security product layers.
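As an added defender-side example (not part of this article or of any Broadcom product), the following Python scans constructed process-start and service-stop telemetry for an HRSword launch whose hash is not on an approved list, and for security-product services stopped on the same host within a few minutes afterwards, which is the pre-ransomware pattern described above. The binary name pattern, service names, hash values and log format are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the article), one event per line:
# timestamp|event|host|detail[|sha256=...]
SAMPLE_EVENTS = """\
2024-05-01T10:00:01|process_start|WS-17|C:\\Tools\\HRSword.exe|sha256=aaaa1111
2024-05-01T10:00:09|service_stop|WS-17|SecurityAgentSvc
2024-05-01T10:00:11|service_stop|WS-17|EdrSensorSvc
2024-05-01T11:30:00|process_start|WS-22|C:\\Windows\\notepad.exe|sha256=bbbb2222
2024-05-01T11:30:05|service_stop|WS-22|Spooler
2024-05-01T12:00:00|process_start|WS-09|D:\\Support\\hrsword.exe|sha256=cccc3333
2024-05-01T12:00:30|service_stop|WS-09|Spooler
"""

# Assumption: the tool's image name contains "hrsword" (the article does not name the binary).
HRSWORD_NAME = re.compile(r"hrsword", re.IGNORECASE)
# Constructed placeholders: replace with the real service names of your security products.
SECURITY_SERVICES = {"SecurityAgentSvc", "EdrSensorSvc"}
# Hash-based exclusion (the article's first exclusion option): placeholder hash of an approved build.
APPROVED_HASHES = {"cccc3333"}
CORRELATION_WINDOW = timedelta(minutes=5)

def parse_events(text):
    events = []
    for line in text.splitlines():
        parts = line.split("|")
        ts, kind, host, detail = parts[:4]
        sha = parts[4].split("=", 1)[1] if len(parts) > 4 else None
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                       "host": host, "detail": detail, "sha256": sha})
    return events

def detect(text):
    """Return (host, finding, detail) tuples for HRSword launches and security-service stops that follow."""
    events = parse_events(text)
    alerts = []
    for e in events:
        image = e["detail"].rsplit("\\", 1)[-1]
        if e["kind"] != "process_start" or not HRSWORD_NAME.search(image):
            continue
        if e["sha256"] not in APPROVED_HASHES:
            alerts.append((e["host"], "Hacktool.HRSword launched", e["detail"]))
        for f in events:  # service stops are still correlated even for approved builds
            if (f["kind"] == "service_stop" and f["host"] == e["host"]
                    and f["detail"] in SECURITY_SERVICES
                    and e["ts"] <= f["ts"] <= e["ts"] + CORRELATION_WINDOW):
                alerts.append((e["host"], "security service stopped after HRSword", f["detail"]))
    return alerts
```

On the sample data only WS-17 produces findings: the launch itself plus the two security-service stops that follow it, while the approved build on WS-09 and the unrelated Spooler stops are ignored.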

Resolution

Blocking Implementation

    1. HRSword will be blocked statically using the signature (VID): Hacktool.HRSword.
    2. Reputation-based changes and SDS blocking will extend protection to CB (Carbon Black).

If the tool is to be used legitimately, exclude the HRSword detections using one of the following:

  • Hash-based exclusion, or
  • VID (Hacktool.HRSword) exclusion