News Heading - 1

Automated Data Theft: Vice Society’s Sophisticated PowerShell Exfiltrator

  • Written by Ari Denial, Cybersecurity & Tech Writer

Vice Society, a ransomware group, has introduced an advanced PowerShell script to automate the theft of data from compromised networks. The group typically steals valuable corporate and customer data and uses it to extort victims or sell it to other cybercriminals for profit.

The new data exfiltrator is fully automated, utilizing “living off the land” binaries and scripts to avoid detection by security software, ensuring that their activities remain undetected until the final stage of the ransomware attack.

In early 2023, Palo Alto Networks Unit 42 discovered a new data theft tool used by the Vice Society ransomware gang. The tool was discovered during an incident response, where a file named “w1.ps1” was recovered from a victim’s network.

The script utilizes PowerShell to automate the exfiltration of data and consists of multiple functions, including Work(), Show(), CreateJobLocal(), and fill(). These functions work together to identify potential directories for exfiltration, process groups of directories, and finally exfiltrate data via HTTP POST requests to Vice Society’s servers.

According to Unit 42’s report, the script does not require any arguments, leaving the responsibility of identifying files to copy out of the network to the script itself. The report also notes that the script ignores files that are less than 10 KB in size and those that do not have a file extension.

The use of “living off the land” binaries and scripts makes it difficult for security software to detect the script’s activities, ensuring that the gang’s activities remain covert until the final stage of the ransomware attack.

Vice Society’s new PowerShell script for automated data theft has a master exclusion and inclusion list to determine which files to steal. It excludes files from common backup and system folders but targets folders matching an inclusion list of over 433 strings in multiple languages, including German and English.
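As an added example (not code from the article or from Unit 42’s report), the following Python scores PowerShell Script Block Logging text against the traits described above: definitions of the four function names, an upload via HTTP POST, the 10 KB minimum file size and the skip of files without an extension. The sample records, host names, script paths and the scoring weights are constructed for this example; a real deployment would feed it the text of Event ID 4104 records.

```python
import re

# Constructed sample records shaped like PowerShell Script Block Logging
# (Event ID 4104) entries. They are not the recovered w1.ps1; they only
# carry the traits the article attributes to it so the scoring can be tested.
SAMPLE_SCRIPT_BLOCKS = [
    {
        "host": "WS-01",
        "script_path": r"C:\Users\Public\w1.ps1",
        "text": (
            "function Work() { }\n"
            "function Show() { }\n"
            "function CreateJobLocal() { }\n"
            "function fill() { }\n"
            "if ($f.Length -lt 10240) { continue }\n"
            "if ($f.Extension -eq '') { continue }\n"
            "Invoke-WebRequest -Uri $target -Method Post -Body $bytes\n"
        ),
    },
    {
        "host": "WS-02",
        "script_path": r"C:\Scripts\inventory.ps1",
        "text": "Get-ChildItem C:\\ -Recurse | Select-Object Name, Length | Export-Csv out.csv\n",
    },
    {
        "host": "WS-03",
        "script_path": r"C:\Scripts\upload.ps1",
        "text": "Invoke-RestMethod -Uri https://intranet.example/api -Method Post -Body $report\n",
    },
]

# Function names reported for the script; matching is case-insensitive.
KNOWN_FUNCTIONS = {"work", "show", "createjoblocal", "fill"}
FUNCTION_DEF_RE = re.compile(r"\bfunction\s+([A-Za-z_]\w*)\s*\(", re.IGNORECASE)
# An upload over HTTP POST through either built-in web cmdlet.
HTTP_POST_RE = re.compile(r"Invoke-(?:WebRequest|RestMethod)[^\n]*-Method\s+Post\b", re.IGNORECASE)
# The 10 KB minimum size (10240 bytes) and the "no extension" skip.
SIZE_FILTER_RE = re.compile(r"\.Length\s+-lt\s+10240\b", re.IGNORECASE)
NO_EXTENSION_RE = re.compile(r"\.Extension\s+-eq\s+''", re.IGNORECASE)

# Weights and threshold are this example's own choice, not values from the report.
WEIGHT_PER_FUNCTION = 1
WEIGHT_HTTP_POST = 2
WEIGHT_SIZE_FILTER = 2
WEIGHT_NO_EXTENSION = 1
DEFAULT_THRESHOLD = 5


def score_script_block(text: str) -> tuple[int, list[str]]:
    """Return (score, reasons) for the text of one script block."""
    score = 0
    reasons = []
    defined = {m.group(1).lower() for m in FUNCTION_DEF_RE.finditer(text)}
    for name in sorted(defined & KNOWN_FUNCTIONS):
        score += WEIGHT_PER_FUNCTION
        reasons.append(f"defines function {name}()")
    if HTTP_POST_RE.search(text):
        score += WEIGHT_HTTP_POST
        reasons.append("uploads data with HTTP POST")
    if SIZE_FILTER_RE.search(text):
        score += WEIGHT_SIZE_FILTER
        reasons.append("skips files under 10 KB")
    if NO_EXTENSION_RE.search(text):
        score += WEIGHT_NO_EXTENSION
        reasons.append("skips files without an extension")
    return score, reasons


def find_suspicious(records, threshold: int = DEFAULT_THRESHOLD) -> list[dict]:
    """Return the records whose score reaches the threshold, with score and reasons attached."""
    flagged = []
    for rec in records:
        score, reasons = score_script_block(rec["text"])
        if score >= threshold:
            flagged.append({**rec, "score": score, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_SCRIPT_BLOCKS):
        print(f"{hit['host']} {hit['script_path']} score={hit['score']}")
        for reason in hit["reasons"]:
            print(f"  - {reason}")
```

A single POST in a script (WS-03) is ordinary administrative behaviour and stays under the threshold; it is the combination of the reported function names with the size and extension filters that pushes WS-01 over it. Function names are the weakest of these signals, since a renamed copy of the script defeats them, so the filter patterns carry more weight.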

The use of sophisticated tools makes Vice Society a significant threat to organisations worldwide, making it challenging for defenders to stop their attacks.

News Heading - 2

Beware: Malware Distribution Disguised as Fake Chrome Updates

  • Written by Ari Denial, Cybersecurity & Tech Writer

A malware distribution campaign was identified by an NTT security analyst. The campaign utilized a deceptive error screen appearing as a Google Chrome update to distribute malware.

Several targets were reported to have confirmed malware downloads as the campaign gained traction. The attack campaign begins by infiltrating websites and inserting malevolent JavaScript code that triggers scripts upon a user’s visit. The scripts initiate the downloading of additional scripts depending on whether the user fits the target criteria.

The delivery of these harmful scripts is facilitated by the Pinata IPFS (InterPlanetary File System) service, which obscures the source server that stores the files. This approach thwarts efforts to blacklist the server and makes it difficult to take down the attack.

When a visitor matching the target criteria accesses the compromised website, the scripts trigger a deceptive error message disguised as a Google Chrome automatic update failure. The fake error screen states that the installation of the required update was unsuccessful, and the visitor is prompted to either install the update package manually or wait for the next automatic update.

The error message reads, “An error occurred in Chrome automatic update. Please install the update package manually later, or wait for the next automatic update.”

The attack involves the automatic download of a ZIP file named ‘release.zip’ that pretends to be a Google Chrome update. This file, however, contains a Monero miner that utilizes the device’s CPU resources to generate cryptocurrency for the attackers.

Once launched, the malware duplicates itself to C:\Program Files\Google\Chrome as “updater.exe” and deploys a genuine executable to run from memory. The malware leverages the “BYOVD” technique to exploit a WinRing0x64.sys vulnerability to obtain SYSTEM privileges on the device.

The miner remains undetected by Windows Defender by adding scheduled tasks and modifying the Registry. After the completion of the process, the Monero miner connects to xmr.2miners[.]com and begins mining the difficult-to-trace cryptocurrency.
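As an added example (not code from the article or from the NTT analyst), the following Python matches endpoint telemetry against the indicators the article names: the dropped archive release.zip, the copy written as updater.exe under C:\Program Files\Google\Chrome, the WinRing0x64.sys driver load, and DNS resolution of the mining pool. The event records, host names, the HwMonitorTool path and the event shape are constructed for this example; the pool domain is kept defanged in the indicator list and only refanged at match time.

```python
# Indicators quoted from the article. The domain stays defanged here and is
# refanged only when compared against a DNS query.
MINING_POOL_DOMAINS_DEFANGED = {"xmr.2miners[.]com"}
MINER_BINARY_PATHS = {r"c:\program files\google\chrome\updater.exe"}
DROPPED_ARCHIVE_NAMES = {"release.zip"}
BYOVD_DRIVER_NAMES = {"winring0x64.sys"}

# Constructed sample telemetry in a generic (host, type, fields) shape.
SAMPLE_EVENTS = [
    {"host": "WS-10", "type": "file_create", "path": r"C:\Users\alice\Downloads\release.zip"},
    {"host": "WS-10", "type": "file_create", "path": r"C:\Program Files\Google\Chrome\updater.exe"},
    {"host": "WS-10", "type": "driver_load", "image": r"C:\Windows\Temp\WinRing0x64.sys"},
    {"host": "WS-10", "type": "dns_query", "query": "xmr.2miners.com"},
    # Constructed: a host whose hardware-monitoring utility legitimately ships WinRing0.
    {"host": "WS-11", "type": "driver_load", "image": r"C:\Program Files\HwMonitorTool\WinRing0x64.sys"},
    {"host": "WS-12", "type": "dns_query", "query": "www.google.com"},
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as xmr.2miners[.]com back into a real domain."""
    return indicator.replace("[.]", ".")


def _norm_path(path: str) -> str:
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm_path(path).rsplit("\\", 1)[-1]


def match_event(event: dict) -> list[tuple[str, str]]:
    """Return (category, detail) hits for a single event."""
    hits = []
    kind = event["type"]
    if kind == "file_create":
        path = _norm_path(event["path"])
        if path in MINER_BINARY_PATHS:
            hits.append(("miner_binary", event["path"]))
        if _basename(path) in DROPPED_ARCHIVE_NAMES:
            hits.append(("dropped_archive", event["path"]))
    elif kind == "driver_load":
        # WinRing0 is also shipped by legitimate hardware-monitoring tools, so a
        # driver load on its own is a weak signal; triage() requires corroboration.
        if _basename(event["image"]) in BYOVD_DRIVER_NAMES:
            hits.append(("byovd_driver", event["image"]))
    elif kind == "dns_query":
        query = event["query"].lower().rstrip(".")
        if query in {refang(d) for d in MINING_POOL_DOMAINS_DEFANGED}:
            hits.append(("mining_pool", event["query"]))
    return hits


def hits_by_host(events) -> dict[str, list[tuple[str, str]]]:
    """Group every hit by host name."""
    grouped: dict[str, list[tuple[str, str]]] = {}
    for event in events:
        for hit in match_event(event):
            grouped.setdefault(event["host"], []).append(hit)
    return grouped


def triage(events, min_categories: int = 2) -> dict[str, list[tuple[str, str]]]:
    """Keep only hosts with hits in at least min_categories distinct categories."""
    return {
        host: hits
        for host, hits in hits_by_host(events).items()
        if len({category for category, _ in hits}) >= min_categories
    }


if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host)
        for category, detail in hits:
            print(f"  {category}: {detail}")
```

WS-11 loads the same driver but is dropped by triage() because nothing else on that host corroborates it, while WS-10 is reported with all four categories. Raising min_categories trades missed detections for fewer false positives; the driver load and the DNS query are the two indicators least likely to change if the attackers rename their files.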

As a precaution, avoid installing security updates from third-party sites, and rely only on updates from the software developers or on the program’s own automatic updates.