Security News > 2023 > April > Rorschach ransomware deployed by misusing a security tool

An unbranded ransomware strain that recently hit a US-based company is being deployed by attackers who are misusing a tool included in a commercial security product, Check Point researchers have found.

The solution in question is Palo Alto Networks' Cortex XDR, whose Dump Service Tool the attackers appropriated and are now misusing to side-load the DLL that decrypts and injects the Rorschach ransomware.

"The cybercriminals are using the Cortex XDR's Dump Service Tool as a standalone tool they deliver themselves," Sergey Shykevich, Threat Intelligence Group Manager at Check Point, told Help Net Security.

"The main Rorschach payload config.ini is subsequently loaded into memory as well, decrypted and injected into notepad.exe, where the ransomware logic begins," the researchers explained.

"Rorschach does not exhibit any clear-cut overlaps with any of the known ransomware groups but does appear to draw inspiration from some of them," the researchers noted.

"Rorschach ransomware uses a copy of Cortex XDR Dump Service Tool and this DLL side-loading technique to evade detection on systems that do not have sufficient endpoint protection. This poses the same risk as other malware utilizing DLL side-loading techniques," they added.

News URL

https://www.helpnetsecurity.com/2023/04/06/rorschach-ransomware-misusing-security-tool/