Security News > 2023 > April > Vice Society ransomware uses new PowerShell data theft tool in attacks

The Vice Society ransomware gang is deploying a new, rather sophisticated PowerShell script to automate data theft from compromised networks.

Stealing corporate and customer data is a standard tactic in ransomware attacks for use as further leverage when extorting victims or reselling the data to other cybercriminals for maximum profit.

Vice Society's new data exfiltrator is fully automated and uses "Living off the land" binaries and scripts that are unlikely to trigger alarms from security software, keeping their activities stealthy before the final step of the ransomware attack, the encrypting of data.

The new data theft tool was discovered by Palo Alto Networks Unit 42 during an incident response in early 2023, when the responders recovered a file named "w1.ps1" from a victim's network and, more specifically, referenced in an Event ID 4104: Script Block Logging event.

The script uses PowerShell to automate data exfiltration and consists of multiple functions, including Work(), Show(), CreateJobLocal(), and fill().

Vice Society's new data exfiltration script uses "Living off the land" tools to evade detection from most security software and features multi-processing and process queuing to keep its footprint small and its activity stealthy.

News URL

https://www.bleepingcomputer.com/news/security/vice-society-ransomware-uses-new-powershell-data-theft-tool-in-attacks/