Security News > 2023 > April > Vice Society Ransomware Using Stealthy PowerShell Tool for Data Exfiltration

Threat actors associated with the Vice Society ransomware gang have been observed using a bespoke PowerShell-based tool to fly under the radar and automate the process of exfiltrating data from compromised networks.

"Threat actors using built-in data exfiltration methods like negate the need to bring in external tools that might be flagged by security software and/or human-based security detection mechanisms," Palo Alto Networks Unit 42 researcher Ryan Chapman said.

The PowerShell script discovered by Unit 42 works by identifying mounted drives on the system, and then recursively searching through each of the root directories to facilitate data exfiltration over HTTP. The tool also makes use of exclusion criteria to filter out system files, backups, and folders pointing to web browsers as well as security solutions from Symantec, ESET, and Sophos.

The discovery of the data exfiltration script illustrates the ongoing threat of double extortion in the ransomware landscape.

"Vice Society's PowerShell data exfiltration script is a simple tool for data exfiltration," Chapman said.

"However, the script's focus on files over 10 KB with file extensions and in directories that meet its include list means that the script will not exfiltrate data that doesn't fit this description."

News URL

https://thehackernews.com/2023/04/vice-society-ransomware-using-stealthy.html