The Vice Society ransomware gang has implemented a sophisticated PowerShell script to automate data theft from compromised networks, as discovered by the Unit 42 team during a recent incident response investigation. The team identified that the gang had exfiltrated data from a victim network through a custom-built Microsoft PowerShell script.
Diving into details
This new data exfiltration tool employs living-off-the-land binaries and scripts. These techniques are carefully designed to avoid triggering alarms from security software, allowing the ransomware gang to operate covertly until the final stage of data encryption.
The data exfiltration script used by Vice Society is written in PowerShell and automates the process through several functions that work together.
These functions, namely Work(), Show(), CreateJobLocal(), and fill(), collectively identify potential directories for exfiltration, process groups of directories, and ultimately exfiltrate data through HTTP POST requests to servers owned by Vice Society.
Why this matters
With the adoption of increasingly sophisticated tools, Vice Society has become a formidable threat to organizations globally, reducing the opportunities for defenders to detect and thwart their attacks.
The data exfiltration script relies on living-off-the-land tools to avoid detection by security software, and uses multi-processing and process queuing to minimize its footprint and stay stealthy.
This approach poses challenges for detection and hunting, although the security researchers have provided guidance in their report.
The bottom line
Vice Society's PowerShell data exfiltration script is a simple yet effective tool for data exfiltration. The nature of PowerShell scripting within the Windows environment makes it challenging to prevent this type of threat outright. Nonetheless, the report provides valuable tips and tricks for detection and hunting, including a YARA rule.
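As an added hunting illustration (not code from the Unit 42 report and not its YARA rule), the script below scores PowerShell Script Block Logging text (Event ID 4104 ScriptBlockText) on the traits the summary reports: definitions of the four named functions, PowerShell job queuing, directory enumeration, and HTTP POST uploads. The regexes, weights, threshold and the sample records are assumptions constructed for this example.

```python
import re

# Hunting heuristic built from what the summary reports (four function names,
# PowerShell job queuing, directory enumeration, HTTP POST upload). The weights
# and patterns are assumptions for illustration, not Unit 42's YARA rule.
REPORTED_FUNCTIONS = ("Work", "Show", "CreateJobLocal", "fill")
FUNC_DEF = re.compile(r"function\s+(" + "|".join(REPORTED_FUNCTIONS) + r")\b", re.I)
INDICATORS = {  # name -> (regex over ScriptBlockText, weight)
    "http_post": (re.compile(r"Invoke-(WebRequest|RestMethod)\b[^\n]*-Method\s+POST", re.I), 2),
    "job_queuing": (re.compile(r"\b(Start|Wait|Receive|Get)-Job\b", re.I), 1),
    "dir_enumeration": (re.compile(r"Get-ChildItem\b[^\n]*-(Recurse|Directory)\b", re.I), 1),
}

def score_script_block(text):
    """Return (score, reasons) for one Event ID 4104 ScriptBlockText value."""
    score, reasons = 0, []
    names = {m.group(1).lower() for m in FUNC_DEF.finditer(text)}
    if names:
        # Each reported function name adds weight; all four together is the strongest signal.
        score += 2 * len(names)
        reasons.append("defines:" + ",".join(sorted(names)))
    for name, (rx, weight) in INDICATORS.items():
        if rx.search(text):
            score += weight
            reasons.append(name)
    return score, reasons

def hunt(records, threshold=5):
    """records: iterable of (record_id, script_block_text). Returns flagged (id, score, reasons)."""
    hits = []
    for rid, text in records:
        score, reasons = score_script_block(text)
        if score >= threshold:
            hits.append((rid, score, reasons))
    return hits

# Constructed sample script blocks standing in for 4104 events; not real captures.
SAMPLE_RECORDS = [
    (101, "function Work { ... }\nfunction Show { ... }\nfunction CreateJobLocal {\n"
          "  Start-Job -ScriptBlock { Invoke-WebRequest -Uri <uri> -Method POST -Body <data> }\n}\n"
          "function fill { Get-ChildItem -Path <root> -Recurse -Directory }"),
    (102, "Invoke-RestMethod -Uri <internal-api> -Method POST -Body $payload"),  # routine admin API call
    (103, "Start-Job -ScriptBlock { Get-ChildItem C:\\Backups -Recurse | Compress-Archive ... }"),  # backup job
]

if __name__ == "__main__":
    for rid, score, reasons in hunt(SAMPLE_RECORDS):
        print(f"record {rid}: score {score}, reasons {reasons}")
```

Hits are triage leads rather than verdicts: a single POST upload or a single job queue is routine, and only the combination scores above the threshold.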