Vice Society Gang is Using a Custom PowerShell Tool for Data Exfiltration

Summary:
“Palo Alto Unit 42 team observed the Vice Society ransomware gang exfiltrating data from a victim network using a custom-built Microsoft PowerShell (PS) script. Threat actors are using the PowerShell tool to evade software and/or human-based security detection mechanisms. PS scripting is often used within a typical Windows environment; using a PowerShell-based tool can allow threat actors to hide in plain sight and get their code executed without raising suspicion” (Security Affairs, 2023).

Earlier this year, Unit 42 observed the ransomware group using a script named w1[.]ps1 to exfiltrate data from victims. The script identifies mounted devices on the targeted system via Windows Management Instrumentation (WMI), then iterates through the identified drives and sends files out through HTTP POST requests using the object's .UploadFile method. “Each HTTP POST event will include the file’s full path. If you are able to obtain the source host’s IP address along with this path, you will then be able to build out a list of exfiltrated files after the fact,” reads the analysis published by Palo Alto Networks.
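The point Unit 42 makes about the POST events is worth turning into a concrete after-the-fact procedure. The following Python helper is an added example written for this summary (it is not Unit 42's code and not the w1[.]ps1 script); it rebuilds the per-host list of uploaded files from proxy-style log lines. The log format is constructed for the example: a space-separated line of timestamp, source IP, method, URL, status and bytes out, with the assumption that the uploading tool places the file's URL-encoded full local path after an `/upload/` endpoint. Real proxy or NetFlow exports will need their own parser, but the grouping logic is the same.

```python
"""Rebuild a per-host list of files pushed out over HTTP POST from proxy logs.

Added example for this summary; not Unit 42's or the threat actor's code.
Assumed (constructed) log format, one request per line:
    <timestamp> <src_ip> <method> <url> <status> <bytes_out>
Assumption: the uploading tool carries the file's full local path,
URL-encoded, after an "/upload/" endpoint in the request URL.
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

# Constructed sample proxy lines for the example (not real traffic).
SAMPLE_LOG = """\
2023-04-13T10:02:11Z 10.10.5.23 GET http://intranet.example/home 200 512
2023-04-13T10:02:19Z 10.10.5.23 POST http://203.0.113.7/upload/C%3A%5CUsers%5Cjdoe%5CDocuments%5CQ1-report.xlsx 200 1048576
2023-04-13T10:02:20Z 10.10.5.23 POST http://203.0.113.7/upload/D%3A%5CShares%5CFinance%5Cpayroll.csv 200 22528
2023-04-13T10:02:25Z 10.10.5.23 POST http://203.0.113.7/upload/C%3A%5CUsers%5Cjdoe%5CDesktop%5Ccontracts.docx 200 204800
2023-04-13T10:03:02Z 10.10.5.41 POST http://crm.example/api/ticket 201 900
"""


@dataclass(frozen=True)
class PostEvent:
    timestamp: str
    src_ip: str
    dest_host: str
    local_path: str   # full path of the file as carried in the URL
    bytes_out: int


def parse_post_events(log_text):
    """Return one PostEvent per POST whose URL carries a local file path."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[2] != "POST":
            continue
        ts, src_ip, _method, url, _status, size = parts
        split = urlsplit(url)
        # Constructed convention: everything after /upload/ is the
        # URL-encoded local path of the uploaded file.
        _, _, encoded = split.path.partition("/upload/")
        if not encoded:
            continue
        events.append(PostEvent(ts, src_ip, split.hostname, unquote(encoded), int(size)))
    return events


def exfiltrated_files_by_host(events, dest_host=None):
    """Group uploaded file paths by source host, optionally for one destination."""
    by_host = defaultdict(list)
    for ev in events:
        if dest_host is not None and ev.dest_host != dest_host:
            continue
        by_host[ev.src_ip].append(ev.local_path)
    return dict(by_host)


def summarize(events):
    """(file count, total bytes) per (source host, destination host) pair."""
    totals = defaultdict(lambda: [0, 0])
    for ev in events:
        key = (ev.src_ip, ev.dest_host)
        totals[key][0] += 1
        totals[key][1] += ev.bytes_out
    return {k: tuple(v) for k, v in totals.items()}


if __name__ == "__main__":
    evs = parse_post_events(SAMPLE_LOG)
    for host, paths in exfiltrated_files_by_host(evs, dest_host="203.0.113.7").items():
        print(host)
        for p in paths:
            print("   ", p)
    print(summarize(evs))
```

The per-pair summary is the quick triage view: a single internal host posting many files to one external IP in a short window stands out even before the paths are read, and the decoded paths then give the list needed for breach-notification scoping.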

Analyst comments:
Unit 42 says, “The script uses the CreateJobLocal( $folders ) function to create PowerShell script blocks to be run as jobs via the Start-Job cmdlet. The CreateJobLocal function receives groups of directories, often in groups of five.” The tool uses an inclusion and exclusion process based on keywords to determine which directories to exfiltrate data from. It will not target folders containing system files, backups, folders associated with web browsers, or folders used by security solutions from Symantec, ESET, and Sophos. After scanning directories, the malware exfiltrates files that do not have extensions found on the exclude list and that are larger than 10 KB. The script ignores files that are under 10 KB in size and files that have no file extension.

“Vice Society’s PowerShell data exfiltration script is a simple tool for data exfiltration. Multi-processing and queuing are used to ensure the script does not consume too many system resources. However, the script’s focus on files over 10 KB with file extensions and in directories that meet its include list means that the script will not exfiltrate data that doesn’t fit this description.” concludes the report. “Unfortunately, the nature of PS scripting within the Windows environment makes this type of threat difficult to prevent outright.”
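Because the report concedes that PS scripting is hard to prevent outright, the practical control is detection on PowerShell script block logging. The following Python triage helper is an added example for this summary (not Unit 42's code and not the script analysed); it scans script-block text for co-occurrence of the behaviours the analysis names: the CreateJobLocal function, Start-Job, WMI drive enumeration, and the .UploadFile call. The regexes, the Win32_LogicalDisk class as the WMI target, and System.Net.WebClient as the object behind .UploadFile are assumptions for the example, as are the sample blocks, which are constructed fragments rather than real log entries. Any single indicator is common in legitimate administration; the value is in requiring several of them in one block.

```python
"""Score PowerShell script-block log text for the indicator combination
described in the Vice Society exfiltration analysis.

Added example for this summary; regexes and sample blocks are constructed.
Assumptions: WMI enumeration targets Win32_LogicalDisk, and .UploadFile is
called on a System.Net.WebClient object.
"""
import re

# Indicator name -> compiled pattern. Each alone is benign in admin scripts.
INDICATORS = {
    "create_job_local": re.compile(r"\bCreateJobLocal\b", re.I),
    "start_job": re.compile(r"\bStart-Job\b", re.I),
    "wmi_drives": re.compile(r"\b(Get-WmiObject|Get-CimInstance)\b.*\bWin32_LogicalDisk\b", re.I),
    "webclient": re.compile(r"System\.Net\.WebClient", re.I),
    "upload_file": re.compile(r"\.UploadFile\s*\(", re.I),
}

# Constructed script-block fragments standing in for Event ID 4104 payloads.
SAMPLE_BLOCKS = {
    "block-1": "Start-Job -ScriptBlock { Get-ChildItem C:\\Logs | Measure-Object }",
    "block-2": (
        "function CreateJobLocal( $folders ) { Start-Job -ScriptBlock $block -ArgumentList $folders }\n"
        "$drives = Get-WmiObject Win32_LogicalDisk\n"
        "$wc = New-Object System.Net.WebClient\n"
        "$wc.UploadFile($uri, $path)\n"
    ),
    "block-3": (
        "$wc = New-Object System.Net.WebClient\n"
        "$wc.UploadFile('https://reports.internal.example/ingest', $f)\n"
    ),
}


def score_script_block(text):
    """Return the set of indicator names that match anywhere in the block."""
    return {name for name, pat in INDICATORS.items() if pat.search(text)}


def triage(blocks, min_hits=3):
    """Return [(block_id, sorted hits)] for blocks reaching min_hits indicators."""
    flagged = []
    for block_id, text in blocks.items():
        hits = score_script_block(text)
        if len(hits) >= min_hits:
            flagged.append((block_id, sorted(hits)))
    return flagged


if __name__ == "__main__":
    for block_id, hits in triage(SAMPLE_BLOCKS):
        print(f"{block_id}: {len(hits)} indicators -> {', '.join(hits)}")
```

With the threshold at three, the lone Start-Job in block-1 and the internal WebClient upload in block-3 pass quietly, while block-2 is flagged on all five. Tune `min_hits` against a baseline of the organisation's own scripts before alerting on it; a lower threshold suits hunting, a higher one suits an alert.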

Mitigation:
Backup your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems.

Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.

Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

Check Your Security Team's Work: Use a 3rd party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety critical functions can be maintained during a cyber incident.

Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained how to spot and avoid phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.

Source:
https://securityaffairs.com/144898/breaking-news/vice-society-powershell-tool-exfiltration.html
https://unit42.paloaltonetworks.com/vice-society-ransomware-powershell/