Palo Alto Unit 42 team identified observed the Vice Society ransomware gang exfiltrating data from a victim network using a custom-built Microsoft PowerShell (PS) script.
Threat actors are using the PowerShell tool to evade software and/or human-based security detection mechanisms. PS scripting is often used within a typical Windows environment, using a PowerShell-based tool can allow threat actors to hide in plain sight and get their code executed without raising suspicion.
Early in 2023, the researchers spotted the gang using a script named w1.ps1 to exfiltrate data from a victim network. Unit42 researchers were able to recover the script from the Windows Event Log (WEL).
The script identifies any mounted drives on the target system by using Windows Management Instrumentation (WMI), then iterates through the identified drives to prepare data exfiltration via HTTP POST events using the object’s .UploadFile method.
“each HTTP POST event will include the file’s full path. If you are able to obtain the source host’s IP address along with this path, you will then be able to build out a list of exfiltrated files after the fact.” reads the analysis published by Palo Alto Networks.
The script uses the CreateJobLocal( $folders ) function to create PowerShell script blocks to be run as jobs via the Start-Job cmdlet. The CreateJobLocal function receives groups of directories, often in groups of five.
The tool uses an inclusion/exclusion process based on keywords to select which directories to pass to the fill() function to exfiltrate.
The tool doesn’t target folders containing system files, backups, folders associated with web browsers, and folders used by security solutions from Symantec, ESET, and Sophos.
The script finds all files within each directory that matches the include list, it exfiltrates files that do not have extensions found on the exclude list and that are larger than 10 KB.
The script ignores files that are under 10 KB in size and that do not have a file extension.
“Vice Society’s PowerShell data exfiltration script is a simple tool for data exfiltration. Multi-processing and queuing are used to ensure the script does not consume too many system resources. However, the script’s focus on files over 10 KB with file extensions and in directories that meet its include list means that the script will not exfiltrate data that doesn’t fit this description.” concludes the report. “Unfortunately, the nature of PS scripting within the Windows environment makes this type of threat difficult to prevent outright.”
Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:
Please nominate Security Affairs as your favorite blog.
Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Vice Society)