Threat actors associated with the Vice Society ransomware gang have been observed using bespoke PowerShell-based tools to fly under the radar and automate the process of exfiltrating data from compromised networks.
“Threat actors (TAs) using built-in data exfiltration methods such as living-off-the-land binaries and scripts obviate the need to bring in external tools that might be flagged by security software and/or human-based security detection mechanisms,” Palo Alto Networks Unit 42 researcher Ryan Chapman said.
“This method can also hide within the general operating environment, providing subversion to threat actors.”
Vice Society, tracked by Microsoft under the name DEV-0832, is an extortion-focused hacking group that appeared on the scene in May 2021. It is understood that they rely on ransomware binaries sold in the criminal underground to serve their purpose.
In December 2022, SentinelOne detailed the group’s use of a ransomware variant, dubbed PolyVice, that implements a hybrid encryption scheme that combines asymmetric and symmetric encryption to securely encrypt files.
The PowerShell script discovered by Unit 42 (w1.ps1) works by identifying the drives attached to the system, then searching recursively through each root directory to facilitate data exfiltration via HTTP.
The tool also uses exclusion criteria to filter system files, backups, and folders that point to web browsers and security solutions from Symantec, ESET, and Sophos. The cybersecurity firm says the tool’s overall design exhibits a “professional level of coding.”
The discovery of data exfiltration scripts illustrates the ongoing threat of multi-extortion in the ransomware landscape. It also serves as a reminder for organizations to prioritize strong security protections and stay alert to evolving threats.
“Vice Society’s PowerShell data exfiltration script is a simple tool for data exfiltration,” says Chapman. “Multi-processing and queues are used to ensure scripts don’t consume too many system resources.”
“However, the script’s focus on files over 10 KB with a file extension and in a directory that satisfies the included list means it will not extract data that does not fit this description.”
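The behaviours described above (drive enumeration, recursive traversal, a size and extension filter, exclusions for security-vendor folders, HTTP upload, and job or queue based parallelism) can be turned into a hunting check over PowerShell script block logs. The example below is added here and is not Unit 42's or Vice Society's code; the log entries and the indicator regexes are constructed for illustration, and the detection threshold is an assumption.

```python
import re
from typing import Dict, List

# Constructed script block log entries (Event ID 4104 style), not real samples.
# The first is a routine admin task; the second contains fragments matching the
# behaviour pattern described by Unit 42.
SAMPLE_SCRIPT_BLOCKS = [
    {"id": "benign-backup",
     "text": "Get-ChildItem C:\\Logs -Filter *.log | Compress-Archive -DestinationPath C:\\Backup\\logs.zip"},
    {"id": "suspect-exfil",
     "text": ("$roots = Get-PSDrive -PSProvider FileSystem | Select-Object Root; "
              "Get-ChildItem -Path $root -Recurse -File; "
              "if ($f.Length -gt 10240 -and $f.Extension) { $queue.Enqueue($f.FullName) }; "
              "$path -notmatch 'Symantec|ESET|Sophos'; "
              "Start-Job -ScriptBlock { Invoke-WebRequest -Uri $u -Method POST -InFile $p }")},
]

# One regex per behaviour from the article's description (assumed patterns).
INDICATORS: Dict[str, str] = {
    "drive_enumeration": r"Get-PSDrive|Win32_LogicalDisk",
    "recursive_walk": r"Get-ChildItem[^|;]*-Recurse",
    "size_threshold": r"\.Length\s+-gt\s+\d+",
    "extension_filter": r"\.Extension",
    "security_vendor_exclusion": r"-notmatch\s+'[^']*(Symantec|ESET|Sophos)",
    "http_upload": r"(Invoke-WebRequest|Invoke-RestMethod)[^|;]*-Method\s+POST|HttpClient|UploadFile",
    "parallelism_or_queues": r"Start-Job|RunspacePool|ForEach-Object\s+-Parallel|Enqueue|ConcurrentQueue",
}

def score_block(text: str) -> List[str]:
    """Return the names of the indicators found in one script block."""
    return [name for name, pattern in INDICATORS.items()
            if re.search(pattern, text, re.IGNORECASE)]

def flag_exfil_candidates(blocks, min_hits: int = 4) -> Dict[str, List[str]]:
    """Flag blocks where enough behaviours co-occur to resemble the exfil pattern.
    The threshold of 4 is an assumed starting point; tune it against your own logs."""
    flagged: Dict[str, List[str]] = {}
    for block in blocks:
        hits = score_block(block["text"])
        if len(hits) >= min_hits:
            flagged[block["id"]] = hits
    return flagged

if __name__ == "__main__":
    for block_id, hits in flag_exfil_candidates(SAMPLE_SCRIPT_BLOCKS).items():
        print(f"{block_id}: {', '.join(hits)}")
```

Any single indicator is common in legitimate administration, so the check only fires on the combination; individual hits are kept in the result to support triage.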