
Threat actors associated with the Vice Society ransomware gang have been observed to fly under the radar with custom PowerShell-based tools to automate the process of exfiltrating data from compromised networks.
“Threat actors (TAs) use built-in data extraction methods such as [living off the land binaries and scripts]. It eliminates the need to bring in external tools that can be flagged by security software or human-based security detection mechanisms,” said Ryan Chapman, a researcher at Palo Alto Networks Unit 42.
“These methods can also hide within the general operating environment, providing subversive threat actors.”
Vice Society, tracked by Microsoft under the name DEV-0832, is an extortion-focused hacking group that emerged in May 2021. It is known to rely on ransomware binaries sold on the criminal underground to achieve its goals.
In December 2022, SentinelOne discovered that the group was using a ransomware variant called PolyVice, which implements a hybrid encryption scheme that combines asymmetric and symmetric encryption to securely encrypt files, and described the scheme in detail.

A PowerShell script discovered by Unit 42 (w1.ps1) identifies drives mounted on the system and recursively searches each root directory to facilitate data exfiltration over HTTP.
The tool also applies exclusion criteria so that it skips system files, backups, web browser folders, and directories belonging to security products from Symantec, ESET and Sophos. The cybersecurity firm said the tool’s overall design exhibits “professional-level coding.”
The discovery of the data exfiltration script underscores the continuing threat of double extortion in ransomware attacks. It is also a reminder that organizations should prioritize robust security protections and remain vigilant against evolving threats.
“Vice Society’s PowerShell data extraction script is a simple tool for data extraction,” says Chapman. “It uses multiprocessing and queuing to prevent the script from hogging system resources.”
“However, the script focuses on files with file extensions greater than 10 KB and directories that satisfy its include list, which means the script will not exfiltrate data that does not fit this description.”
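The behaviours described above (drive enumeration, a recursive directory walk, a 10 KB size threshold, an exclusion list naming security products, HTTP upload, and throttled parallelism) are exactly what a defender can look for in PowerShell Script Block Logging (event 4104 in the PowerShell Operational log). The following detector is an added example written for this article; it is not code from Unit 42, the article, or the Vice Society script. The regexes for each behaviour category, the alerting threshold, and the four sample script blocks are all constructed assumptions about how such behaviour commonly appears in logs, not indicators taken from the actual tool.

```python
"""Score PowerShell script-block text for the combination of behaviours that
Unit 42 attributes to Vice Society's exfiltration script.

Added example: the categories follow the article's description; the regexes,
threshold and sample events are this example's own assumptions.
"""
import re
from dataclasses import dataclass

# One regex list per behaviour category. A category counts as present if any
# of its patterns matches anywhere in the script block (case-insensitive).
INDICATORS = {
    "drive_enumeration": [r"Get-PSDrive", r"Win32_LogicalDisk", r"DriveInfo\]::GetDrives"],
    "recursive_file_walk": [r"(Get-ChildItem|\bgci\b)[^\n|]*-Recurse", r"EnumerateFiles\("],
    "size_filter": [r"\.Length\s*-(gt|ge|lt|le)\s*\d+"],
    "path_exclusion": [r"-notmatch\s+['\"][^'\"]*(Symantec|ESET|Sophos|Backup|Windows)", r"-notlike"],
    "http_upload": [r"Invoke-RestMethod[^\n]*-Method\s+Post", r"Invoke-WebRequest[^\n]*-Method\s+Post",
                    r"\.UploadFile\(", r"\.UploadData\(", r"HttpWebRequest"],
    "throttled_parallelism": [r"Start-Job", r"Start-ThreadJob", r"RunspacePool", r"ConcurrentQueue"],
}


@dataclass
class Finding:
    host: str
    record_id: int
    categories: list
    flagged: bool


def classify_block(text):
    """Return the behaviour categories (in INDICATORS order) found in one script block."""
    return [cat for cat, patterns in INDICATORS.items()
            if any(re.search(p, text, re.IGNORECASE) for p in patterns)]


def is_exfil_like(categories):
    """Alert only on the combination, not on any single behaviour.

    A recursive walk with a size filter is routine administration and an HTTP
    POST alone is any REST client, so require an upload plus a file walk or
    drive enumeration plus at least one more tuning behaviour (3+ categories).
    """
    cats = set(categories)
    has_upload = "http_upload" in cats
    has_walk = bool(cats & {"recursive_file_walk", "drive_enumeration"})
    return has_upload and has_walk and len(cats) >= 3


def scan_events(events):
    """Classify each 4104-style event record and decide whether it should alert."""
    findings = []
    for ev in events:
        cats = classify_block(ev["ScriptBlockText"])
        findings.append(Finding(host=ev["Computer"], record_id=ev["EventRecordID"],
                                categories=cats, flagged=is_exfil_like(cats)))
    return findings


# Constructed sample records mimicking the fields of event 4104. None of these
# is real captured content; the third is a deliberately fragmentary stand-in
# for the behaviour the article describes.
SAMPLE_EVENTS = [
    {"EventRecordID": 1001, "Computer": "fs01.corp.example", "ScriptBlockText": r"""
Get-ChildItem -Path D:\Logs -Recurse -File | Where-Object { $_.Length -gt 104857600 } |
  Sort-Object Length -Descending | Select-Object -First 20
"""},
    {"EventRecordID": 1002, "Computer": "app02.corp.example", "ScriptBlockText": r"""
$body = @{ status = 'ok' } | ConvertTo-Json
Invoke-RestMethod -Uri $statusUrl -Method Post -Body $body -ContentType 'application/json'
"""},
    {"EventRecordID": 1003, "Computer": "ws17.corp.example", "ScriptBlockText": r"""
$drives = Get-PSDrive -PSProvider FileSystem
# ... per-drive worker queued below
$files = Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue
$files = $files | Where-Object { $_.Length -gt 10240 }
$files = $files | Where-Object { $_.FullName -notmatch 'Windows|Backup|Symantec|ESET|Sophos' }
Start-ThreadJob -ThrottleLimit 4 -ScriptBlock { ... }
Invoke-RestMethod -Uri $endpoint -Method Post -InFile $file
"""},
    {"EventRecordID": 1004, "Computer": "rpt03.corp.example", "ScriptBlockText": r"""
Get-ChildItem -Path C:\Reports -Recurse -Filter *.csv | Compress-Archive -DestinationPath C:\Temp\weekly.zip -Force
Invoke-WebRequest -Uri $reportPortal -Method Post -InFile C:\Temp\weekly.zip
"""},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.host} record {f.record_id}: {'ALERT' if f.flagged else 'ok'} {f.categories}")
```

On the constructed input only record 1003 alerts: it hits all six categories, while the large-file audit (1001), the status-API call (1002) and the report upload (1004, two categories) stay below the threshold. In practice the events come from `Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational` filtered to ID 4104, and the 3-category threshold is the knob to tune against your own baseline of administrative scripts.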