Threat actors associated with the Vice Society ransomware gang have been observed using a bespoke PowerShell-based tool to fly under the radar and automate the process of exfiltrating data from compromised networks.
“Threat actors (TAs) using built-in data exfiltration methods like [living off the land binaries and scripts] negate the need to bring in external tools that might be flagged by security software and/or human-based security detection mechanisms,” Palo Alto Networks Unit 42 researcher Ryan Chapman said.
“These methods can also hide within the general operating environment, providing subversion to the threat actor.”
Vice Society, tracked by Microsoft under the name DEV-0832, is an extortion-focused hacking group that emerged on the scene in May 2021. It’s known to rely on ransomware binaries sold on the criminal underground to meet its goals.
In December 2022, SentinelOne detailed the group’s use of a ransomware variant, dubbed PolyVice, that implements a hybrid encryption scheme that combines asymmetric and symmetric encryption to securely encrypt files.
The PowerShell script discovered by Unit 42 (w1.ps1) works by identifying mounted drives on the system, and then recursively searching through each of the root directories to facilitate data exfiltration over HTTP.
The tool also makes use of exclusion criteria to filter out system files, backups, and folders pointing to web browsers as well as security solutions from Symantec, ESET, and Sophos. The cybersecurity firm said the overall design of the tool demonstrates a “professional level of coding.”
The discovery of the data exfiltration script illustrates the ongoing threat of double extortion in the ransomware landscape. It also serves as a reminder for organizations to prioritize robust security protections and stay vigilant against evolving threats.
“Vice Society’s PowerShell data exfiltration script is a simple tool for data exfiltration,” Chapman said. “Multi-processing and queuing are used to ensure the script does not consume too many system resources.”
“However, the script’s focus on files over 10 KB with file extensions and in directories that meet its include list means that the script will not exfiltrate data that doesn’t fit this description.”