+44 (0)203 88 020 88

Menu

Search

Cyber Security News & Articles

 

Cyber Security
News & Articles

Trusted Cyber Security Experts
25+ Years Industry Experience
Ethical, Professional & Pragmatic

Vice Society Use Automated Data Exfiltration

The threat actor known as Vice Society, a ransomware gang known for their attacks against the education sector in the USA, has recently been found to use a custom Microsoft PowerShell (PS) script for exfiltrating data from their victims. This threat actor previously used PS scripts staged on a domain controller to perform a range of malicious activities, such as system discovery, system changes, defence evasion, persistence, data exfiltration, and delivering ransomware payloads. Researchers from Palo Alto Network’s Unit 42 Incident Response team have discovered that the Vice Society actors are now using an automated PS script w1.ps1 in their data exfiltration attacks, where the script itself chooses what data to exfiltrate rather than using any arguments. 

 

The PS script used in these attacks executes the command powershell.exe -ExecutionPolicy Bypass -file \\[redacted_ip]\s$\w1.ps1 on a domain controller on the victim’s network, where the s$ admin share on that domain controller is specified in the attack. The Uniform Resource Name (URN) path of this address has been changed to [redacted_ip]. As the attackers are targeting the domain controller on a network, this could mean their actual target machine is one they have been unable to gain access to. Targeting the domain controller gives them the ability to execute this script on any endpoint on the network. The bypass parameter -ExecutionPolicy is included in the PS script so that any execution policy restrictions on the network do not prevent the execution of this file.  

 

In the attack event investigated by Unit 42 researchers, the script began by declaring constants $id and $token, which were found to be hard coded to TEST and TEST_1 respectively. In other attacks these variables might be used for victim identification, however it could also be the case that these are always resolved as a test. The script then declares the functions that begin the main body of the attack, to identify directories with potential for exploitation, processing these directories into groups, and then exfiltration of this data via HTTP POST requests. Before these functions are called, the script first identifies a list of mounted drives using the WMI service (Windows Management Instrumentation). This is performed through a call to get-wmiobject win32_volume which then creates an array named $drives containing the list of drives. Each drive path is individually found and passed to the Work() function to process the directories.  

 

The script then calls the main functions, starting with Work($disk) which is used to identify potential directories for exfiltration. A hard coded list of directories that should be ignored is included in the script. The Show($name) function is then called to pass the names of identified directories not on the ignore list and chunks them into groups of five before passing them to the next function to be processed further. CreateJobLocal($folders) receives these groups of five directories and creates the PS script blocks needed to run the jobs through Start-Job cmdlet. The directory names are then passed through an inclusion/exclusion process that chooses which directories to pass on to the fill() function for exfiltration based on keywords included in the directory name. Directories that match the include list are found first, followed by a check of the directories that do not match the include list. This is performed through the -Include parameter of the Get-ChildItem cmdlet which is the way in which this PS script can choose for itself which directories to exfiltrate rather than just searching based on hard coded lists of names.  

 

The fill([string]$filename) function is then called to perform the actual data exfiltration via HTTP POST requests to a web server controlled by the threat actor Vice Society. A $prefix value is built which includes the server IP address for where the files will be uploaded, and a network port number, which can be a custom port number, 80, or 443. These are two of the most important indicators of compromise (IoCs) from this attack, the rest of which are not fully known due to the original file hash not being available, with Unit 42 researchers instead publishing the filename (w1.ps1) and contents from the recovered script. The variables $id and $token which were first declared at the start of the PS script are not a necessary part of this fill() function, however they are utilised in the upload URL of each file.  

 

The HTTP-based data exfiltration is then begun through the creation of a WebClient object and the building of a $fullPath variable. This variable is the full file patch that is being exfiltrated, so if the HTTP POST requests are obtained after an exfiltration event, it will be possible to create a list of all exfiltrated files, as long as the source host’s IP is also known. The URL for file upload is then built through $uri by a combination of the $prefix, $token, $id and $fullPath variables. The WebClient.UploadFile() method is then called to finalise the data exfiltration through the creation of an HTTP POST event. When the script is performing this HTTP activity, the researchers noted that the fullpath POST parameter did not have the drive letter from which the file was sent included. It also did not provide a user agent string to the web server.  

 

The use of a PowerShell script in Vice Society ransomware attacks is a living off the land method for evading detection while performing data exfiltration. This means that some security software will not detect and notify the user of the presence of this malicious script as PS scripts are so often seen in Windows environments. If you suspect that a ransomware attack using this script has taken place on your network, Unit 42 researchers have developed a YARA rule to help identify this script if it is present on any given system. Although the education sector has been a main target for this threat actor in the past, it is possible that businesses from any sector could be targeted. The hard coded inclusion and exclusion lists are not the only way in which data is selected for exfiltration in these attacks, with the script itself having the ability to choose extra files that are not on the inclusion list based on keywords. The script excludes files over 10 KB in size, and specifically targets folders with over 433 strings in a small range of chosen languages, with a main focus on German and English, so although not all files are able to be selected by this script for exfiltration, businesses who operate within countries that speak English, Czech, German, Lithuanian, Luxembourgish, Portuguese, and Polish are most likely to be victimised by this attack.  

 

 

Subscribe to our monthly newsletter today

If you’d like to stay up-to-date with the latest cyber security news and articles from our technical team, you can sign up to our monthly newsletter. 

We hate spam as much as you do, so we promise not to bombard you with emails. We’ll send you a single, curated email each month that contains all of our cyber security news and articles for that month.

Why Choose SecureTeam?

CREST
CCS
ISO9001
ISO27001
CE-PLUS

Customer Testimonials

“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”

Aim Ltd Chief Technology Officer (CTO)

"Within a very tight timescale, SecureTeam managed to deliver a highly professional service efficiently. The team helped the process with regular updates and escalation where necessary. Would highly recommend"

IoT Solutions Group Limited Chief Technology Officer (CTO) & Founder

“First class service as ever. We learn something new each year! Thank you to all your team.”

Royal Haskoning DHV Service Delivery Manager

“We’ve worked with SecureTeam for a few years to conduct our testing. The team make it easy to deal with them; they are attentive and explain detailed reports in a jargon-free way that allows the less technical people to understand. I wouldn’t work with anyone else for our cyber security.”

Capital Asset Management Head of Operations

“SecureTeam provided Derbyshire's Education Data Hub with an approachable and professional service to ensure our schools were able to successfully certify for Cyber Essentials. The team provided a smooth end-to-end service and were always on hand to offer advice when necessary.”

Derbyshire County Council Team Manager Education Data Hub

“A very efficient, professional, and friendly delivery of our testing and the results. You delivered exactly what we asked for in the timeframe we needed it, while maintaining quality and integrity. A great job, done well.”

AMX Solutions IT Project Officer

“We were very pleased with the work and report provided. It was easy to translate the provided details into some actionable tasks on our end so that was great. We always appreciate the ongoing support.”

Innovez Ltd Support Officer

Get in touch today

If you’d like to see how SecureTeam can take your cybersecurity posture to the next level, we’d love to hear from you, learn about your requirements and then send you a free quotation for our services.

Our customers love our fast-turnaround, “no-nonsense” quotations – not to mention that we hate high-pressure sales tactics as much as you do.

We know that every organisation is unique, so our detailed scoping process ensures that we provide you with an accurate quotation for our services, which we trust you’ll find highly competitive.

Get in touch with us today and a member of our team will be in touch to provide you with a quotation. 

0

No products in the basket.

No products in the basket.