"Vice Society Gang Is Using a Custom PowerShell Tool for Data Exfiltration"

Palo Alto Networks Unit 42 found the Vice Society ransomware group exfiltrating data from a victim network using a custom-built Microsoft PowerShell script. With this PowerShell tool, the threat actors circumvent software- and/or human-based security detection mechanisms. PowerShell scripting is common in a typical Windows environment, so a PowerShell-based tool lets threat actors hide in plain sight and execute their code while avoiding detection. Early in 2023, the researchers observed the gang exfiltrating data from a victim network using a script named w1.ps1, which they were able to retrieve from the Windows Event Log (WEL). The PowerShell data exfiltration script created by Vice Society is a simple data exfiltration tool that uses multi-processing and queuing to keep the script from consuming an excessive amount of system resources. The script targets files over 10 KB whose extensions and directories appear on its "include list." According to the researchers, the nature of PowerShell scripting in the Windows environment makes it difficult to completely prevent this type of threat. This article continues to discuss the Vice Society ransomware operators using a PowerShell tool to exfiltrate data from compromised networks.
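The summary notes that the script was recovered from the Windows Event Log, which is where PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) records the text of executed script blocks. The following is an added defender-side example, not code from Unit 42, Security Affairs, or Vice Society: it reassembles 4104 script blocks and scores them against heuristics matching the traits the summary describes (recursive enumeration, a file-size threshold, an extension include list, parallelism or queuing, an outbound upload). The indicator patterns, the scoring threshold, and the sample script text are assumptions constructed for this example; it assumes script block logging is enabled and that the 4104 event properties are ordered MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path.

```powershell
# Added example (not from the Unit 42 report or the Security Affairs article).
# Scores PowerShell script block text for traits of a file-collection script and
# hunts the local script block log (Event ID 4104) for high-scoring blocks.

function Get-ExfilScriptIndicators {
    param([Parameter(Mandatory)][string]$ScriptText)

    # Hypothetical heuristics; names and patterns are this example's own choices.
    $indicators = @(
        @{ Name = 'RecursiveFileEnumeration'; Pattern = '(Get-ChildItem|gci|ls|dir)\b[^\n]*-Recurse|\[System\.IO\.Directory\]::EnumerateFiles' }
        @{ Name = 'FileSizeThreshold';        Pattern = '\.Length\s*-g[te]\s+\d+' }
        @{ Name = 'ExtensionIncludeList';     Pattern = '\.(docx?|xlsx?|pptx?|pdf|pst)\b' }
        @{ Name = 'ParallelOrQueueing';       Pattern = 'Start-Job|Start-ThreadJob|ForEach-Object\s+-Parallel|RunspacePool|ConcurrentQueue' }
        @{ Name = 'OutboundUpload';           Pattern = 'Invoke-WebRequest|Invoke-RestMethod|WebClient\]?\.Upload|HttpClient' }
    )
    # -match is case-insensitive by default, which suits PowerShell source text.
    $hits = foreach ($i in $indicators) {
        if ($ScriptText -match $i.Pattern) { $i.Name }
    }
    [pscustomobject]@{
        Score      = @($hits).Count
        Indicators = @($hits)
    }
}

function Find-SuspiciousScriptBlocks {
    param(
        [int]$MinScore  = 3,      # assumed threshold; tune to your environment
        [int]$MaxEvents = 5000
    )
    # Reading this log normally requires administrative rights.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'
        Id      = 4104
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    # Long script blocks are split across several 4104 events that share one
    # ScriptBlockId; reassemble them in MessageNumber order before scoring.
    $events | Group-Object -Property { $_.Properties[3].Value } | ForEach-Object {
        $parts  = $_.Group | Sort-Object { [int]$_.Properties[0].Value }
        $text   = -join ($parts | ForEach-Object { $_.Properties[2].Value })
        $first  = $parts[0]
        $result = Get-ExfilScriptIndicators -ScriptText $text
        if ($result.Score -ge $MinScore) {
            [pscustomobject]@{
                TimeCreated   = $first.TimeCreated
                ScriptBlockId = $_.Name
                Path          = $first.Properties[4].Value
                Score         = $result.Score
                Indicators    = ($result.Indicators -join ',')
            }
        }
    }
}

# Constructed sample script block (not the real w1.ps1) carrying the traits the
# summary describes, so the scorer can be exercised without a victim's event log.
$sampleBlock = @'
$dirs = @('C:\Users', 'D:\Shares')
$exts = @('*.docx', '*.xlsx', '*.pdf')
$q = [System.Collections.Concurrent.ConcurrentQueue[string]]::new()
foreach ($d in $dirs) {
  Get-ChildItem -Path $d -Recurse -Include $exts -File |
    Where-Object { $_.Length -gt 10240 } |
    ForEach-Object { $q.Enqueue($_.FullName) }
}
'@

# Expected: Score 4 (every indicator except OutboundUpload).
Get-ExfilScriptIndicators -ScriptText $sampleBlock

# On a host with script block logging enabled, list candidates for review:
# Find-SuspiciousScriptBlocks -MinScore 3 | Format-Table -AutoSize
```

The scorer deliberately reports which indicators fired rather than a yes/no verdict, because legitimate administration and backup scripts also enumerate files recursively; the combination of a size filter, an extension list, queuing, and an upload call is what should draw an analyst's attention, and the threshold should be tuned against the environment's known scripts before alerting on it.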

Security Affairs reports "Vice Society Gang Is Using a Custom PowerShell Tool for Data Exfiltration"
