Trend Micro discloses that Vice Society ransomware group targets manufacturing companies

Researchers from Trend Micro disclosed that they have evidence that the Vice Society ransomware group is targeting the manufacturing sector, in addition to ​​focusing its efforts on the education and healthcare industries. The findings throw light on the fact that the group has the capability and desire to penetrate different industries — most likely accomplished through the purchasing of compromised credentials from underground channels. 

“We have detected the presence of Vice Society in Brazil (primarily affecting the country’s manufacturing industry), Argentina, Switzerland, and Israel,” Trend Micro researchers wrote in a blog post. “Vice Society, which was initially reported to be exploiting the PrintNightmare vulnerability in their routines, has previously deployed ransomware variants such as Hello Kitty/Five Hands and Zeppelin (the group’s email has been in their ransom notes).”

More recently, Vice Society has been able to develop its custom ransomware builder and adopt more robust encryption methods, Trend Micro assesses. “This, and any further enhancements, could mean that the group is preparing for its own ransomware-as-a-service (RaaS) operation,” it added.

The researchers also presented an end-to-end infection diagram of Vice Society’s routine, which they were able to create using Trend Micro internal telemetry. The detection name for this variant of Vice Society’s ransomware is ‘Ransom.Win64.VICESOCIETY.A.’ It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It encrypts files with specific file extensions, drops files as a ransom note, and avoids encrypting files with certain other file extensions.

The arrival vector likely involves the exploitation of a public-facing website or abuse of compromised remote desktop protocol (RDP) credentials, Trend Micro disclosed. “The weaponized tool used by Vice Society is Cobalt Strike, which allows the group to remotely access and control the infected endpoint. The threat actor also used the Rubeus C# toolset for raw Kerberos interaction and abuse (although this is not a new technique, since it has been previously used by Ryuk, Conti, and BlackCat),” it added.

The researchers identified that, to move laterally within the target network, Mimikatz was used to dump passwords. “We also observed the presence of the Zeppelin ransomware from another endpoint. Vice Society was known to have deployed Zeppelin before; however, perhaps due to its weaker encryption, the threat actor decided to go with custom-built ransomware,” they added.

Vice Society will then execute a PowerShell script to create an administrator account that allows for the remote access of other endpoints and to terminate several processes such as running security software before dropping the custom-built ransomware. “In most of the ViceSociety detections, we also observed the presence of Neshta file infector (which can be cleaned by Trend Micro), although it is not clear how this occurred,” the researchers added.

Trend Micro also found the attacker removing traces of RDP sessions using wevtutil.exe, a technique that was previously used by Clop ransomware and KillDisk. “Once the administrator account is added and established, Vice Society can terminate several processes, including security-related ones, to enable the successful deployment and execution of its ransomware on the affected endpoints,” it added.
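As an added illustration (not part of Trend Micro’s report), the Python snippet below is a toy correlation rule for the sequence the two preceding paragraphs describe: a freshly created account is added to the local Administrators group and, shortly afterwards, event logs are cleared. The event IDs are standard Windows Security/System log IDs; the sample records, host names and account names are constructed.

```python
"""Toy correlation rule for the account-creation-then-log-clearing sequence."""
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Standard Windows event IDs:
# 4720 = user account created, 4732 = member added to a local group,
# 4688 = process creation, 1102 = the audit log was cleared.
SAMPLE_EVENTS = [
    {"ts": "2023-01-10T02:14:05", "host": "WS01", "id": 4720, "target": "svc_backup"},
    {"ts": "2023-01-10T02:14:09", "host": "WS01", "id": 4732, "target": "svc_backup",
     "group": "Administrators"},
    {"ts": "2023-01-10T02:20:31", "host": "WS01", "id": 4688,
     "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil cl Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"},
    {"ts": "2023-01-10T02:20:33", "host": "WS01", "id": 1102},
    # A lone account creation on another host: normal admin work, no alert.
    {"ts": "2023-01-10T09:00:00", "host": "WS02", "id": 4720, "target": "jsmith"},
]


def parse_ts(evt):
    return datetime.fromisoformat(evt["ts"])


def is_log_clear(evt):
    """True for an audit-log-cleared event or a wevtutil 'cl' (clear-log) invocation."""
    if evt["id"] == 1102:
        return True
    if evt["id"] == 4688:
        image = evt.get("image", "").lower()
        cmdline = evt.get("cmdline", "").lower()
        return image.endswith("wevtutil.exe") and " cl " in cmdline
    return False


def correlate(events, window=timedelta(minutes=30)):
    """Alert per host where a new account becomes a local admin and logs are
    cleared within `window` of the account creation; single events never alert."""
    alerts = []
    by_host = {}
    for e in sorted(events, key=parse_ts):
        by_host.setdefault(e["host"], []).append(e)
    for host, evs in by_host.items():
        created = {e["target"]: parse_ts(e) for e in evs if e["id"] == 4720}
        for e in evs:
            if e["id"] == 4732 and e.get("group") == "Administrators" and e.get("target") in created:
                t0 = created[e["target"]]
                clears = [c for c in evs if is_log_clear(c) and t0 <= parse_ts(c) <= t0 + window]
                if clears:
                    alerts.append({"host": host, "account": e["target"],
                                   "first_seen": t0.isoformat(), "log_clear_events": len(clears)})
    return alerts
```

Tuning the window and adding the process-termination events the article mentions (security tooling being stopped) would tighten the rule further; the point is that each event alone is common, while the sequence is not.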

Vice Society seems to be constantly improving its capabilities, managing to build its own ransomware while also continuing to employ toolsets such as Cobalt Strike and malware such as Zeppelin and Hello Kitty/FiveHands to enhance its routines, the researchers said. “Given what we know of the group’s technical knowledge and their willingness to target several different industries and regions, we can expect them to remain a significant player in the ransomware landscape and a threat that organizations must keep track of moving forward,” they added.

The Trend Micro details follow last month’s disclosure by SentinelLabs that the Vice Society group adopted a new custom-branded ransomware payload in recent intrusions, dubbed ‘PolyVice,’ which implements an encryption scheme using the NTRUEncrypt and ChaCha20-Poly1305 algorithms. It is also likely that the group behind the custom-branded ransomware for Vice Society is selling similar payloads to other groups.

Trend Micro revealed earlier this month that Gootkit Loader (aka Gootloader) resurfaced in a recent spate of attacks on organizations in the Australian healthcare industry. It determined that Gootkit malware leveraged SEO (search engine optimization) poisoning for its initial access and abused legitimate tools like VLC Media Player. 
