A threat group known as Vice Society has been linked to multiple malware attacks aimed at the education, government, and retail sectors, according to a newly released report from Microsoft. The group, also tracked as DEV-0832, rotates between several ransomware strains to achieve its end goal of encrypting and exfiltrating an organization's data.
Vice Society has been seen shifting between BlackCat, Quantum Locker, and Zeppelin ransomware payloads to encrypt an infected organization's data. Its latest payload is a Zeppelin variant that appends Vice Society-specific file extensions such as .v-s0ciety, .v-society, and .locked. The threat actor is known to exploit publicly disclosed vulnerabilities in Internet-facing applications to gain initial access to an environment. Once inside, it uses PowerShell scripts, legitimate Windows tools, and commodity backdoors such as SystemBC before launching the ransomware payload. The group has also been seen using Cobalt Strike for lateral movement and exploiting Windows vulnerabilities such as PrintNightmare and CVE-2022-24521 to escalate privileges on a system. Vice Society modifies Windows Defender registry keys to stop it from quarantining payloads or alerting the organization to the intrusion. Data exfiltration is performed by a PowerShell script that collects sensitive data and documents and sends them to a hard-coded, attacker-owned IP address. Once these steps are complete, the ransomware payload of the group's choice is executed across systems in the environment.
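As an added example (not code from the Microsoft report or from this article), the following routine scans constructed Sysmon-style JSON events and flags two of the behaviours described above: Windows Defender policy values being disabled under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, and files written with the Vice Society extensions. The log shape, the "Disable*" value-name pattern, and the sample events are assumptions made for the demonstration.

```python
import json
import re

# Constructed sample telemetry in a Sysmon-like JSON-lines shape (not real logs).
# EventID 13 = registry value set, EventID 11 = file created.
SAMPLE_LOG = r"""
{"EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware", "Details": "DWORD (0x00000001)"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring", "Details": "DWORD (0x00000001)"}
{"EventID": 13, "Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\LastScanRun", "Details": "DWORD (0x00000001)"}
{"EventID": 11, "Image": "C:\\Users\\Public\\zeppelin.exe", "TargetFilename": "C:\\Finance\\budget.xlsx.v-s0ciety"}
{"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "TargetFilename": "C:\\Finance\\budget.xlsx"}
"""

# Policy key under which Defender protections are switched off via Group Policy values.
DEFENDER_POLICY = "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\"
VS_EXTENSIONS = (".v-s0ciety", ".v-society", ".locked")  # extensions named in the report
DWORD_ONE = re.compile(r"DWORD \(0x0*1\)")  # Sysmon renders DWORD values as DWORD (0x...)


def parse_events(log_text):
    """Parse JSON-lines telemetry into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def is_defender_tamper(event):
    """True when a Disable* policy value under the Defender policy key is set to 1 (assumed pattern)."""
    if event.get("EventID") != 13:
        return False
    target = event.get("TargetObject", "")
    if not target.lower().startswith(DEFENDER_POLICY.lower()):
        return False
    value_name = target.rsplit("\\", 1)[-1]
    return value_name.lower().startswith("disable") and bool(DWORD_ONE.search(event.get("Details", "")))


def is_vice_society_extension(event):
    """True when a newly created file carries one of the Vice Society ransomware extensions."""
    return event.get("EventID") == 11 and event.get("TargetFilename", "").lower().endswith(VS_EXTENSIONS)


def scan(events):
    """Return (alert_kind, writing_process, target) tuples for every matching event."""
    alerts = []
    for e in events:
        if is_defender_tamper(e):
            alerts.append(("defender_tamper", e.get("Image", ""), e["TargetObject"]))
        elif is_vice_society_extension(e):
            alerts.append(("ransomware_extension", e.get("Image", ""), e["TargetFilename"]))
    return alerts


if __name__ == "__main__":
    for kind, image, target in scan(parse_events(SAMPLE_LOG)):
        print(f"{kind}: {image} -> {target}")
```

The third sample event is Defender's own write under the non-policy key and is deliberately left unflagged; in production, correlate the registry alert with the writing process (here powershell.exe) rather than alerting on the value alone.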
In some cases, Vice Society has been seen skipping ransomware deployment altogether and opting instead for simple extortion based on the exfiltrated data.