006. They Will Steal All Passwords from Any App with This Tool

Hello everyone! As you know, almost any attack includes a credential access stage. I think many of you are well aware of tools like Mimikatz or LaZagne. But threat actors can be much more creative in their attempts to obtain credential material.

For example, recently we saw threat actors involved in ransomware attacks in the CIS actively using XenArmor All-In-One Password Recovery Pro. It's a legitimate password recovery tool that can recover stored credentials from 270+ applications. Not bad, right?

Of course, it's used beyond the CIS as well. For example, it was used by the ransomware gang behind AvosLocker. It's also widely bundled as a module in malware, for example XWorm.

Currently, it's detected quite well by various antivirus software as seen on VirusTotal:



Also, here are some detection and hunting tips if you'd rather not rely on your security software alone:
  • Look for files with "XenArmor All-In-One Password Recovery Pro", "All-In-One Password Recovery Pro" or "Copyright (c) 2021 XenArmor Pvt Ltd, All rights reserved" in their version metadata. Since this comes from the PE version info, a renamed binary still matches.
  • Check for creation events for the following files: "XenManager.dll", "license.xenarmor".
  • Search for command lines typical for the tool, for example a switch such as -a together with an .html or .json output path. This one is weak on its own (plenty of benign commands take -a or write .json), so combine it with the other two indicators.
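As an added example (not the author's tooling and not something the post ships), here are the three tips above turned into a small hunting script that runs over Sysmon-style events: EventID 1 (process creation) carries the PE version strings and the command line, EventID 11 (file creation) carries the dropped file name. The hostnames, paths and event values are constructed for illustration; only the metadata strings and file names come from the post.

```python
"""Hunt for XenArmor All-In-One Password Recovery Pro in Sysmon-style events.

Added example for this post, not the author's own tooling. The events in
SAMPLE_EVENTS are constructed: field names follow Sysmon's schema (EventID 1 =
process creation, EventID 11 = file creation; Product, Company, Description,
OriginalFileName, CommandLine, TargetFilename), but hosts, paths and values
are invented. Only the marker strings below come from the post.
"""
import re
from collections import defaultdict

# PE version-info strings named in the post. Sysmon copies these into EID 1,
# so a renamed binary still matches on them.
METADATA_MARKERS = (
    "xenarmor all-in-one password recovery pro",
    "all-in-one password recovery pro",
    "copyright (c) 2021 xenarmor pvt ltd, all rights reserved",
)

# Files the post says to watch for on creation.
FILE_MARKERS = ("xenmanager.dll", "license.xenarmor")

# Command-line shape from the post: a switch such as -a plus an .html/.json
# report path. Far too generic to alert on alone (tar, curl and many scripts
# match), so verdict() only treats it as a low-confidence signal.
CMDLINE_RE = re.compile(r"(?i)(?:^|\s)-a(?:\s|$)|\.(?:html|json)\b")


def classify_event(ev: dict) -> set[str]:
    """Return the indicator types ('metadata', 'cmdline', 'file') one event hits."""
    hits = set()
    if ev.get("EventID") == 1:
        meta = " ".join(
            str(ev.get(k, "")) for k in ("Product", "Company", "Description", "OriginalFileName")
        ).lower()
        if any(m in meta for m in METADATA_MARKERS):
            hits.add("metadata")
        if CMDLINE_RE.search(ev.get("CommandLine", "")):
            hits.add("cmdline")
    elif ev.get("EventID") == 11:
        target = ev.get("TargetFilename", "").lower().replace("/", "\\")
        if target.rsplit("\\", 1)[-1] in FILE_MARKERS:
            hits.add("file")
    return hits


def hunt(events) -> dict[str, set[str]]:
    """Aggregate the indicator types seen on each host."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["Computer"]] |= classify_event(ev)
    return dict(per_host)


def verdict(indicators: set[str]) -> str:
    """'alert' on a strong indicator; a lone command-line match is only 'low'."""
    if "metadata" in indicators or "file" in indicators:
        return "alert"
    if "cmdline" in indicators:
        return "low"
    return "clean"


# Constructed sample telemetry (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    # Renamed copy of the tool on WS01: metadata and command line both hit.
    {"EventID": 1, "Computer": "WS01",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe",
     "Product": "XenArmor All-In-One Password Recovery Pro",
     "Company": "XenArmor Pvt Ltd", "Description": "Password Recovery",
     "CommandLine": r'"C:\Users\jdoe\AppData\Local\Temp\svc.exe" -a C:\Users\jdoe\AppData\Local\Temp\report.json'},
    # Support DLL dropped next to it.
    {"EventID": 11, "Computer": "WS01",
     "TargetFilename": r"C:\Users\jdoe\AppData\Local\Temp\XenManager.dll"},
    # Benign noise on WS02: tar takes -a and writes a .json name.
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Windows\System32\tar.exe",
     "Product": "Microsoft Windows Operating System", "Company": "Microsoft Corporation",
     "Description": "bsdtar archive tool", "CommandLine": "tar -a -cf logs.zip data.json"},
    # Only the licence file on WS03, still worth an alert.
    {"EventID": 11, "Computer": "WS03", "TargetFilename": r"D:\tools\pw\license.xenarmor"},
    # Nothing of interest on WS04.
    {"EventID": 1, "Computer": "WS04", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Product": "Firefox", "Company": "Mozilla Corporation", "Description": "Firefox",
     "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe" https://example.com/'},
]

if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {verdict(hits):6} {sorted(hits)}")
```

Feed it exported Sysmon events (e.g. parsed from EVTX or your SIEM's JSON export) in place of SAMPLE_EVENTS; the point of aggregating per host is that the command-line hit on its own never pages anyone, but it raises the priority of a host that also shows the metadata or the dropped files.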

So, if you see activity related to XenArmor All-In-One Password Recovery Pro in your network, investigate thoroughly, as it may be a ransomware precursor!

See you tomorrow!
