006. They Will Steal All Passwords from Any App with This Tool
Hello everyone! As you know, almost any attack includes a credential access stage. I think many of you are well aware of tools like Mimikatz or LaZagne. But threat actors may be much more creative in their attempts to obtain credential material.
For example, recently we saw threat actors involved in ransomware attacks in the CIS actively using XenArmor All-In-One Password Recovery Pro. It's a legitimate password recovery tool that can recover credentials from 270+ applications. Not bad, right?
Of course, it's used beyond the CIS as well. For example, it was used by the ransomware gang behind AvosLocker. It's also widely used as a malware module, for example by XWorm.
Currently, it's detected quite well by various antivirus engines, as seen on VirusTotal. Beyond antivirus alerts, here are some detection opportunities:
- Look for files with "XenArmor All-In-One Password Recovery Pro", "All-In-One Password Recovery Pro" or "Copyright (c) 2021 XenArmor Pvt Ltd, All rights reserved" in their version metadata.
- Check for creation events for the following files: "XenManager.dll", "license.xenarmor".
- Search for command line parameters typical for the tool, for example -a together with an .html or .json output file. These parameters are generic, so correlate them with the indicators above rather than alerting on them alone.
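Here is how the three detection ideas above can be combined into one piece of triage logic. This is an added example written for this post, not code from XenArmor or from any vendor rule set. It assumes simplified Sysmon-style events (EventID 1 for process creation with Image, Description, Company and CommandLine fields; EventID 11 for file creation with TargetFilename) and the sample events are constructed for the example. Metadata and dropped-file indicators are treated as strong, the command line as weak, and a weak hit is upgraded when the same image also produced a strong hit.

```python
"""Triage logic for XenArmor All-In-One Password Recovery Pro activity.

Added example for this post; not the tool's code and not a vendor rule.
Event shape is a simplified Sysmon-style dict (assumption):
  EventID 1  = process creation (Image, Description, Company, CommandLine)
  EventID 11 = file creation   (Image, TargetFilename)
"""
from pathlib import PureWindowsPath

# Indicators taken from the post.
METADATA_MARKERS = (
    "xenarmor all-in-one password recovery pro",
    "all-in-one password recovery pro",
    "copyright (c) 2021 xenarmor pvt ltd, all rights reserved",
)
DROPPED_FILES = {"xenmanager.dll", "license.xenarmor"}
OUTPUT_EXTENSIONS = (".html", ".json")


def metadata_hits(event):
    """Markers found in any string field of the event (Description, Company, ...).
    Fields are joined with a separator so a marker cannot span two fields."""
    blob = " | ".join(str(v) for v in event.values()).lower()
    return [m for m in METADATA_MARKERS if m in blob]


def file_hit(event):
    """Base name of the created file if it is one the tool is known to drop."""
    name = PureWindowsPath(event.get("TargetFilename", "")).name.lower()
    return name if name in DROPPED_FILES else None


def cmdline_hit(event):
    """True if the command line has a -a switch and an .html/.json argument.
    This is generic (many tools take -a), hence scored as a weak indicator."""
    tokens = event.get("CommandLine", "").lower().split()
    return "-a" in tokens and any(t.endswith(OUTPUT_EXTENSIONS) for t in tokens)


def score_event(event):
    """Return (score, reasons): 10 per strong indicator, 3 for the command line."""
    score, reasons = 0, []
    if event.get("EventID") == 1:
        for marker in metadata_hits(event):
            score += 10
            reasons.append(f"metadata:{marker}")
        if cmdline_hit(event):
            score += 3
            reasons.append("cmdline:-a with .html/.json output")
    elif event.get("EventID") == 11:
        dropped = file_hit(event)
        if dropped:
            score += 10
            reasons.append(f"file:{dropped}")
    return score, reasons


def triage(events, threshold=10):
    """Score events, then upgrade weak hits whose Image also had a strong hit."""
    scored = []
    for ev in events:
        score, reasons = score_event(ev)
        if score:
            scored.append({"image": ev.get("Image", ""), "score": score, "reasons": reasons})
    strong_images = {h["image"].lower() for h in scored if h["score"] >= threshold}
    for h in scored:
        if h["score"] >= threshold:
            h["confidence"] = "high"
        elif h["image"].lower() in strong_images:
            h["confidence"] = "high"
            h["reasons"].append("correlated: same image has a strong indicator")
        else:
            h["confidence"] = "low"
    return sorted(scored, key=lambda h: -h["score"])  # stable sort keeps input order on ties


# Constructed sample events (not real telemetry). svc.exe models a renamed copy
# with stripped version info; curl.exe models a benign command-line false positive.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Public\pr.exe",
     "Description": "All-In-One Password Recovery Pro", "Company": "XenArmor Pvt Ltd",
     "CommandLine": r"pr.exe -a C:\Users\Public\out.json"},
    {"EventID": 1, "Image": r"C:\Users\Public\svc.exe", "Description": "", "Company": "",
     "CommandLine": r"svc.exe -a C:\Users\Public\r.html"},
    {"EventID": 11, "Image": r"C:\Users\Public\svc.exe",
     "TargetFilename": r"C:\Users\Public\XenManager.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe", "Description": "The curl executable",
     "Company": "curl", "CommandLine": "curl.exe -a -o data.json https://example.invalid/feed"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "Description": "Windows Command Processor", "Company": "Microsoft Corporation",
     "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["confidence"], hit["score"], hit["image"], hit["reasons"])
```

On the sample data the fully-branded pr.exe and the XenManager.dll drop are flagged as high confidence on their own, the renamed svc.exe command line is upgraded to high only because the same image dropped XenManager.dll, and the curl invocation stays low: that correlation step is what keeps the -a/.json pattern usable without drowning analysts in noise.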
So, if you see activity related to XenArmor All-In-One Password Recovery Pro in your network - investigate thoroughly as it may be a ransomware precursor!
See you tomorrow!