020. Play Ransomware Gang's Reconnaissance Tool Looks Like Legitimate Security Software
Hello everyone! Field Effect presented a report on Grixba - a notorious reconnaissance tool used by Play ransomware affiliates.
The tool allows adversaries to collect information about remote systems, installed software (including security, backup and remote access software), browser history, processes, network, etc.
An interesting thing about this version of the tool - it's designed to look like SentinelOne Compatibility Wizard! At the same time, it's not signed, and that gives us a good detection opportunity.
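One way to turn that observation into detection logic, as an added example (not code from the post or from Field Effect's report): flag process records whose version metadata claims SentinelOne while the code-signing status is anything other than valid. The record field names are assumptions (loosely modeled on Sysmon-style naming) and the sample records are constructed, not real telemetry.

```python
import re
from dataclasses import dataclass

# Matches "SentinelOne" / "Sentinel One" in any case.
SENTINELONE_RE = re.compile(r"sentinel\s*one", re.IGNORECASE)


@dataclass
class ProcEvent:
    """Assumed record shape: image path, PE version metadata, signature status."""
    image: str
    company: str
    product: str
    description: str
    signature_status: str  # e.g. "Valid", "Unsigned", "Invalid" (assumed values)


def claims_sentinelone(ev: ProcEvent) -> bool:
    """True if any metadata field (or the file name) presents the binary as SentinelOne."""
    fields = (ev.company, ev.product, ev.description, ev.image)
    return any(SENTINELONE_RE.search(f) for f in fields if f)


def is_suspicious(ev: ProcEvent) -> bool:
    """Masquerading signal: claims SentinelOne but is not validly signed."""
    return claims_sentinelone(ev) and ev.signature_status != "Valid"


def find_suspicious(events: list[ProcEvent]) -> list[str]:
    """Return image paths of events worth an analyst's attention."""
    return [ev.image for ev in events if is_suspicious(ev)]


# Constructed sample records for demonstration only.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\Public\SentinelOneCompatibilityWizard.exe", "SentinelOne",
              "SentinelOne Compatibility Wizard", "SentinelOne Compatibility Wizard", "Unsigned"),
    ProcEvent(r"C:\Program Files\SentinelOne\SentinelAgent.exe", "SentinelOne",
              "SentinelOne Agent", "SentinelOne Agent", "Valid"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", "Microsoft Corporation",
              "Microsoft Windows Operating System", "Notepad", "Valid"),
    ProcEvent(r"C:\Temp\update.exe", "Sentinel One", "", "", "Invalid"),
]

if __name__ == "__main__":
    for path in find_suspicious(SAMPLE_EVENTS):
        print("suspicious:", path)
```

A real deployment would feed this from process-creation telemetry that carries both version metadata and signature verification results, and tune the status values to that source.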
It's not the first time Play ransomware affiliates have used Grixba masquerading like this. Trend Micro also spotted a similar version of the tool during one of their incident response engagements.
Reconnaissance tools and techniques are extremely common, so they're a great point to focus on to stop attacks at early stages. See you tomorrow!