386. Ransomware Affiliates Abuse Bandizip for Data Collection

Hello everyone!

Today we’re going to talk about collecting data from compromised systems, and we’ll look at an example of the technique Archive Collected Data: Archive via Utility (T1560.001).

The example comes from a Microsoft Threat Intelligence report on the activity of the Storm-1175 cluster, which is associated with the distribution of the Medusa ransomware. Despite the attackers using zero-day vulnerabilities to gain initial access, most of their tactics, techniques, and procedures were fairly trivial.

Nevertheless, one of the tools caught my attention. To collect data for later publication on DLS, the attackers used Bandizip — a legitimate file archiving tool.

This tool is not encountered very often and is quite suitable for proactive hunting, for example:

event_type: "processcreatewin"

AND

proc_file_productname: "bandzip"

See you soon!

Comments

Popular posts from this blog

391. Hunting for TeamPCP's Stealer

343. Ransomware Gangs Abuse SystemSettingsAdminFlows to Evade Defenses

324. Adversaries Use HideMouse to Hide Evidence of Remote Access