Attackers managed to deploy infostealer: In this attack, the Balloonfly group did not reach the stage of deploying the Play ransomware, as that is usually one of the final stages, carried out once the attackers control significant parts of the network, for maximum damage. However, the group did deploy an infostealer called Grixba that is usually part of its toolset.

Grixba is a custom tool written in .NET that is used exclusively by the Play ransomware gang in the early stages of its attacks to gather information about the compromised systems: their configured services, processes, users and installed software, including a wide range of security and backup programs, remote administration tools and more.

In addition to Grixba, the attackers also deployed other tools during this attack that Symantec researchers were not able to recover. One interesting aspect, however, is that these tools had names masquerading as software from Palo Alto Networks: `paloaltoconfig.exe` and `paloaltoconfig.dll`.

The attackers also executed PowerShell commands to gather information about other systems in the victim organization's Active Directory, a reconnaissance activity that often precedes lateral movement attempts.

Even though they were not able to recover all payloads, Symantec researchers were able to recover the names and file hashes for most of them, which are shared in the report as indicators of compromise and can be used to build detections and threat hunting queries.
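As an added example that is not part of the original article or of Symantec's report, the following Python hunting routine turns the two observations above into triage logic: it flags any file whose hash appears in a published IoC list, and any file named `paloaltoconfig.exe` or `paloaltoconfig.dll` that does not sit in the vendor's install directory with the vendor's code-signing subject. The sample telemetry, the IoC hash, the vendor install path and the signer name are all constructed assumptions; substitute the real hashes from the report and the signer details from your own environment.

```python
from dataclasses import dataclass

# Constructed placeholder hash; substitute the SHA-256 values from the Symantec report.
KNOWN_BAD_SHA256 = {"ab" * 32}

# File names the attackers used to masquerade as Palo Alto Networks software (from the article).
MASQUERADE_NAMES = {"paloaltoconfig.exe", "paloaltoconfig.dll"}

# Assumptions about the legitimate product: install directory and code-signing subject name.
VENDOR_DIR = "c:\\program files\\palo alto networks\\"
VENDOR_SIGNER = "Palo Alto Networks"


@dataclass
class FileEvent:
    host: str
    image: str    # full path of the executable or loaded module
    sha256: str
    signer: str   # "" when unsigned or the signature does not verify


def hunt(events):
    """Return (host, image, reason) for each event an analyst should triage."""
    hits = []
    for ev in events:
        path = ev.image.lower()
        name = path.rsplit("\\", 1)[-1]
        if ev.sha256.lower() in KNOWN_BAD_SHA256:
            hits.append((ev.host, ev.image, "hash matches published IoC"))
        elif name in MASQUERADE_NAMES and (
            not path.startswith(VENDOR_DIR) or ev.signer != VENDOR_SIGNER
        ):
            hits.append((ev.host, ev.image, "vendor-named file outside vendor dir or not vendor-signed"))
    return hits


# Constructed sample telemetry: one benign event and three that should surface.
SAMPLE_EVENTS = [
    FileEvent("ws01", "C:\\Program Files\\Palo Alto Networks\\paloaltoconfig.exe", "11" * 32, VENDOR_SIGNER),
    FileEvent("ws02", "C:\\Users\\Public\\paloaltoconfig.exe", "22" * 32, ""),
    FileEvent("srv01", "C:\\Program Files\\Palo Alto Networks\\paloaltoconfig.dll", "33" * 32, ""),
    FileEvent("srv02", "C:\\Windows\\Temp\\update.exe", "AB" * 32, ""),
]

if __name__ == "__main__":
    for host, image, reason in hunt(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {reason}")
```

The name-based rule is deliberately noisy by design: a vendor-named file that is correctly signed but sits in an unexpected path still deserves a look, because a signed binary can be copied anywhere.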
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3980437/windows-flaw-exploited-as-zero-day-by-more-groups-than-previously-thought.html