Trend Micro telemetry links Vice Society to manufacturing attacks and notes the group has evolved from using known ransomware variants to developing a custom ransomware builder, potentially hinting at a ransomware-as-a-service model. The group continues to employ tools like Cobalt Strike, Rubeus, and Mimikatz, and has targeted multiple regions with activity observed in Brazil, Argentina, Switzerland, and Israel. #ViceSociety #Zeppelin #HelloKitty #FiveHands #CobaltStrike #Rubeus #Mimikatz #Neshta #PrintNightmare
Keypoints
- Vice Society expanded beyond education and healthcare to include manufacturing, with activity detected in Brazil, Argentina, Switzerland, and Israel.
- The group has developed a custom ransomware builder and may be moving toward ransomware-as-a-service (RaaS).
- Attack chain likely starts with exploitation of a public-facing website or abuse of compromised RDP credentials, with Cobalt Strike used for remote access.
- Mimikatz was used for credential dumping and Rubeus was used for Kerberos abuse, enabling lateral movement.
- Administrator accounts are created on endpoints, antivirus and other defenses are disabled, and files are exfiltrated before the custom ransomware is deployed; encrypted files are appended with the .v1cesO0ciety extension and a ransom note is dropped.
- Logs and traces (e.g., event viewers, RDP session traces) are cleared, and the malware even deletes itself to cover tracks.
- Trend Micro recommends a multilayer defense approach using Vision One, Cloud One Workload Security, Deep Discovery Email Inspector, and Apex One to detect and block at multiple stages.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Arrival vector likely involves the exploitation of a public-facing website or abuse of compromised remote desktop protocol (RDP) credentials. Quote: “The arrival vector likely involves the exploitation of a public-facing website or abuse of compromised remote desktop protocol (RDP) credentials.”
- [T1133] External Remote Services – Abuse of compromised RDP credentials to access systems. Quote: “The arrival vector likely involves the exploitation of a public-facing website or abuse of compromised remote desktop protocol (RDP) credentials.”
- [T1059.001] PowerShell – Execution of a PowerShell script to enable admin access and drop ransomware. Quote: “Executed a PowerShell script to create an administrator account that allows for the remote access of other endpoints and to terminate several processes such as running security software before dropping the custom-built ransomware.”
- [T1021] Remote Services – Cobalt Strike used to remotely access and control infected endpoints. Quote: “The weaponized tool used by Vice Society is Cobalt Strike, which allows the group to remotely access and control the infected endpoint.”
- [T1550.003] Kerberos Tickets – Rubeus toolset for raw Kerberos interaction and abuse. Quote: “The threat actor also used the Rubeus C# toolset for raw Kerberos interaction and abuse.”
- [T1003.001] Credential Dumping – Use of Mimikatz to dump passwords. Quote: “Deployed Mimikatz” and later, “Mimikatz was used to dump passwords.”
- [T1136] Create Account – Administrator accounts created on endpoints and added to Administrators/Remote Desktop Users groups. Quote: “Created Administrator account on each endpoint, add to Administrators and Remote Desktop Users localgroup.”
- [T1070.001] Clear Windows Event Logs – Clearing event viewer logs and remote session traces. Quote: “Event viewer logs and remote session traces such as RDP and terminal services were cleared.”
- [T1070.004] File Deletion – Self-deletion of the malware from the system. Quote: “Deleted itself from the system.”
- [T1041] Exfiltration – Exfiltration of important files. Quote: “Exfiltrated important files.”
- [T1486] Data Encrypted for Impact – Files encrypted and ransom note dropped with a unique extension. Quote: “Vice Society ransomware routine is performed (files are encrypted, ransom note with email contacts is dropped and files are appended with the extension .v1cesO0ciety)”
Indicators of Compromise
- [Domain] 57thandnormal[.]com – C2 domain observed during infection
- [File path] C:mntsmile.exe – entry or deployment path
- [File path] C:\windows\temp\svchost.exe – script or payload deployed from Temp
- [File path] C:ProgramDatatoolkiit{redacted}outputC$Recycle.Bin{redacted}$RY0DNVE.exe – additional on-disk artifact
- [File] svchost.exe – used in multiple endpoints to drop or run components
- [Registry] HKLM\Software\Policies\Microsoft\Windows Defender\DisableAntiVirus set to 1 and HKLM\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware set to 1 – used to disable security tooling
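An added detection example, not code from the Trend Micro report: Python hunting logic run over a constructed, normalised Windows event feed, flagging the behaviours this page lists (new local account added to Administrators/Remote Desktop Users, the Defender policy values, event log clearing, and files written with the .v1cesO0ciety extension). The event IDs (Sysmon 13 and 11, Security 4720, 4732, 1102), host names, account names and file paths in the sample are assumptions for illustration.

```python
# Added example: hunting rules for the Vice Society behaviours summarised on this page.
# Assumed event IDs: Sysmon 13 (registry value set), Sysmon 11 (file create),
# Security 4720 (user created), 4732 (member added to local group), 1102 (log cleared).
from collections import defaultdict

# Registry values from the IoC list, written with the backslashes the extraction dropped
DEFENDER_POLICY_VALUES = {
    r"HKLM\Software\Policies\Microsoft\Windows Defender\DisableAntiVirus",
    r"HKLM\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
}
RANSOM_EXT = ".v1cesO0ciety"
PRIV_GROUPS = {"Administrators", "Remote Desktop Users"}


def hunt(events):
    """Return a sorted list of (rule, host, detail) hits for the page's TTPs."""
    hits = set()
    new_accounts = defaultdict(set)  # host -> accounts created earlier in this feed
    for e in events:
        host, eid = e["host"], e["id"]
        if eid == 13 and e.get("target") in DEFENDER_POLICY_VALUES and str(e.get("value")) == "1":
            hits.add(("defender_disabled_by_policy", host, e["target"]))
        elif eid == 4720:
            new_accounts[host].add(e["account"])
        elif eid == 4732 and e.get("group") in PRIV_GROUPS:
            # Only a freshly created account gaining admin/RDP rights is flagged (T1136 + T1021)
            if e["account"] in new_accounts[host]:
                hits.add(("new_account_added_to_priv_group", host, f'{e["account"]}->{e["group"]}'))
        elif eid == 1102:
            hits.add(("security_log_cleared", host, e.get("subject", "?")))
        elif eid == 11 and e.get("path", "").lower().endswith(RANSOM_EXT.lower()):
            hits.add(("ransom_extension_written", host, e["path"]))
    return sorted(hits)


# Constructed sample feed; hosts, accounts and paths are illustrative only
SAMPLE_EVENTS = [
    {"host": "ws01", "id": 4720, "account": "svc_admin"},
    {"host": "ws01", "id": 4732, "account": "svc_admin", "group": "Administrators"},
    {"host": "ws01", "id": 4732, "account": "svc_admin", "group": "Remote Desktop Users"},
    {"host": "ws01", "id": 13, "target": r"HKLM\Software\Policies\Microsoft\Windows Defender\DisableAntiVirus", "value": 1},
    {"host": "ws01", "id": 13, "target": r"HKLM\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware", "value": 1},
    {"host": "ws01", "id": 11, "path": r"C:\Users\bob\Documents\q3.xlsx.v1cesO0ciety"},
    {"host": "ws01", "id": 1102, "subject": "svc_admin"},
    {"host": "ws02", "id": 4732, "account": "helpdesk", "group": "Administrators"},  # pre-existing account: no hit
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```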