Security researchers at Symantec have reported that the Play extortion group has developed two new tools to make its cyber-attacks more efficient. The tools, Grixba and VSS Copying Tool, are designed to let the attackers increase the damage they inflict on compromised systems.
Grixba works as a network scanner and information stealer: it enumerates the users and computers in the domain. It also has a "scan" mode that uses WMI, WinRM, the remote registry and remote services to probe what is running on network devices. Grixba checks not only for antivirus and security tools, EDR solutions, backup tools and remote administration tools, but also for common office applications and DirectX. All collected data is saved in compressed CSV files and delivered to the attackers' C2 servers.
The second tool, VSS Copying Tool, interacts with the Volume Shadow Copy Service (VSS) through API calls, using the bundled .NET library AlphaVSS. It lets Play surreptitiously extract files from existing volume shadow copies, even files that are locked by applications.
Both Grixba and VSS Copying Tool were built with the .NET tool Costura, which embeds a program's dependencies so that it ships as a single self-contained executable with no additional software required. This makes it easier for the attackers to drop their malware on compromised systems.
The Play group, notorious for its disruptive activities, recently claimed responsibility for a cyber-attack on the American city of Oakland, which severely damaged municipal IT systems; local authorities responded by declaring a state of emergency. Additionally, in January, Play hackers accessed the email accounts of some Rackspace customers through the use of a zero-day exploit.
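Both behaviours described above (broad discovery over WMI/WinRM/remote registry from one host, and a non-backup process reading files out of a shadow copy) are visible in ordinary endpoint telemetry. The following is an added example for defenders; it is not code from the article or from Symantec. It runs a toy detector over constructed, Sysmon-style event records. The field names, the five-minute window, the ten-target threshold, the backup-agent allowlist and all sample records are assumptions made for the example; the fact it relies on is that Windows exposes shadow copies to user-mode code under `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN` device paths.

```python
"""Added example (not from the original article or from Symantec): a toy
detector over constructed, Sysmon-style event records for the two behaviours
the article attributes to the Play tools.

1. Network discovery: one source host opening remote-management connections
   (RPC 135, SMB 445, WinRM 5985/5986) to many distinct hosts within a short
   window, as a Grixba-style domain scan would.
2. Shadow-copy file access: a process that is not an allow-listed backup
   agent reading files through a HarddiskVolumeShadowCopyN device path.

Field names, thresholds, the allowlist and the sample records are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports of the remote-management services named in the article.
DISCOVERY_PORTS = {135, 445, 5985, 5986}
SCAN_WINDOW = timedelta(minutes=5)
SCAN_THRESHOLD = 10                                   # distinct targets in the window
BACKUP_ALLOWLIST = {"veeamagent.exe", "wbengine.exe"}  # assumed allowlist
SHADOW_PATH_MARKER = "\\device\\harddiskvolumeshadowcopy"


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def detect_discovery_scan(events, threshold=SCAN_THRESHOLD, window=SCAN_WINDOW):
    """Return {src_host: peak_distinct_targets} for hosts that reach at least
    `threshold` distinct destinations on discovery ports inside `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e.get("type") == "network_connect" and e["dst_port"] in DISCOVERY_PORTS:
            by_src[e["src_host"]].append((parse_ts(e["ts"]), e["dst_host"]))
    hits = {}
    for src, conns in by_src.items():
        conns.sort()
        best, start = 0, 0
        in_window = defaultdict(int)  # multiset of targets in the sliding window
        for ts, dst in conns:
            in_window[dst] += 1
            while conns[start][0] < ts - window:  # drop connections that aged out
                old = conns[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        if best >= threshold:
            hits[src] = best
    return hits


def detect_shadow_copy_reads(events, allowlist=BACKUP_ALLOWLIST):
    """Return (image, path) pairs where a process outside the backup allowlist
    reads a file through a shadow-copy device path."""
    findings = []
    for e in events:
        if e.get("type") != "file_read":
            continue
        if SHADOW_PATH_MARKER in e["path"].lower() and e["image"].lower() not in allowlist:
            findings.append((e["image"], e["path"]))
    return findings


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = (
    [  # workstation WS01 sweeping 12 servers over WinRM within two minutes
        {"type": "network_connect", "ts": f"2023-04-20 10:0{i // 10}:{i % 10 * 5:02d}",
         "src_host": "WS01", "dst_host": f"SRV{i:02d}", "dst_port": 5985}
        for i in range(12)
    ]
    + [  # an admin host talking to two servers: normal operations
        {"type": "network_connect", "ts": "2023-04-20 10:00:00",
         "src_host": "ADMIN01", "dst_host": "SRV01", "dst_port": 5985},
        {"type": "network_connect", "ts": "2023-04-20 10:01:00",
         "src_host": "ADMIN01", "dst_host": "SRV02", "dst_port": 445},
    ]
    + [  # the backup agent and an unknown binary both reading a snapshot of a locked mailbox file
        {"type": "file_read", "ts": "2023-04-20 10:03:00", "image": "VeeamAgent.exe",
         "path": r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Users\alice\Outlook\mail.pst"},
        {"type": "file_read", "ts": "2023-04-20 10:03:10", "image": "svc_tool.exe",
         "path": r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Users\alice\Outlook\mail.pst"},
    ]
)

if __name__ == "__main__":
    print("discovery scans:", detect_discovery_scan(SAMPLE_EVENTS))
    print("shadow-copy reads:", detect_shadow_copy_reads(SAMPLE_EVENTS))
```

On the sample data only WS01 trips the scan rule (12 distinct WinRM targets in two minutes; the admin host's two connections stay well under the threshold), and only `svc_tool.exe` is reported for the shadow-copy read because the backup agent is allow-listed. In a real deployment the allowlist should be built from the organisation's actual backup and forensics tooling, and the threshold tuned against a baseline of legitimate management traffic.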