SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Vice Society group exploiting PrintNightmare in recent ransomware attacks
Description: Another threat actor is actively exploiting the so-called PrintNightmare vulnerability (CVE-2021-1675 / CVE-2021-34527) in Windows' print spooler service to spread laterally across a victim's network as part of a recent ransomware attack, according to Cisco Talos Incident Response research. While previous research found that other threat actors had been exploiting this vulnerability, this appears to be new for the threat actor Vice Society. Talos Incident Response's research demonstrates that multiple, distinct threat actors view this vulnerability as attractive to use during their attacks and may indicate that this vulnerability will continue to see more widespread adoption and incorporation by various adversaries moving forward. For defenders, it is important to understand the attack lifecycle leading up to the deployment of ransomware. If users have not already, they should download the latest patch for PrintNightmare from Microsoft.
Snort SIDs: 57876, 57877
Title: Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT
Description: Group TA505 has been active for at least seven years, making wide-ranging connections with other threat actors involved in ransomware, stealing credit card numbers and exfiltrating data. One of the common tools in TA505's arsenal is ServHelper. In mid-June, Cisco Talos detected an increase in ServHelper's activity. We investigated the activity and discovered a set of intertwined malware families and TTPs. Although ServHelper has existed since at least early 2019, we detected the use of other malware families to install it. The installation comes as a GoLang dropper, .NET dropper or PowerShell script. Its activity is generally linked to Group TA505, but we cannot be certain that they are the exclusive users of this RAT.
Snort SID: 57975
ClamAV signatures: Win.Downloader.Powershell-9883640, Win.Trojan.Powershell-9883642, Win.Downloader.Powershell-9883641, Win.Downloader.ServHelper-9883708, Win.Downloader.Powershell-9883847, Win.Trojan.ServHelper-9883848, Win.Trojan.ServHelper-9883866, Win.Trojan.ServHelper-9883867