
Novel PowerShell data theft script leveraged in Vice Society attacks

BleepingComputer reports that the Vice Society ransomware operation has been using a fully automated PowerShell script to exfiltrate data from victim networks. According to a report from Palo Alto Networks Unit 42, the script is built around four functions that identify directories worth exfiltrating, process those directories in groups, and copy the data out. "The script does not require any arguments, as the onus of what files to copy out of the network is left to the script itself," said Unit 42. The script targets folders whose names match any of 433 strings in English, German, Lithuanian, Portuguese, Polish, and Luxembourgish, but it skips files smaller than 10 KB, files without an extension, and folders whose names match strings associated with the Windows operating system, program installation directories, and backups, the researchers said. The report also noted that the script relies on 'living off the land' tools, which helps it evade detection.
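To make the selection rules concrete, the following Python snippet, added here and not code from Unit 42, BleepingComputer or the Vice Society script itself, mirrors the described filters on a constructed directory tree: keyword-matched folders are in scope, folders matching Windows, program-install or backup strings are pruned, and files under 10 KB or without an extension are dropped. The keyword lists are short illustrative stand-ins (assumptions), since the page reproduces neither the 433 target strings nor the exclusion strings, and treating every subfolder of a matching folder as in scope is also an assumption. It only lists files; nothing is copied anywhere.

```python
"""Mirror of the file-selection rules attributed to the Vice Society PowerShell
exfiltration script: keyword-matched folders in, Windows/program/backup folders
out, small and extensionless files out. Lists files only; it copies nothing."""
import os
import shutil
import tempfile
from pathlib import Path

# Illustrative stand-ins (assumption): the real script carries 433 target
# strings in six languages and a separate exclusion list, neither reproduced here.
TARGET_KEYWORDS = ["finance", "payroll", "legal", "vertrag", "umowa", "contrato", "sutartis"]
EXCLUDE_KEYWORDS = ["windows", "program files", "programdata", "backup"]
MIN_FILE_SIZE = 10 * 1024  # files below 10 KB are skipped


def folder_is_target(rel_folder: Path) -> bool:
    """True if the folder's relative path contains a target keyword.
    Treating subfolders of a matching folder as in scope is an assumption."""
    lowered = str(rel_folder).lower()
    return any(k in lowered for k in TARGET_KEYWORDS)


def folder_is_excluded(rel_folder: Path) -> bool:
    """True if the folder path matches an OS, program-install or backup string."""
    lowered = str(rel_folder).lower()
    return any(k in lowered for k in EXCLUDE_KEYWORDS)


def file_is_candidate(path: Path) -> bool:
    """Skip extensionless files (dotfiles such as .env count as extensionless)
    and anything under the 10 KB floor."""
    if path.suffix == "":
        return False
    return path.stat().st_size >= MIN_FILE_SIZE


def select_files(root: Path) -> list:
    """Walk root, prune excluded subtrees, and return candidate files."""
    selected = []
    for dirpath, dirnames, filenames in os.walk(root):
        folder = Path(dirpath)
        rel = folder.relative_to(root)
        # Prune excluded folders in place so os.walk never descends into them.
        dirnames[:] = [n for n in dirnames if not folder_is_excluded(rel / n)]
        if not folder_is_target(rel):
            continue
        for name in filenames:
            file_path = folder / name
            if file_is_candidate(file_path):
                selected.append(file_path)
    return selected


def build_demo_tree() -> Path:
    """Constructed sample tree (not real victim data) exercising each rule."""
    root = Path(tempfile.mkdtemp(prefix="sweep-demo-"))
    big, small = b"x" * (20 * 1024), b"x" * 1024
    samples = {
        "Finance/Q1/ledger.xlsx": big,          # target folder, large, has extension
        "Finance/notes": big,                   # no extension -> skipped
        "Finance/small.txt": small,             # under 10 KB -> skipped
        "Finance/Backup/old.xlsx": big,         # backup folder -> pruned
        "Legal/Vertrag/contract.pdf": big,      # English and German keywords
        "Public/readme.txt": big,               # no target keyword
        "Windows/Temp/finance.log": big,        # OS folder pruned before keyword check
    }
    for rel, content in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return root


def demo() -> list:
    """Return the relative paths the sweep would pick from the sample tree."""
    root = build_demo_tree()
    try:
        return sorted(p.relative_to(root).as_posix() for p in select_files(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path in demo():
        print(path)
```

Pointing `select_files` at a read-only mount of a real share shows which folders such a sweep would scope before any exfiltration monitoring is tuned. The size and extension floors mean small credential files and dotfiles fall outside it, which is a gap in the attackers' coverage rather than a reason to relax monitoring of those files.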
