Play Ransomware impersonates SentinelOne for stealth recon
Essential information
- Published
- 17/01/2025 15:07
- Modified
- 17/01/2025 15:23
- Tags
- .net 2025-01-17 grixba obfuscation play ransomware rdp reconnaissance sentinelone impersonation xor encryption
- Related entities
- 4 observables, 1 intrusion sets (apt), 15 techniques (mitre), 2 malware
Description
A Play ransomware attack involving a reconnaissance tool called Grixba was detected and prevented. The attack began with the deployment of Grixba via RDP to a Windows server. The Grixba file was disguised as legitimate SentinelOne software, a new tactic for the group. Grixba is an obfuscated .NET-based application that uses encoded command line arguments and an XOR key to decrypt its contents. The tool performs various scanning operations, storing results in a password-protected zip file. The scan data is organized into 18 tables, providing detailed information about the target environment. This reconnaissance enables precision targeting and amplifies the impact of subsequent ransomware attacks. Early detection of such tools is crucial for disrupting the attack chain and mitigating risks.