216.73.217.139

Play Ransomware impersonates SentinelOne for stealth recon

· Published 17/01/2025 15:07 · Modified 17/01/2025 15:23

Export JSON

Essential information

Published
17/01/2025 15:07
Modified
17/01/2025 15:23
Tags
.net 2025-01-17 grixba obfuscation play ransomware rdp reconnaissance sentinelone impersonation xor encryption
Related entities
4 observables, 1 intrusion sets (apt), 15 techniques (mitre), 2 malware

Description

A attack involving a tool called was detected and prevented. The attack began with the deployment of via to a Windows server. The file was disguised as legitimate SentinelOne software, a new tactic for the group. is an obfuscated .NET-based application that uses encoded command line arguments and an XOR key to decrypt its contents. The tool performs various scanning operations, storing results in a password-protected zip file. The scan data is organized into 18 tables, providing detailed information about the target environment. This enables precision targeting and amplifies the impact of subsequent attacks. Early detection of such tools is crucial for disrupting the attack chain and mitigating risks.

External references