Threat Actors are "Bringing Their Own Forensics"

In a recent ClickFix campaign, we saw threat actors likely related to Interlock ransomware running Volatility (vol.py) directly on victim machines.

Volatility is normally a defender's tool; in this intrusion the threat actors used it to:

➡️Dump RAM: a full memory image (mem.raw) is captured from the infected host.
➡️Extract hashes: windows.hashdump is run against that image to pull NTLM hashes from the in-memory SAM hive.
➡️Steal credentials: windows.cachedump is run against the same image to extract cached domain logon credentials (MSCache).

The flow: a fake "Verify You Are Human" prompt (the ClickFix lure) leads to a Node.js-based C2 implant (Interlock RAT), followed by hands-on-keyboard activity in which the operators run vol.exe from \AppData\Local\Temp\ to harvest credentials.

Defender tip: Monitor for vol.exe, or python.exe running vol.py, reading memory-image files (mem.raw and similar) in user Temp folders, and for the memory-acquisition step that produces the image in the first place. Parsing an offline image never opens a handle on lsass.exe, so LSASS-access detections will not fire; acquisition does still require administrative rights. If you see windows.hashdump or windows.cachedump in a command line and it isn't your IR team... you have a live intrusion.
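As an added illustration of that tip (example code written for this post, not tooling from the campaign or from the original author), here is a small triage rule run over a handful of constructed process-creation events shaped like Sysmon Event ID 1. It flags Volatility being run against a memory image, raises the severity when a credential plugin (windows.hashdump / windows.cachedump) appears in the command line, and separates hits from a hypothetical IR service account so they can be reviewed rather than paged on. The field names, the IR account, and the file extensions treated as memory images are all assumptions for the example.

```python
import re

# Constructed sample events (not real telemetry); fields loosely follow
# Sysmon Event ID 1. Event 0 and 1 mirror the activity described in the post,
# event 2 is benign Python use, event 3 is a hypothetical IR analyst working
# on a case image outside any user Temp folder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\vol.exe",
     "CommandLine": r"vol.exe -f C:\Users\jdoe\AppData\Local\Temp\mem.raw windows.hashdump",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe"},
    {"Image": r"C:\Python311\python.exe",
     "CommandLine": r"python.exe vol.py -f C:\Users\jdoe\AppData\Local\Temp\mem.raw windows.cachedump",
     "ParentImage": r"C:\Program Files\nodejs\node.exe", "User": r"CORP\jdoe"},
    {"Image": r"C:\Python311\python.exe",
     "CommandLine": r"python.exe build.py",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe"},
    {"Image": r"C:\Tools\volatility3\vol.exe",
     "CommandLine": r"vol.exe -f D:\cases\INC-42\mem.raw windows.pslist",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\ir-analyst"},
]

# Hypothetical allow-list of accounts your IR team uses for memory analysis.
IR_ACCOUNTS = {r"corp\ir-analyst"}

# Volatility 3 plugins named in the post as the credential-harvesting step.
CRED_PLUGINS = {"windows.hashdump", "windows.cachedump"}

# Assumed memory-image extensions; extend to match your acquisition tooling.
MEMIMG_RE = re.compile(r"\S+\.(raw|mem|dmp|vmem)\b", re.IGNORECASE)
# Per-user Temp directory as it appears in Windows paths.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def is_volatility(image_name, cmdline_lower):
    """vol.exe itself, or a Python interpreter that is running vol.py."""
    if image_name == "vol.exe":
        return True
    if image_name.startswith("python") and "vol.py" in cmdline_lower:
        return True
    return False


def score_event(ev, ir_accounts=IR_ACCOUNTS):
    """Return a finding dict for a suspicious Volatility execution, else None."""
    image_name = ev["Image"].rsplit("\\", 1)[-1].lower()
    cmd = ev["CommandLine"]
    low = cmd.lower()
    if not is_volatility(image_name, low):
        return None

    reasons = []
    plugins = sorted(p for p in CRED_PLUGINS if p in low)
    if plugins:
        reasons.append("credential plugin: " + ", ".join(plugins))
    img = MEMIMG_RE.search(cmd)
    if img:
        reasons.append("memory image: " + img.group(0))
    if TEMP_RE.search(cmd) or TEMP_RE.search(ev["Image"]):
        reasons.append("user Temp path involved")
    if not reasons:
        return None  # Volatility launched, but nothing else to go on

    # Credential plugins are the hands-on-keyboard harvesting step; a bare
    # image parse is still worth a look but less conclusive on its own.
    severity = "high" if plugins else "medium"
    disposition = "known-IR" if ev["User"].lower() in ir_accounts else "alert"
    return {"user": ev["User"], "image": ev["Image"], "severity": severity,
            "disposition": disposition, "reasons": reasons}


def analyze(events, ir_accounts=IR_ACCOUNTS):
    """Run the rule over a list of events and keep only the findings."""
    findings = []
    for ev in events:
        f = score_event(ev, ir_accounts)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['severity']}/{f['disposition']}] {f['user']} {f['image']}")
        for r in f["reasons"]:
            print("    -", r)
```

The IR allow-list only changes the disposition, not whether the event is recorded: a compromised analyst account running hashdump from a user Temp folder should still be visible in the findings, which is why the Temp-path reason is kept even for known-IR hits.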

Want more info? Get in touch!

#CyberSecurity #Ransomware #BlueTeam #DFIR #Interlock #Infosec

@TheDFIRReport Will this eventually be published as a Private Report? 🤲🏼