Data-Exfiltrator: A New Tactic for Ransomware Adversaries
released on 2021-07-16 @ 07:30:03 AM
Ransomware operators have added a specific type of malware, a data exfiltrator, to their intrusion set to perform the exfiltration. Once the exfiltration is complete, the malware runs a single-line PowerShell command that stops the malware's own running process and then deletes the malware file that was executed, removing the sample from disk. The malware also has a type of anti-analysis behavior called "Relocate API Code": it reads a copy of system DLLs into memory and resolves its imports from that copy rather than from the DLLs already loaded in the process. Because the API calls never pass through the loaded modules, breakpoints set on those functions are not hit, which causes a problem for debuggers such as x64dbg.
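A defender-side check for the kill-then-delete clean-up step described above, written as an added example; it is not code from the original article and not the malware's command. The cmdlet names it matches (Stop-Process, Remove-Item and their aliases) and the sample process-creation events are assumptions constructed for the example, since the article does not reproduce the actual command line.

```python
import base64
import re

# Constructed sample process-creation events (not from the article):
# each tuple is (parent image, command line of the spawned PowerShell).
SAMPLE_EVENTS = [
    ("C:\\Users\\victim\\AppData\\Local\\Temp\\exfil.exe",
     "powershell.exe -nop -w hidden -c \"Stop-Process -Id 4412 -Force; "
     "Remove-Item -Path 'C:\\Users\\victim\\AppData\\Local\\Temp\\exfil.exe' -Force\""),
    ("C:\\Windows\\explorer.exe",
     "powershell.exe -c \"Get-ChildItem C:\\Temp | Remove-Item -Force\""),
    ("C:\\Program Files\\Backup\\agent.exe",
     "powershell.exe -enc " + base64.b64encode(
         "Stop-Process -Name agent; Remove-Item agent.exe".encode("utf-16le")).decode()),
]

# Assumed cmdlets/aliases for the two halves of the sequence; a production rule
# would tune these (e.g. "del" also appears in ordinary file paths).
KILL_RE = re.compile(r"\b(stop-process|spps|kill|taskkill)\b", re.I)
DELETE_RE = re.compile(r"\b(remove-item|ri|rm|del|erase)\b", re.I)
# -EncodedCommand (or -enc/-e) followed by a base64 blob of UTF-16LE script text.
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|e)\s+([A-Za-z0-9+/=]+)", re.I)


def normalize(command_line: str) -> str:
    """Return the command line with any -EncodedCommand payload decoded in place."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return command_line
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return command_line  # not valid base64/UTF-16LE: inspect as-is
    return command_line[:m.start()] + decoded


def is_self_delete_sequence(command_line: str) -> bool:
    """True when a single PowerShell command line both kills a process and deletes a file."""
    lowered = command_line.lower()
    if "powershell" not in lowered and "pwsh" not in lowered:
        return False
    text = normalize(command_line)
    return bool(KILL_RE.search(text) and DELETE_RE.search(text))


def flag_events(events):
    """Return the parent images whose PowerShell child matches the kill-then-delete pattern."""
    return [parent for parent, cmd in events if is_self_delete_sequence(cmd)]


if __name__ == "__main__":
    for parent in flag_events(SAMPLE_EVENTS):
        print("kill-then-delete PowerShell spawned by:", parent)
```

The parent image of a flagged event is the artifact to preserve first, since the sequence is designed to remove it from disk.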