overview

Microsoft threat researchers have recently revealed the existence of a new financially motivated threat actor, labeled Vanilla Tempest, using a malware strain known as INC to target the healthcare, IT, and manufacturing sectors in the United States.

Vanilla Tempest does not appear to perform its own initial access. Rather, a partner organization called Storm-0494 infects a target with GootLoader before handing off to Vanilla Tempest, which then deploys backdoor tools that allow it to infect the target with the INC malware.

Microsoft believes Vanilla Tempest has been active since July 2022, targeting the same sectors as it does now with tools such as BlackCat, Quantum Locker, and Zeppelin.

how avertium is protecting our customers

IOCs ADDED TO OUR THREAT FEEDS

NOTE!: Avertium is actively searching across all monitored environments for the IoCs listed below. If any are discovered, we will reach out to you directly. If your environment or portions of your environment are not currently being monitored, please reach out to your Service Delivery Manager.

TTPs TO MONITOR

This threat actor is known to employ double-extortion tactics. In addition to a standard ransomware attack, extorting money from a victim to decrypt data, they also make it a practice to exfiltrate as much data as possible and threaten to release it publicly if the victim does not pay an additional ransom.

1. Persistence:
  • Registry Run Keys/Startup Folder (T1547.001): They use these keys to maintain persistence across reboots.
  • DLL Side-Loading (T1574.002): They leverage legitimate applications to load malicious DLLs.
2. Defense Evasion:
  • Masquerading (T1036): Vice Society disguises its malware as legitimate software to evade detection.
  • Process Injection (T1055): They inject malicious code into legitimate processes to avoid security software.
3. Exfiltration:
  • Exfiltration Over Web Service (T1567): They use PowerShell scripts to exfiltrate data to external servers before encryption.
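A small detection triage over the techniques listed above, as an added example that is not part of the original notice: it runs simple rules over constructed Sysmon-style events (the field names, paths and hostnames are assumptions) and reports which listed technique id each event matches.

```python
import ntpath
import re

# Constructed Sysmon-style events (not real telemetry). Field names mimic Sysmon
# EventID 1 (process create), 3 (network), 7 (image load), 8 (remote thread), 13 (registry set).
EVENTS = [
    {"id": 13, "image": r"C:\Users\a\AppData\Local\Temp\upd.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"id": 7, "image": r"C:\Users\a\AppData\Local\Temp\signed.exe",
     "loaded": r"C:\Users\a\AppData\Local\Temp\version.dll", "signed": "false"},
    {"id": 7, "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\Windows\System32\version.dll", "signed": "true"},
    {"id": 8, "image": r"C:\Users\a\AppData\Local\Temp\upd.exe",
     "target_image": r"C:\Windows\explorer.exe"},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "files.example-share.test", "dest_port": 443},
    {"id": 1, "image": r"C:\Users\a\Downloads\svchost.exe"},
]
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.I)
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}

def in_windows_dir(path):
    return path.lower().startswith("c:\\windows\\")

def classify(ev):
    """Return the MITRE technique id the event matches, or None."""
    img = ev["image"]
    if ev["id"] == 13 and RUN_KEY.search(ev["target"]) and not in_windows_dir(img):
        return "T1547.001"  # Run-key persistence written by a binary outside C:\Windows
    if (ev["id"] == 7 and ev["signed"] == "false" and not in_windows_dir(ev["loaded"])
            and ntpath.dirname(ev["loaded"]).lower() == ntpath.dirname(img).lower()):
        return "T1574.002"  # unsigned DLL loaded from the EXE's own folder (side-loading)
    if ev["id"] == 8 and not in_windows_dir(img):
        return "T1055"  # remote thread created in another process by a user-land binary
    if (ev["id"] == 3 and ntpath.basename(img).lower() == "powershell.exe"
            and ev["dest_port"] in (80, 443)):
        return "T1567"  # PowerShell talking to a web service over HTTP(S)
    if (ev["id"] == 1 and ntpath.basename(img).lower() in SYSTEM_NAMES
            and not in_windows_dir(img)):
        return "T1036"  # system binary name running from a non-system path
    return None

def triage(events):
    """Map each matched technique id to the images that triggered it."""
    hits = {}
    for ev in events:
        tech = classify(ev)
        if tech:
            hits.setdefault(tech, []).append(ev["image"])
    return hits
```

Each rule is deliberately narrow; in production these would be tuned against a baseline of the environment's normal run-key writers, DLL load paths and PowerShell egress.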

ADDITIONAL SERVICE OFFERINGS

  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity, one that is greater than the sum of its parts.
  • Security Information and Event Management (SIEM) - Minimizing the impact of a successful ransomware or malware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company's IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior.
  • Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:
    • Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment).
    • Threat Mapping - Leverage Avertium's Cyber Threat Intelligence, getting a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK).
    • Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well-organized approach to establishing and continuously enhancing your cybersecurity resilience (Policy + Procedure Development, Virtual CISO (vCISO), Training + Enablement, Tabletop Exercises, and Business Continuity + Disaster Recovery Plan).

SUPPORTING DOCUMENTATION

Microsoft Warns of New INC Ransomware Targeting U.S. Healthcare Sector 

Microsoft: US Healthcare Sector Targeted by INC Ransomware Affiliate
