Play Ransomware impersonates SentinelOne for stealth recon

Jan. 17, 2025, 3:23 p.m.

Description

A Play ransomware attack involving the reconnaissance tool Grixba was detected and prevented. The attack began with the deployment of Grixba to a Windows server over RDP. The Grixba file was disguised as legitimate SentinelOne software, a new tactic for the group. Grixba is an obfuscated .NET application that takes encoded command-line arguments and uses an XOR key to decrypt its contents. The tool performs various scanning operations and stores the results in a password-protected zip file. The scan data is organized into 18 tables that give detailed information about the target environment. This reconnaissance enables precision targeting and amplifies the impact of the subsequent ransomware attack. Early detection of such tools is crucial for disrupting the attack chain and mitigating risk.

Date

  • Created: Jan. 17, 2025, 3:07 p.m.
  • Published: Jan. 17, 2025, 3:07 p.m.
  • Modified: Jan. 17, 2025, 3:23 p.m.

Indicators

  • b4505ab44108e27d8a5311fe5ba32e2db88e70f0084b5c0b0b903e5b98f904b7
  • 5922b1a7172bd60b1353f2a3c4de2a03efba8d57d0f696d00868d4ef6fcbc218
  • 3621468d188d4c3e2c6dfe3e9ddcfe3894701666bad918bc195aba0c44e46e94
  • 84.239.41.12

Attack Patterns