Posts
These arent the rclones youve been looking for...
I recently came across an interesting technique used by many different ransomware groups that is used for data exfiltration. In this current age of ransomware, it is becoming more common to see double and sometimes triple extortion, where they are exfiltrating the data out before encrypting so as to have some leverage should the company not decide to pay up. One such tool being used is called Rclone https://rclone.org/ What is interesting about this tool, it's a self contained executable and doesnt have to be installed on Windows. You simply download the zip file, unzip it and you can start using it.
Its strength lies in being able to communicate and upload to a large number of cloud storages via command line. A list of all the ones they currently support is found here: https://rclone.org/docs/ One of the ones I tested recently was its connection to Mega.io.
If a company isnt blocking outbound to these cloud storages, they run the risk of easy data exfil via this tool. To set it up for use with Mega, first you would sign up for an account at mega.io. Next you would navigate to your rclone.exe via command line and do the following:
During this setup it would ask you a series of questions such as:
So essentially you just provide it with the username and password for the Mega account and then test the connection with this command:
It was discovered recently that a Conti affiliate leaked their "playbook" which gave us good insight into the tools and techniques a ransomware group like Conti uses in their attacks. Here is a snippet about Rclone from their manual
Comments
Post a Comment