These aren't the rclones you've been looking for...

I recently came across an interesting data exfiltration technique used by many different ransomware groups. In the current age of ransomware it is becoming more common to see double and sometimes triple extortion, where the attackers exfiltrate the data before encrypting so as to have leverage should the company decide not to pay up. One such tool being used is called Rclone (https://rclone.org/). What is interesting about this tool is that it's a self-contained executable and doesn't have to be installed on Windows. You simply download the zip file, unzip it and you can start using it.

Its strength lies in being able to communicate with and upload to a large number of cloud storage providers from the command line. A list of all the providers it currently supports is found here: https://rclone.org/docs/ One of the ones I tested recently was its connection to Mega.io.

If a company isn't blocking outbound traffic to these cloud storage providers, they run the risk of easy data exfil via this tool. To set it up for use with Mega, you would first sign up for an account at mega.io. Next you would navigate to your rclone.exe via the command line and do the following:

During this setup it will ask you a series of questions such as:

So essentially you just provide it with the username and password for the Mega account, and then you test the connection with this command:

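The configuration step above leaves an artifact on disk that matters from the incident-response side: rclone writes the remote it was given to an INI-style rclone.conf file (by default under %APPDATA%\rclone\ on Windows). The script below is an added example, not code from the original post or from the rclone project. It parses a constructed sample of that file and reports which remotes are defined, their backend type, the account name and whether a stored credential is present, without reading or reversing the credential values. The remote names, e-mail address and placeholder secrets in the sample are made up.

```python
"""Triage an rclone.conf recovered from a host: list remotes, types and
credential presence without exposing the secrets themselves."""
import configparser

# Keys under which rclone keeps credential material. The "pass" value is
# rclone's obscured form rather than a hash, so only its presence is reported.
CREDENTIAL_KEYS = {"pass", "token", "secret_access_key", "client_secret"}

# Backend types that point at a service outside the host (a subset of rclone's
# backends). "local" is an rclone backend too, but it never leaves the machine.
EXTERNAL_TYPES = {"mega", "s3", "drive", "dropbox", "onedrive", "b2", "box",
                  "pcloud", "sftp", "ftp", "webdav"}

# Constructed sample rclone.conf; the first section is the shape the Mega
# setup described above produces. The "[mega]" name is whatever the user typed
# at the "name" prompt, so do not key detections on it.
SAMPLE_CONF = """\
[mega]
type = mega
user = someone@example.invalid
pass = OBSCURED_PLACEHOLDER

[local-backup]
type = local

[s3-archive]
type = s3
provider = AWS
access_key_id = AKIA_PLACEHOLDER
secret_access_key = SECRET_PLACEHOLDER
"""


def triage_remotes(conf_text):
    """Summarise every [remote] section of an rclone.conf as a list of dicts."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    summary = []
    for name in parser.sections():
        section = parser[name]
        backend = section.get("type", "").lower()
        summary.append({
            "remote": name,
            "type": backend,
            "external": backend in EXTERNAL_TYPES,
            # configparser lower-cases keys, matching rclone's own key names.
            "credential_keys": sorted(k for k in section if k in CREDENTIAL_KEYS),
            "user": section.get("user", ""),
        })
    return summary


def external_remotes(conf_text):
    """Only the remotes that could carry data off the host."""
    return [r for r in triage_remotes(conf_text) if r["external"]]


if __name__ == "__main__":
    for r in triage_remotes(SAMPLE_CONF):
        flag = "EXTERNAL" if r["external"] else "local"
        print(f"{r['remote']:<14} type={r['type']:<6} {flag:<9} "
              f"user={r['user'] or '-'} creds={r['credential_keys'] or '-'}")
```

The account name under `user` is the value worth pivoting on during scoping: it identifies the attacker's Mega account rather than anything belonging to the victim, and the same account tends to show up across every host the tool was staged on.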
Recently a Conti affiliate leaked their "playbook", which gave us good insight into the tools and techniques a ransomware group like Conti uses in their attacks. Here is a snippet about Rclone from their manual:

You can see here that they simply transferred files to their Mega account via this tool. We see a lot of companies getting breached lately, and one wonders whether they know of these tactics (maybe from someone on the threat intel team alerting them to this sort of thing constantly...) but never actually take the steps to set up monitoring for usage of this tool in their network or to block well-known cloud storage. It will take a massive, publicly leaked data dump for these companies to wake up and start practising Active Defense.
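As an added example of the monitoring called for above (not code from the original post or from the rclone project), here is a small Python detector that runs over Sysmon Event ID 1 (process creation) records and flags Rclone usage. It keys on the Image and OriginalFileName fields, so a copy of rclone.exe renamed to something innocuous is still caught, and separately on rclone's own `verb remote:path` command-line shape, which also works on Security 4688 events that lack OriginalFileName. The sample events are constructed, with made-up paths and process ids.

```python
"""Flag process-creation events that look like Rclone usage."""
import re
from dataclasses import dataclass, field

# rclone subcommands that push data toward a remote. A configured remote is
# addressed as "remote:path"; REMOTE_ARG requires two or more name characters
# before the colon (so drive letters such as D:\ do not match) and rejects
# URLs (a colon followed by //).
TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
REMOTE_ARG = re.compile(r"^[A-Za-z0-9_-]{2,}:(?!//)")


@dataclass
class Finding:
    process_id: int
    command_line: str
    reasons: list = field(default_factory=list)


def _basename(path):
    # Handles Windows paths even when this runs on a non-Windows analysis box.
    return re.split(r"[\\/]", path)[-1].lower()


def analyse_event(event):
    """Return a Finding for one process-creation record, or None if it looks benign."""
    image = _basename(event.get("Image", ""))
    original = event.get("OriginalFileName", "").lower()
    command_line = event.get("CommandLine", "")
    tokens = [t.strip('"') for t in command_line.split()]
    args = [t.lower() for t in tokens[1:]]
    reasons = []

    if image == "rclone.exe":
        reasons.append("image name is rclone.exe")
    elif original == "rclone.exe":
        # OriginalFileName comes from the PE version resource, which survives
        # renaming the file on disk.
        reasons.append("renamed rclone binary (OriginalFileName=rclone.exe, Image=%s)" % image)

    # Command-line shape check, independent of the file name.
    verb = next((a for a in args if a in TRANSFER_VERBS), None)
    if verb and any(REMOTE_ARG.match(t) for t in tokens[1:]):
        reasons.append("'%s' with a remote:path argument" % verb)
    if args[:1] == ["config"] and reasons:
        reasons.append("remote configuration activity")

    if not reasons:
        return None
    return Finding(int(event.get("ProcessId", 0)), command_line, reasons)


def analyse_events(events):
    return [f for f in (analyse_event(e) for e in events) if f]


# Constructed sample events in Sysmon Event ID 1 field names, not real telemetry.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Users\jdoe\Downloads\rclone\rclone.exe",
     "OriginalFileName": "rclone.exe", "CommandLine": "rclone.exe config"},
    {"ProcessId": 4188, "Image": r"C:\ProgramData\svchost.exe",
     "OriginalFileName": "rclone.exe",
     "CommandLine": r'svchost.exe copy "D:\Shares\Finance" mega:backup'},
    {"ProcessId": 5002, "Image": r"C:\Windows\System32\robocopy.exe",
     "OriginalFileName": "robocopy.exe",
     "CommandLine": r"robocopy.exe D:\Shares\Finance E:\Backup /MIR"},
    {"ProcessId": 5310, "Image": r"C:\Program Files\Git\bin\git.exe",
     "OriginalFileName": "git.exe",
     "CommandLine": "git.exe clone https://example.invalid/repo.git"},
]

if __name__ == "__main__":
    for f in analyse_events(SAMPLE_EVENTS):
        print(f.process_id, "|", "; ".join(f.reasons), "|", f.command_line)
```

The two benign events (robocopy and git) pass through untouched: a single-letter drive prefix does not satisfy REMOTE_ARG and a URL is rejected by the lookahead, so the command-line heuristic only fires on rclone's remote syntax. Pair this with the outbound block on the storage providers themselves, since a detection that fires after the upload has finished is much less useful than one that stops it.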
