2024-09-26

From Gootloader to Ransomware Impact, Tracing Vanilla Tempest's Ransomware Techniques

Level: Tactical | Source: Microsoft (X)
Industries: Education, Healthcare, Manufacturing, Technology


Vanilla Tempest, also tracked under the aliases DEV-0832 and Vice Society, has been active since July 2022. Its most recent attacks have targeted the healthcare sector, following a history of activity against education, manufacturing, and information technology organizations. Microsoft shared its latest intelligence on this financially motivated threat actor in a series of posts on X. The group's ransomware attacks have used a diverse set of payloads, including ALPHV/BlackCat, Hello Kitty/Five Hands, Quantum Locker, Rhysida, Zeppelin, and most recently INC. Notably, Microsoft researchers observed that this activity was enabled by a partnership with Storm-0494, which supplies initial network access obtained through the Gootloader malware.

Following the Gootloader infection, Vanilla Tempest's attack chain has involved the Supper backdoor alongside legitimate tools: AnyDesk for remote monitoring and management (RMM) and MEGA for data synchronization and exfiltration. Later stages involve lateral movement over Remote Desktop Protocol (RDP) and abuse of the Windows Management Instrumentation Provider Host to deploy the INC ransomware payload.
