Blackhats Steal NTLMv2 Hashes from Compromised Windows Using PowerShell

A newly observed attack campaign abuses a PowerShell script taken from a legitimate red teaming tool to steal NTLMv2 hashes from infected Windows systems, mostly in Australia, Poland, and Belgium.

Zscaler ThreatLabz tracks the campaign under the codename Steal-It.

Security researchers Niraj Shivtarkar and Avinash Kumar described the campaign as follows: “The threat actors use customized versions of Nishang’s Start-CaptureServer PowerShell script to steal and exfiltrate NTLMv2 hashes. They then execute various system commands and exfiltrate the retrieved data via Mockbin APIs.”

Nishang is a framework and collection of PowerShell scripts and payloads designed for penetration testing, offensive security, and red teaming.

According to the researchers, “the threat actors’ strategic use of LNK files within ZIP archives and custom PowerShell scripts highlights their technical expertise. The persistence preserved by renaming and moving files from the Downloads to Startup folder highlights the threat actors’ commitment to extended access.”
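Two defensive checks that follow from the behaviour described above, written as an added example (not code from the article or from Zscaler): flagging ZIP archives that carry LNK entries, and flagging file rename/move events whose source is a Downloads folder and whose destination is a Startup folder. The archive and the events are constructed sample data; in practice the events would come from file-system auditing such as Sysmon.

```python
import io
import zipfile
from pathlib import PureWindowsPath

def build_sample_zip():
    """Constructed sample: an in-memory ZIP carrying an LNK lure beside a harmless file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2023.pdf.lnk", b"L\x00\x00\x00" + b"\x00" * 16)
        zf.writestr("readme.txt", b"constructed sample")
    return buf.getvalue()

def lnk_entries(zip_bytes):
    """Return the names of .lnk entries inside a ZIP (LNK-in-ZIP lure check)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(".lnk")]

# Per-user Startup folder tail; the same tail appears under ProgramData for the all-users folder.
STARTUP_TAIL = [p.lower() for p in
                PureWindowsPath("Microsoft/Windows/Start Menu/Programs/Startup").parts]

def is_startup_path(path):
    """True if the path lies under a Windows Startup folder (case-insensitive)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    n = len(STARTUP_TAIL)
    return any(parts[i:i + n] == STARTUP_TAIL for i in range(len(parts)))

def is_downloads_path(path):
    """True if any path component is a Downloads folder."""
    return "downloads" in [p.lower() for p in PureWindowsPath(path).parts]

def flag_startup_moves(events):
    """Flag rename/move events that carry a file from Downloads into Startup.
    Each event is a dict with 'src' and 'dst' Windows paths; a changed file name
    between the two (the renaming the article mentions) is flagged as well."""
    return [ev for ev in events
            if is_downloads_path(ev["src"]) and is_startup_path(ev["dst"])]

# Constructed sample events: one persistence move, one benign move.
SAMPLE_EVENTS = [
    {"src": r"C:\Users\alice\Downloads\update.ps1",
     "dst": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.ps1"},
    {"src": r"C:\Users\alice\Downloads\report.pdf",
     "dst": r"C:\Users\alice\Documents\report.pdf"},
]

if __name__ == "__main__":
    print("LNK entries:", lnk_entries(build_sample_zip()))
    print("Startup moves:", flag_startup_moves(SAMPLE_EVENTS))
```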
