NirSoft tools are free, lightweight, and portable Windows utilities created by Nir Sofer developers. Their applications are primarily used for password recovery, network monitoring, system troubleshooting, digital forensics and so on.However, recent threat intelligence indicates that multiple ransomware operators are using specific Nirsoft tools to retrieve passwords, browser history, cookies etc. and carry forward the attack. Below are the example of such tools,
"netpass.exe", "netpass64.exe","webbrowserpassview.exe","routerpassview.exe", "credentialsfileview.exe","dataprotectiondecryptor.exe","encryptedregview.exe","vaultpasswordview.exe","mailpv.exe", "wirelesskeyview.exe","sniffpass.exe","rdpv.exe","pspv.exe", "vncpassview.exe","BulletsPassView64.exe","Dialupass.exe","mspass.exe","NetRouteView.exe","WirelessKeyView64.exe","BulletsPassView.exe","BypassCredGuard.exe","ChromePass.exe", "iepv.exe","OperaPassView.exe","PasswordFox.exe","PasswordFox64.exe","SCOMDecrypt.exe","SharpDecryptPwd.exe","pstpassword.exe","skypelogview.exe","chromecookiesview.exe", "lsasecretsview.exe","ExtPassword.exe","OutlookAccountsView.exe","OutlookAccountsView64.exe","SniffPass64.exe","WinMailPassRec.exe","WinMailPassRec64.exe","BrowsingHistoryView.exe","ServiWin.exe","SocketSniff.exe","PasswordScan.exe","ProduKey.exe","WirelessNetView.exe","EdgeCookiesView.exe"
Threat Overview
Observed Abuse
Attackers have been leveraging Nirsoft tools in various ransomware campaigns including but not limited to,
Threat research teams at Broadcom have observed multiple pre-ransomware activities involving Nirsoft tools where it was used to retrieve passwords, browser history, cookies, thereby enabling:
Action Plan
If any customer wishes to use the tool, provide instructions to exclude the Nirsoft detections using: