Detection and Blocking of Nirsoft tool as Hacktool.Nirsoft
search cancel

Detection and Blocking of Nirsoft tool as Hacktool.Nirsoft

book

Article ID: 445443

calendar_today

Updated On:

Products

Endpoint Protection Endpoint Protection Cloud Carbon Black Cloud Endpoint Standard Carbon Black EDR CloudSOC Data Retention

Issue/Introduction

NirSoft tools are free, lightweight, and portable Windows utilities created by Nir Sofer developers. Their applications are primarily used for password recovery, network monitoring, system troubleshooting, digital forensics and so on.However, recent threat intelligence indicates that multiple ransomware operators are using specific Nirsoft tools to retrieve passwords, browser history, cookies etc. and carry forward the attack. Below are the example of such tools,

"netpass.exe", "netpass64.exe","webbrowserpassview.exe","routerpassview.exe", "credentialsfileview.exe","dataprotectiondecryptor.exe","encryptedregview.exe","vaultpasswordview.exe","mailpv.exe", "wirelesskeyview.exe","sniffpass.exe","rdpv.exe","pspv.exe", "vncpassview.exe","BulletsPassView64.exe","Dialupass.exe","mspass.exe","NetRouteView.exe","WirelessKeyView64.exe","BulletsPassView.exe","BypassCredGuard.exe","ChromePass.exe", "iepv.exe","OperaPassView.exe","PasswordFox.exe","PasswordFox64.exe","SCOMDecrypt.exe","SharpDecryptPwd.exe","pstpassword.exe","skypelogview.exe","chromecookiesview.exe", "lsasecretsview.exe","ExtPassword.exe","OutlookAccountsView.exe","OutlookAccountsView64.exe","SniffPass64.exe","WinMailPassRec.exe","WinMailPassRec64.exe","BrowsingHistoryView.exe","ServiWin.exe","SocketSniff.exe","PasswordScan.exe","ProduKey.exe","WirelessNetView.exe","EdgeCookiesView.exe"

Threat Overview

Observed Abuse

Attackers have been leveraging Nirsoft tools in various ransomware campaigns including but not limited to,

  • Akira
  • Backmydata
  • Beast
  • Bert
  • DeadLock
  • GodDamn
  • Hive
  • LockBit
  • Mimic
  • Monster
  • Noberus
  • Phobos
  • Play
  • Proton
  • Qilin
  • RansomHub
  • Royal
  • Snatch
  • Sodinokibi
  • Trigona

Threat research teams at Broadcom have observed multiple pre-ransomware activities involving Nirsoft tools where it was used to retrieve passwords, browser history, cookies, thereby enabling:

  • Ransomware deployment
  • Data exfiltration
  • Secondary malware deployment

Resolution

Action Plan

    1. Blocking Implementation
      1. Nirsoft will be blocked statically using the VID/sig/signature: Hacktool.Nirsoft.
      2. Nirsoft will be blocked dynamically using the VID/sig/signature: SONAR.SuspLaunch!g548, SONAR.SuspLaunch!g637.
      3. Reputation-based changes and SDS blocking will extend protection to CB (Carbon Black) customers as well.
    1. Customer Communication
      1. Nirsoft will be blocked statically using the VID/sig/signature: Hacktool.Nirsoft.
      2. Nirsoft will be blocked dynamically using the VID/sig/signature: SONAR.SuspLaunch!g548, SONAR.SuspLaunch!g637.
      3. Reputation-based changes and SDS blocking will extend protection to CB (Carbon Black) users as well.

If any customer wishes to use the tool, provide instructions to exclude the Nirsoft detections using:

  • Hash-based exclusion, or
  • VID (Hacktool.Nirsoft /SONAR.SuspLaunch!g548, SONAR.SuspLaunch!g637 ) exclusion

Additional Information

Related Articles:- 

Application Exception (SEP)
Adding Allow List policy scan exceptions (SES)
Setting up Exclusions in the Carbon Black Cloud Console for AV Products