Qilin Ransomware Exploits MSPaint and Notepad to Find Sensitive Information

In Vulnerabilities, Data Breach News
October 27, 2025

Cyber Press reports:

Cisco Talos has identified a sophisticated technique employed by the Qilin ransomware group, in which threat actors leverage legitimate Windows utilities, specifically MSPaint and Notepad, to inspect and locate high-sensitivity information across compromised networks manually.

[…]

During the credential access and exfiltration phase, attackers execute a comprehensive credential-harvesting workflow using tools such as Mimikatz, NirSoft password recovery utilities, and custom scripts.

Following successful credential collection, they package targeted data using WinRAR with specific command-line arguments configured to exclude base folders and prevent recursive subdirectory processing.

The attackers then manually browse file systems using notepad.exe and mspaint.exe, examining numerous files to identify sensitive information worthy of exfiltration.

Read more at Cyber Press.
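As an added defender-side example, not code from the Cyber Press or Talos reporting: a small Python heuristic that flags an account opening many distinct files with notepad.exe or mspaint.exe in a short window, the manual file-browsing pattern described above. The log format (`ts|host|user|command_line`) and the sample entries are constructed assumptions, not any vendor's schema.

```python
"""Flag hosts/users where notepad.exe or mspaint.exe opens an unusual number of
distinct files in a short window. Log format is a constructed, simplified
process-creation record (assumption), not a real vendor schema."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WATCHED = {"notepad.exe", "mspaint.exe"}
# optional quotes around image path, whitespace, optional quotes around one argument
CMD_RE = re.compile(r'^"?(?P<image>[^"\s]+)"?\s+"?(?P<target>[^"]+?)"?$')

# Constructed sample log: one account sweeping share folders, one benign user.
SAMPLE_LOG = r"""2025-10-20T02:11:05|FS01|svc_backup|C:\Windows\System32\notepad.exe \\fs01\finance\payroll_2025.csv
2025-10-20T02:11:42|FS01|svc_backup|"C:\Windows\System32\mspaint.exe" "\\fs01\hr\passport_scan_01.png"
2025-10-20T02:12:10|FS01|svc_backup|C:\Windows\System32\notepad.exe \\fs01\finance\bank_accounts.txt
2025-10-20T02:13:55|FS01|svc_backup|"C:\Windows\System32\mspaint.exe" "\\fs01\hr\passport_scan_02.png"
2025-10-20T02:15:02|FS01|svc_backup|C:\Windows\System32\notepad.exe \\fs01\legal\nda_list.txt
2025-10-20T02:16:30|FS01|svc_backup|C:\Windows\System32\notepad.exe \\fs01\it\vpn_config.ovpn
2025-10-20T09:30:00|WS22|alice|C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt
2025-10-20T09:31:00|WS22|alice|C:\Windows\explorer.exe C:\Users\alice""".splitlines()

def parse_event(line):
    """'ts|host|user|command_line' -> dict, or None if not a watched editor opening a file."""
    ts, host, user, cmd = line.split("|", 3)
    m = CMD_RE.match(cmd.strip())
    if not m:
        return None
    image = m.group("image").rsplit("\\", 1)[-1].lower()
    if image not in WATCHED:
        return None
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "image": image, "target": m.group("target")}

def find_browsing(lines, window=timedelta(minutes=10), threshold=5):
    """Return {(host, user): set_of_files} for actors whose distinct files opened
    via watched editors within `window` reach `threshold`."""
    events = [e for e in (parse_event(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_actor = defaultdict(list)
    for e in events:
        by_actor[(e["host"], e["user"])].append(e)
    hits = {}
    for actor, evs in by_actor.items():
        for i, start in enumerate(evs):  # sliding window anchored at each event
            seen = {x["target"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(seen) >= threshold:
                hits[actor] = seen
                break
    return hits

if __name__ == "__main__":
    for (host, user), files in find_browsing(SAMPLE_LOG).items():
        print(f"{host}/{user}: {len(files)} files opened via notepad/mspaint", sorted(files))
```

Tune `window` and `threshold` to the environment; legitimate help-desk or document-review accounts will need an allowlist rather than a lower bar.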