According to researchers with Sophos Managed Threat Response, the operators behind Maze ransomware have been adopting tactics from rival cybercrime organizations, adding a dangerous new feature. Maze ransomware can now distribute ransomware payloads through virtual machines. According to researchers, this is a “radical” approach that aims to avoid endpoint defense.
The Maze operators were recently observed by cybersecurity researchers distributing malware in the form of a VirtualBox virtual disk image within a Windows MSI file. This type of file is a format utilized for the installation and removal of programs on a device. The attackers used a stripped-down, decades-old copy of the VirtualBox hypervisor. The file appears to be trusted by the virtual machine, allowing it to then run the software, helping the ransomware to avoid detection.
Read More: Maze Ransomware Adopts Ragnar Locker Virtual-Machine Approach