Pygmy Goat uses the LD_PRELOAD environment variable to inject itself into the sshd process, ensuring it’s loaded and executed whenever the SSH daemon starts.
Tag: T1040
It’s Not Safe To Pay SafePay
The threat actor initiated the attack by disabling Windows Defender's real-time protection and automatic sample submission. They then enumerated network shares with a PowerShell script. Sensitive data was collected and archived using WinRAR. Subsequently, they used a COM-object-based UAC bypass to obtain elevated privileges. Finally, the SafePay ransomware was deployed to encrypt files on the target system.