Rorschach Ransomware

April 6, 2023

Security researchers have discovered a new ransomware strain, called Rorschach, with unique technical features. The malware is deployed using the dynamic link library (DLL) side-loading technique via a signed component of Cortex XDR, a threat detection and incident response tool from Palo Alto Networks.

Separately, Palo Alto Networks issued an informational security advisory discussing Rorschach ransomware operators using the Cortex XDR Dump Service Tool (cydump.exe) to load untrusted DLLs via DLL side-loading. Side-loading is possible only when the tool has been copied out of its installation directory; when the Cortex XDR agent is installed on Windows and runs from its installation path, Cortex XDR's security permissions and protections prevent untrusted DLLs from being loaded. In the advisory, Palo Alto verified that Cortex XDR 7.7 and newer, with content update version 240 (released November 2021) or a later content update, detect and block the ransomware. New versions of the Cortex XDR agent, capable of blocking the DLL side-loading technique, will be released next week to prevent future misuse of the software. macOS and Linux platforms are not affected by this issue.
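The advisory's key observable for defenders is that side-loading through cydump.exe requires the signed tool to run from somewhere other than its installation directory. The following detection script is an added example, not code from the advisory or from Palo Alto Networks: it scans constructed process-creation and image-load telemetry and flags the watched tool when it executes outside an expected install directory, raising severity when the relocated binary also loads a DLL from its own directory (the side-loading pattern). The install path, the telemetry field layout and the sample log lines are assumptions chosen for illustration.

```python
"""Flag a signed vendor tool running, or loading DLLs, outside its install directory.

Added example for the Rorschach advisory discussion; the install path, log format
and sample records below are constructed assumptions, not vendor data.
"""
import ntpath

# Assumption: where the tool is expected to live. Substitute your deployment's real path.
EXPECTED_INSTALL_DIR = r"C:\Program Files\ExampleVendor\Agent"
WATCHED_TOOL = "cydump.exe"  # tool named in the advisory

# Constructed telemetry: timestamp|event|image_path|loaded_dll (empty for ProcessCreate).
# "example.dll" is a placeholder; the advisory does not name the side-loaded DLL.
SAMPLE_LOG = r"""
2023-04-06T09:00:01Z|ProcessCreate|C:\Program Files\ExampleVendor\Agent\cydump.exe|
2023-04-06T09:00:02Z|ImageLoad|C:\Program Files\ExampleVendor\Agent\cydump.exe|C:\Windows\System32\kernel32.dll
2023-04-06T09:05:10Z|ProcessCreate|C:\Users\Public\staging\cydump.exe|
2023-04-06T09:05:11Z|ImageLoad|C:\Users\Public\staging\cydump.exe|C:\Users\Public\staging\example.dll
2023-04-06T09:06:00Z|ProcessCreate|C:\Windows\System32\notepad.exe|
""".strip()


def parse_line(line):
    """Split one pipe-delimited record into a dict; 'loaded' is None for process events."""
    ts, kind, image, loaded = line.split("|", 3)
    return {"ts": ts, "kind": kind, "image": image, "loaded": loaded or None}


def _norm(path):
    # Windows path semantics regardless of the host running this script:
    # collapse separators and lowercase so comparisons are case-insensitive.
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path, directory):
    """True if `path` is located inside `directory` (Windows, case-insensitive)."""
    prefix = _norm(directory).rstrip("\\") + "\\"
    return _norm(path).startswith(prefix)


def classify(ev):
    """Return a severity-tagged finding for a suspicious event, or None if benign."""
    if ntpath.basename(ev["image"]).lower() != WATCHED_TOOL:
        return None  # not the tool we are watching
    if is_under(ev["image"], EXPECTED_INSTALL_DIR):
        return None  # running from its install path, where the agent's protections apply
    if ev["kind"] == "ImageLoad" and ev["loaded"]:
        # A relocated signed binary pulling a DLL from its own directory is the
        # side-loading pattern the advisory describes.
        if _norm(ntpath.dirname(ev["loaded"])) == _norm(ntpath.dirname(ev["image"])):
            return "HIGH: relocated %s loaded DLL from its own directory (possible side-load): %s" % (
                WATCHED_TOOL, ev["loaded"])
    return "MEDIUM: %s running outside install dir: %s" % (WATCHED_TOOL, ev["image"])


def scan(log_text):
    """Run classify() over every non-empty record and collect the findings in order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        finding = classify(parse_line(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

The MEDIUM finding fires as soon as the tool runs from an unexpected path, which is the precondition the advisory identifies; the HIGH finding adds the image-load correlation so that a copied binary that then loads a DLL beside itself stands out from a merely misplaced one. In a real deployment the same logic maps onto EDR or Sysmon process-creation and image-load events, with the install directory taken from the agent's actual configuration rather than the placeholder above.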