SecurityWeek

Cybercrime

How Low-level Hackers Access High-end Malware

Hacking tool downloads from underground forums are increasing, and the tools are becoming more sophisticated; low-level hackers are gaining access to hacked versions of sophisticated tools; access broking is growing; and existing tools are repurposed for more aggressive attacks.

An example of a cracked tool in circulation was seen when researchers detected a user downloading a pirated copy of the credential stuffing tool Sentry MBA from a Turkish-language cracking forum. Sentry MBA includes features to bypass website security controls such as CAPTCHA challenges and web application firewalls. “Threat actors,” say researchers in the HP Wolf Security Threat Insights Report for 1H/2021 (PDF), “can either use pre-bundled optical character recognition (OCR), computer vision models, or configure the tool to query the APIs of third-party CAPTCHA-solving services during an attack.”

The process illustrates how low-level hackers can access and use high-level malware. “A big driver of why hacking tools are so easy to obtain,” say the researchers, “is widespread malware piracy or ‘cracking’, enabling anyone to use tools without payment – even if developers intended otherwise.” 
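Sentry MBA's CAPTCHA bypass only matters if the target cannot recognise the login pattern the tool produces: one source cycling through many leaked username/password pairs, with most of them failing. The detection below is an added example written for this article, not code from the HP Wolf report or from Sentry MBA. The log format, the field names and the thresholds (window, minimum distinct accounts, maximum success ratio) are assumptions chosen for illustration, and the log lines are constructed.

```python
"""Credential-stuffing detection over constructed web login logs.

Added example; not code from the HP Wolf report, SecurityWeek or Sentry MBA.
The log format, thresholds and field names are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real traffic): timestamp, client IP, username, result.
# 203.0.113.7 cycles through ten accounts in six seconds (stuffing); 198.51.100.20 is
# one user mistyping a password twice; 192.0.2.33 is a single failure.
SAMPLE_LOG = """\
2021-05-03T10:00:01Z 203.0.113.7 alice FAIL
2021-05-03T10:00:02Z 203.0.113.7 bob FAIL
2021-05-03T10:00:02Z 203.0.113.7 carol FAIL
2021-05-03T10:00:03Z 203.0.113.7 dave FAIL
2021-05-03T10:00:03Z 203.0.113.7 erin OK
2021-05-03T10:00:04Z 203.0.113.7 frank FAIL
2021-05-03T10:00:05Z 203.0.113.7 grace FAIL
2021-05-03T10:00:05Z 203.0.113.7 heidi FAIL
2021-05-03T10:00:06Z 203.0.113.7 ivan FAIL
2021-05-03T10:00:07Z 203.0.113.7 judy FAIL
2021-05-03T10:00:09Z 198.51.100.20 alice FAIL
2021-05-03T10:00:15Z 198.51.100.20 alice FAIL
2021-05-03T10:00:40Z 198.51.100.20 alice OK
2021-05-03T10:01:10Z 192.0.2.33 mallory FAIL
"""

WINDOW = timedelta(seconds=60)   # sliding window per source IP (assumed value)
MIN_DISTINCT_USERS = 5           # stuffing cycles through many accounts ...
MAX_SUCCESS_RATIO = 0.2          # ... and most leaked pairs no longer work


def parse_line(line: str):
    """Parse one constructed log line into (timestamp, ip, user, success)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def parse_log(text: str):
    """Parse all non-empty lines and sort them chronologically."""
    return sorted(parse_line(l) for l in text.splitlines() if l.strip())


def detect_stuffing(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                    max_success=MAX_SUCCESS_RATIO):
    """Return {ip: alert} for every source whose best window looks like stuffing.

    A window is flagged when it touches at least `min_users` distinct accounts
    and its success ratio is at most `max_success`. The alert keeps the window
    with the most distinct accounts and lists accounts that logged in successfully,
    since those are the credentials the attacker now knows are valid.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window
                start += 1
            win = evs[start:end + 1]
            users = {u for _, _, u, _ in win}
            successes = sum(1 for *_, ok in win if ok)
            if len(users) >= min_users and successes / len(win) <= max_success:
                prev = alerts.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    alerts[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(win),
                        "successes": successes,
                        "compromised": sorted({u for _, _, u, ok in win if ok}),
                        "first_seen": win[0][0].isoformat(),
                        "last_seen": win[-1][0].isoformat(),
                    }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, alert)
```

The per-IP key is the weak point of this check: credential stuffing tools are routinely run through rotating proxy lists, so the same campaign can arrive from hundreds of addresses with a handful of attempts each. In practice the same window logic is also applied globally (distinct accounts per minute across all sources, failure ratio against the site's baseline) and to request fingerprints such as the user agent, and the accounts in `compromised` get forced password resets rather than just an alert.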

Dr. Ian Pratt, global head of security, personal systems at HP Inc, added, “The proliferation of pirated hacking tools and underground forums is allowing previously low-level actors to pose serious risks to enterprise security. Simultaneously, users continue to fall prey to simple phishing attacks time and time again.”

What the researchers’ new threat insight report does not show is any reduction in malicious activity overall, although COVID-19 themed phishing campaigns do finally appear to be abating: “Less than 1% of isolated emails used COVID-19 as a lure,” the report notes.

Currently, almost half of all phishing lures are based on business transactions. One campaign discovered by the researchers in January 2021 used disguised job applications with an attached resume, primarily targeting businesses in Chile, Italy, Japan, Pakistan, Philippines, UK, and US. The attachment exploited the Microsoft Equation Editor vulnerability (CVE-2017-11882). If successful, it dropped the Remcos RAT.

Before the takedown of Emotet in late January 2021, the researchers saw Emotet campaigns targeting Japanese organizations using lures from stolen email threads. Email thread hijacking was used in 15% of all phishing lures during the first half of 2021. 

Emotet had increasingly become a delivery mechanism for other malware, and the same shift is now visible in CryptBot. Originally an information stealer, CryptBot was seen in a May 2021 campaign delivering the DanaBot banking trojan, which the researchers associate with the TA547 threat group.

Emotet has now been replaced by Dridex as the most prevalent malware family, followed by Agent Tesla, although Emotet clings on at number three. The Microsoft Equation Editor vulnerability is, according to the HP Wolf researchers, by far the most exploited vulnerability, with exploitation attempts up 24% in H1/2021 over H2/2020.
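The resume campaign described above and the exploit statistics in this paragraph both turn on the same artefact: a document that embeds a Microsoft Equation 3.0 OLE object so that the vulnerable Equation Editor component is loaded when the file opens. The scanner below is an added example for this article, not code from the HP Wolf report, SecurityWeek or any vendor; it does static triage of an RTF attachment for the markers such a lure carries. The RTF control words (`\object`, `\objclass`, `\objdata`, `\objupdate`) and the Equation 3.0 CLSID are real format facts; the sample document is constructed and contains no exploit payload.

```python
"""Static triage of RTF e-mail attachments for Microsoft Equation Editor
(CVE-2017-11882) lures.

Added example; not code from the HP Wolf report or SecurityWeek. The RTF
control words are real format features; the sample document below is
constructed and carries no exploit payload.
"""
import re

# CLSID of Microsoft Equation 3.0, {0002CE02-0000-0000-C000-000000000046},
# as it is serialised little-endian in OLE object data inside \objdata hex.
EQUATION_CLSID_HEX = "02ce020000000000c000000000000046"
EQUATION_CLASSES = {"equation.2", "equation.3"}

# Constructed sample: a "resume" RTF with an embedded Equation.3 object that is
# marked \objupdate so it loads on open. The object data is dummy hex, not a
# working exploit; the CLSID is split across lines as real RTF writers do.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\n"
    b"\\pard Please find my resume attached.\\par\n"
    b"{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}\n"
    b"{\\*\\objdata 01050000 02000000 0b000000 45717561 74696f6e 2e330000\n"
    b"00000000 00000000 d0cf11e0 a1b11ae1\n"
    b"02ce0200 00000000 c0000000 00000046}}\\par}\n"
)
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 Plain text only.\\par}"


def _rtf_groups(text: str, marker: str):
    """Return every brace-balanced RTF group that starts with `marker`.

    Honours RTF escapes (\\{ and \\}) so escaped braces do not skew the depth.
    """
    groups = []
    start = text.find(marker)
    while start != -1:
        depth, j = 0, start
        while j < len(text):
            c = text[j]
            if c == "\\":            # escape: skip the escaped character
                j += 2
                continue
            if c == "{":
                depth += 1
            elif c == "}":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        groups.append(text[start:j + 1])
        start = text.find(marker, j + 1)
    return groups


def _objdata_hex(obj_group: str) -> str:
    """Concatenate the hex payload of the object's \\objdata destination,
    dropping the whitespace and newlines RTF writers (and attackers) insert."""
    marker = "{\\*\\objdata"
    chunks = []
    for grp in _rtf_groups(obj_group, marker):
        body = grp[len(marker):-1]                 # strip marker and closing brace
        chunks.append(re.sub(r"[^0-9a-fA-F]", "", body))
    return "".join(chunks).lower()


def scan_rtf_attachment(data: bytes) -> dict:
    """Return a triage verdict: {'format', 'indicators', 'suspicious'}."""
    if not data.lstrip().startswith(b"{\\rtf"):
        return {"format": "other", "indicators": [], "suspicious": False}
    text = data.decode("latin-1")                  # RTF is 7-bit; latin-1 never fails
    indicators = []
    for obj in _rtf_groups(text, "{\\object"):
        m = re.search(r"\\objclass\s+([^\\{}\s;]+)", obj)
        if m and m.group(1).lower() in EQUATION_CLASSES:
            indicators.append(f"objclass:{m.group(1)}")
        if EQUATION_CLSID_HEX in _objdata_hex(obj):
            indicators.append("clsid:Equation-3.0")   # class name omitted or spoofed
        if "\\objupdate" in obj:
            indicators.append("objupdate")            # object loads on open, no click
    equation = any(i.startswith(("objclass:", "clsid:")) for i in indicators)
    return {"format": "rtf", "indicators": indicators, "suspicious": equation}


if __name__ == "__main__":
    print(scan_rtf_attachment(SAMPLE_RTF))
    print(scan_rtf_attachment(BENIGN_RTF))
```

Checking the CLSID in the object data as well as the `\objclass` string matters because exploit builders often omit or alter the class name and rely on the CLSID alone; conversely, the scanner only covers RTF, so the same OLE object inside an OOXML `embeddings/oleObject1.bin` needs a separate parser, and heavily obfuscated RTF (control-word noise inside `\objdata`, nested groups) can still slip past a marker match. On the endpoint, the complementary detection is process lineage: EQNEDT32.EXE should not be spawning child processes.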

The researchers also saw an increase in the use of the Purple Fox exploit kit. One sample captured in April 2021 attempted to exploit a memory corruption vulnerability in Internet Explorer (CVE-2021-26411, patched in early March 2021). Exploit PoC code for this vulnerability was released in mid-March 2021, and code similar to the PoC was found in Purple Fox in April – “meaning,” say the researchers, “organizations only had a small window to patch before risking compromise by Purple Fox.”

“As cybercrime becomes more organized,” says Pratt, “and smaller players can easily obtain effective tools and monetize attacks by selling on access, there’s no such thing as a minor breach. The endpoint continues to be a huge focus for cybercriminals. Their techniques are getting more sophisticated, so it’s more important than ever to have comprehensive and resilient endpoint infrastructure and cyber defense.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
