Security Experts:

How Low-level Hackers Access High-end Malware

Hacking tool downloads from underground forums are increasing, and the tools are becoming more sophisticated; low-level hackers are gaining access to hacked versions of sophisticated tools; access broking is growing; and existing tools are repurposed for more aggressive attacks.

An example of hacked malware was discovered when researchers detected a user downloading a cracked copy of the credential stuffing tool Sentry MBA from a Turkish-language cracking forum. Sentry MBA includes features to bypass website security controls, such as CAPTCHA challenges and web application firewalls. “Threat actors,” say researchers in the HP Wolf Security Threat Insights Report for 1H/2021 (PDF), “can either use pre-bundled optical character recognition (OCR), computer vision models, or configure the tool to query the APIs of third-party CAPTCHA-solving services during an attack.” 

The process illustrates how low-level hackers can access and use high-level malware. “A big driver of why hacking tools are so easy to obtain,” say the researchers, “is widespread malware piracy or ‘cracking’, enabling anyone to use tools without payment – even if developers intended otherwise.” 

Dr. Ian Pratt, global head of security, personal systems at HP Inc, added, “The proliferation of pirated hacking tools and underground forums is allowing previously low-level actors to pose serious risks to enterprise security. Simultaneously, users continue to fall prey to simple phishing attacks time and time again.”

The only thing not emerging from the researchers’ new threat insight report is any reduction in malicious activity – although it does seem that the COVID-19 themed phishing campaigns are finally abating. “Less than 1% of isolated emails used COVID-19 as a lure,” notes the report. 

Currently, almost half of all phishing lures are based on business transactions. One campaign discovered by the researchers in January 2021 used disguised job applications with an attached resume, primarily targeting businesses in Chile, Italy, Japan, Pakistan, Philippines, UK, and US. The attachment exploited the Microsoft Equation Editor vulnerability (CVE-2017-11882). If successful, it dropped the Remcos RAT.

Before the takedown of Emotet in late January 2021, the researchers saw Emotet campaigns targeting Japanese organizations using lures from stolen email threads. Email thread hijacking was used in 15% of all phishing lures during the first half of 2021. 

Emotet had increasingly become a delivery mechanism for other malware. This same process is now visible with CryptBot. Originally an information stealer, a May 2021 campaign discovered it being used to deliver the DanaBot banking trojan associated with the TA547 threat group.

Emotet has now been replaced by Dridex as the most prevalent malware family. This is followed by Agent Tesla, although Emotet clings on at number three. The Microsoft Equation Editor vulnerability is, according to the HP Wolf researchers, by far the most exploited vulnerability, with a 24% increase in H1/2021 over H2/2020.

The researchers also saw an increase in the use of the Purple Fox exploit kit. One sample captured in April 2021 attempted to exploit a memory corruption vulnerability in Internet Explorer (CVE-2021-26411, patched in early March 2021). Exploit PoC code for this vulnerability was released in mid-March 2021, and code similar to the PoC was found in Purple Fox in April – “meaning,” say the researchers, “organizations only had a small window to patch before risking compromise by Purple Fox.”

“As cybercrime becomes more organized,” says Pratt, “and smaller players can easily obtain effective tools and monetize attacks by selling on access, there’s no such thing as a minor breach. The endpoint continues to be a huge focus for cybercriminals. Their techniques are getting more sophisticated, so it’s more important than ever to have comprehensive and resilient endpoint infrastructure and cyber defense.”

Related: Europol Report Highlights Pandemic's Effect on Cybercrime

Related: UK Spy Agency Releases Annual Threat Report

Related: Scans for Vulnerable Exchange Servers Started 5 Mins After Disclosure of Flaws

Related: Exploits for MS Office Flaws Most Popular in Q1 2021

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.