Understanding APT Hacking Tools Helps With Defense

Just like a hammer or wrench, hackers have tools in their digital toolboxes to make advanced persistent threat (APT) campaigns simpler to manage and launch.

Understanding these tools can help administrators identify APTs, argued Roland Dela Paz, threat researcher at Trend Micro. But there is a problem: hacking tools are grayware, and anti-malware products do not always detect them.

“Unfortunately, this means less visibility in APT forensic investigations,” he blogged.

Among the tools researchers often see are: password recovery tools, which are used to extract passwords or password hashes stored by local applications or the operating system; user account clone tools; file manipulation tools for copying and deleting files and modifying their timestamps; and FTP tools that help with FTP transactions such as uploading files to a specific FTP site. Other commonly seen tools include data compression tools and scheduled job tools.

One good sign that an organization has been compromised is suspicious instances of command shell processes, Dela Paz explained.

“The tools listed above are either command line tools or run both in command line and via GUI,” he blogged. “Attackers use these tools through a hidden command prompt instance, thus regularly checking your environment for unknown command shell processes can help you identify possible infection. Additionally, using process utilities such as Process Explorer will allow you to see the parameters in a command process. This may help you correlate possible components of an APT.”

The presence of the tools can, of course, also be a sign of compromise, and users should be wary of such software on their systems, he added. Sometimes the attackers save the tools under odd file names or with fake file extensions, so being able to identify files added to computer systems is important in detecting an attack.

In addition, organizations should pay attention to FTP connections in the network logs.

“While it is more common to check for malicious C&C connections, checking for FTP connections gives another opportunity to identify a breach in your network,” he blogged. “In a corporate setting, FTP sites are usually Intranet sites. Thus, it is easier to sort out legitimate FTPs from malicious ones. FTP transactions are significantly smaller than other types of communications in the network, which may allow you to identify a breach faster. Furthermore, checking for archive files or files with odd file names being uploaded to a remote site may also suggest compromise.”
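The three FTP checks Dela Paz describes (FTP sessions to servers outside the intranet, archive uploads, and odd file names) can be turned into a simple log triage. The following is an added Python example, not code from the article or from Trend Micro; the egress log line format, the sample lines and the intranet address ranges are all constructed assumptions.

```python
import ipaddress
import os
import re

# Constructed egress log (assumed format: "<ts> <src> -> <dst>:<port> <verb> <arg>").
SAMPLE_LOG = """\
2012-03-01T10:01:02 10.0.5.21 -> 10.0.1.8:21 STOR weekly_report.pdf
2012-03-01T10:03:15 10.0.5.21 -> 203.0.113.44:21 STOR kb7493.tmp
2012-03-01T10:04:40 10.0.5.33 -> 198.51.100.9:443 GET /index.html
2012-03-01T10:05:01 10.0.5.21 -> 203.0.113.44:21 STOR docs.rar
2012-03-01T10:06:12 10.0.5.40 -> 10.0.1.8:21 RETR installer.zip
"""

# Assumed corporate intranet ranges; FTP servers are expected to live here.
INTRANET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ARCHIVE_EXT = {".rar", ".zip", ".7z", ".cab", ".gz"}
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+) (\S+)$")


def is_intranet(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in INTRANET)


def odd_name(name: str) -> bool:
    """Heuristics for names attackers use to park staged data."""
    stem, ext = os.path.splitext(name.lower())
    return (
        ext in {".tmp", ".dat", ".bak"}                        # data hidden under a throwaway extension
        or os.path.splitext(stem)[1] != ""                     # double extension, e.g. report.pdf.exe
        or re.fullmatch(r"[a-z]{0,3}\d{3,}", stem) is not None  # machine-looking stem such as kb7493
    )


def triage_ftp(log_text: str) -> list:
    """Return only FTP (port 21) events that match at least one of the three indicators."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, port, verb, arg = m.groups()
        if port != "21":
            continue
        reasons = []
        if not is_intranet(dst):
            reasons.append("external FTP server")
        if verb == "STOR":  # uploads are where data leaves the network
            if os.path.splitext(arg)[1].lower() in ARCHIVE_EXT:
                reasons.append("archive upload")
            if odd_name(arg):
                reasons.append("odd file name")
        if reasons:
            findings.append({"ts": ts, "src": src, "dst": dst, "file": arg, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_ftp(SAMPLE_LOG):
        print(f["ts"], f["src"], "->", f["dst"], f["file"], "; ".join(f["reasons"]))
```

The internal upload of a PDF and the internal download of an installer archive are left alone; only the two uploads to the external server are reported, each with the reason that made it stand out.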

Finally, he suggested organizations review scheduled jobs, which he called a common auto-start method for APTs and malware in general.

“By understanding targeted attacks from different perspectives, users, security administrators, as well as security researchers are empowered to better combat these threats,” Dela Paz noted. “Highlighting APT components, in this case, extends our visibility in identifying existing compromise by knowing what and where to look for.”
