Experts from cybersecurity agencies from Five Eyes intelligence alliance have issued a report that provides technical details on most popular hacking tool families and the way to detect and neutralizes attacks involving them.
The report was realized with the contribute of the researchers from the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC), and the US National Cybersecurity and Communications Integration Center (NCCIC).
“This report is a collaborative research effort by the cyber security authorities of five nations: Australia, Canada, New Zealand, the United Kingdom, and the United States.” reads the report published by the experts.
“In it we highlight the use of five publicly available tools, which have been used for malicious purposes in recent cyber incidents around the world. The five tools are:
To aid the work of network defenders and systems administrators, we also provide advice on limiting the effectiveness of these tools and detecting their use on a network.”
The report provides technical details on remote access trojans (RATs), web shells, credential stealers, lateral movement frameworks, and command and control (C&C) obfuscators.
The experts analyzed the JBiFrost RAT, that is a variant of Adwind backdoor, that was used by almost any kind of attackers from nation-state hackers to low-skilled crooks.
“JBiFrost RAT is typically employed by cyber criminals and low-skilled threat actors, but its capabilities could easily be adapted for use by state-sponsored threat actors.
Other RATs are widely used by Advanced Persistent Threat (APT) actor groups, such as Adwind RAT, against the aerospace and defense sector; or Quasar RAT, by APT10, against a broad range of sectors.” states the report.
“JBiFrost RAT is Java-based, cross-platform, and multifunctional. It poses a threat to several different operating systems, including Windows, Linux, MAC OS X, and Android.”
The report also describes the popular post–exploitation tool Mimikatz that was used by many threat actors and the lateral movement framework PowerShell Empire, this latter is used by attackers to elevate privileges, harvest credentials, find nearby hosts, and move laterally across the target network.
The experts at Five Eyes agencies also detailed the China Chopper web shell, a code injection web shell that executes Microsoft .NET code within HTTP POST commands.
The China Chopper is a tiny shell (4K) widely used in attacks in the wild since 2012, early this year the China-linked APT group Leviathan. aka TEMP.Periscope, used it in attacks on engineering and maritime entities over the past months.
Another hacking tool described in the report is HUC Packet Transmitter (HTran), that could be exploited by attackers to obfuscate communications with the intent bypass security controls and evade detection.
“The individual tools we cover in this report are limited examples of the types of tools used by threat actors. You should not consider this an exhaustive list when planning your network defense.” states the report.
“Tools and techniques for exploiting networks and the data they hold are by no means the preserve of nation states or criminals on the dark web. Today, malicious tools with a variety of functions are widely and freely available for use by everyone from skilled penetration testers, hostile state actors and organized criminals, to amateur cyber criminals.
The tools in this Activity Alert have been used to compromise information across a wide range of critical sectors, including health, finance, government, and defense. Their widespread availability presents a challenge for network defense and threat-actor attribution.”
(Security Affairs – Five Eyes, hacking)