
Threat Actors Modified Open-Source Tool to Target Organizations

Cybersecurity researchers have unearthed an interesting ransomware campaign in which the malicious actors employed custom tools commonly used by APT (Advanced Persistent Threat) groups.

Earlier this week, Security Joes' researchers published a report describing the modus operandi of attackers who targeted one of its clients in the gambling industry. During the attack, the ransomware operators used customized open-source tools.

The operational strategies, victim-targeting methodology, and malware customization capabilities point to a potential link between APT and ransomware operators, the Security Joes report explained. However, no concrete evidence of such a link has been uncovered so far.

The attackers employed a modified version of Ligolo, a reverse tunneling utility for pentesters available on GitHub, and a custom tool to dump credentials from LSASS. According to the Security Joes team, the campaign showed that the threat actors were well trained and knowledgeable in ransomware operations. Stolen SSLVPN credentials belonging to one employee gave the attackers their initial access to the victim's systems, followed by admin scans and RDP brute-force, and then credential harvesting.

At the final stage of the campaign, the threat actors set up proxy tunneling for a secure connection and installed the well-known Cobalt Strike. Security Joes' team believes the attackers would have launched ransomware as the next step, since the methods observed match those of typical ransomware gang operations. However, the attack never reached that stage, so this cannot be stated with certainty.

The attackers employed multiple off-the-shelf open-source tools used by numerous adversaries, such as Mimikatz, SoftPerfect, and Cobalt Strike. One notable difference was the installation of "Sockbot", a Go-written utility based on the Ligolo open-source reverse tunneling tool. The attackers modified Ligolo with meaningful additions that removed the need for command-line parameters and added several execution checks to prevent multiple instances from running at the same time.

Additionally, the attackers added to their arsenal a custom tool, "lsassDumper", also written in Go, which was used to automatically dump credential data from the LSASS process. According to the researchers, this was the first time lsassDumper had been observed in a real attack.

"Comparing the new variant (Sockbot) to the original source code available online, the threat actors added several execution checks to avoid multiple instances running at the same time, defined the value of the Local Relay as a hard-coded string to avoid the need of passing command line parameters when executing the attack and set the persistence via a scheduled task," researchers concluded.
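The three stages described above (RDP brute-force, LSASS credential dumping, and scheduled-task persistence) as a small detection pass over simplified log records. This is an added example written for this post, not code from Security Joes or from the Ligolo project; the record field names, file paths, task names and IP addresses are constructed for the example, and the allow-lists are placeholders that a real deployment would baseline per environment.

```python
"""Detection pass over constructed Windows Security/Sysmon-style records for
RDP brute-force, unexpected LSASS access, and scheduled-task persistence."""
from collections import defaultdict

RDP_LOGON_TYPE = 10                # logon type 10 = RemoteInteractive (RDP)
BRUTE_THRESHOLD, WINDOW = 5, 60    # failed logons per source within WINDOW seconds
# Processes expected to open lsass.exe; placeholder allow-list, baseline it per estate.
TRUSTED_LSASS_READERS = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}
TRUSTED_TASK_DIRS = ("c:\\windows\\", "c:\\program files\\")

# Constructed sample telemetry (field names, paths and IPs are this example's own).
SAMPLE_EVENTS = (
    [{"id": 4625, "src_ip": "10.0.0.5", "logon_type": 10, "ts": 100 + i} for i in range(6)]
    + [{"id": 4625, "src_ip": "10.0.0.9", "logon_type": 10, "ts": 100 + 30 * i} for i in range(6)]
    + [{"id": 10, "source_image": r"C:\Windows\System32\csrss.exe",
        "target_image": r"C:\Windows\System32\lsass.exe", "ts": 200},
       {"id": 10, "source_image": r"C:\Users\Public\lsassDumper.exe",
        "target_image": r"C:\Windows\System32\lsass.exe", "ts": 300},
       {"id": 4698, "task_name": r"\Updater", "command": r"C:\ProgramData\sockbot.exe", "ts": 400},
       {"id": 4698, "task_name": r"\Microsoft\Windows\Defrag", "command": r"C:\Windows\System32\defrag.exe", "ts": 401}]
)

def detect_rdp_bruteforce(events, threshold=BRUTE_THRESHOLD, window=WINDOW):
    """Source IPs with >= threshold failed RDP logons (4625, type 10) inside a sliding window."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e.get("logon_type") == RDP_LOGON_TYPE:
            by_src[e["src_ip"]].append(e["ts"])
    hits = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop events that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                hits.add(src)
                break
    return hits

def detect_lsass_access(events):
    """Sysmon EventID 10: processes that opened lsass.exe and are not on the allow-list."""
    return [e["source_image"] for e in events
            if e["id"] == 10 and e["target_image"].lower().endswith(r"\lsass.exe")
            and e["source_image"].lower() not in TRUSTED_LSASS_READERS]

def detect_task_persistence(events):
    """EventID 4698: new scheduled tasks whose action runs from outside trusted directories."""
    return [e["task_name"] for e in events
            if e["id"] == 4698 and not e["command"].lower().startswith(TRUSTED_TASK_DIRS)]
```

The second source IP spreads its six failures over 150 seconds, so it stays below the threshold in any 60-second window; tune the threshold and window to your own RDP baseline.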