John Leyden 07 October 2020 at 15:55 UTC
Malware cartographers offer their insights
ANALYSIS Security researchers have developed techniques to chart how malicious hackers make use of open source offensive security tools.
The research, presented by Paul Litvak of Israeli start-up Intezer at the VB2020 localhost conference last week, informs the long-running debate on whether the development and publication of offensive security tools is beneficial or harmful to security as a whole.
Critics argue that offensive security tools give miscreants an advantage over the security community. Those on the other side of the argument contend that offensive security tools help defenders to mitigate newly discovered techniques and probe their own defenses for flaws.
These tools are also said to have both instructional and educational value, particularly to new starters in the industry.
Up to now, little research has been presented to support either argument, and this has only served to inflame disputes on the topic that occasionally flare up on Twitter.
Ingredients in the witches’ brew of malware
Adversaries at every level of sophistication use offensive security tools, from ransomware groups to top government agencies.
Intezer examined how libraries that provide offensive security capabilities, or pieces of code lifted from larger framework-style tools (such as Mimikatz and Metasploit), are incorporated into malware.
Overall, 80 projects were checked for code reuse against a database of thousands of labeled threat actor samples drawn from multiple vendor reports published over the last few years. A further 29 script-based tools were added to the map using existing vendor reports.
The researchers developed templates or fingerprints based on elements of these tools and scripts before searching for matching patterns across a database of millions of malware samples.
The work shed light on elements of threat actor tradecraft, such as some groups’ favored open source projects for implementing code injection, privilege escalation, and lateral movement techniques.
Mapping miscreants
Intezer’s work allowed it to develop an interactive map that displays threat actors’ proclivity for open source offensive toolkits.
Intezer found the most commonly adopted projects were memory injection libraries and remote access trojan (RAT) tools.
The most popular memory injection tool was the ReflectiveDllInjection library, followed by the MemoryModule library. For RATs, Empire, Powersploit, and Quasar were the leading projects.
Attackers varied widely in their level of sophistication, with Litvak categorizing them into three groups.
Lurking at the bottom were threat groups who simply copied and pasted code with little understanding of how it worked. Such lazy coders routinely forget to remove incriminating strings or other artifacts.
A tier above these so-called ‘script kiddies’ were groups that built on the foundation provided by open source tools. Such groups understand the tools and their protocols and are capable of customizing them to suit their needs.
The third tier was made up of groups that integrated tools within their own code or made subtle use of frameworks.
For example, the so-called ‘Turla’ group has made use of Metasploit as an initial infection vector for the last two years. Litvak explained:
This allows them some anonymity because if the infection somehow fails… then they just pull out and all that’s left are the artifacts of Metasploit. But it is a generic tool [and] everybody can use it – so it really hurts attribution and allows Turla to exit the operation without letting the defenders know what hit them.
Intezer told The Daily Swig that the company has been able to identify a number of malware campaigns based on its mapping project.
For example, back in June it found many largely undetected samples of Lazarus tools by searching for users of the MemoryModule memory injection library.
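To make the fingerprint-and-match approach described above concrete, here is a toy code-reuse detector. It is an added example and not Intezer’s code or data: the “libraries”, the benign baseline and the “malware sample” are constructed byte blobs from a seeded RNG, the 8-byte window size (`GENE_LEN`), the `min_genes` threshold and the marker strings are assumptions chosen for illustration, and real engines work at function granularity rather than raw byte windows. It shows the two checks the article touches on: counting how many code “genes” a sample shares with each indexed open source library (after discarding genes that also occur in common runtime code, so shared boilerplate does not count as reuse), and scanning for the incriminating strings that copy-and-paste operators forget to strip.

```python
"""Toy code-reuse fingerprinting in the spirit of the Intezer study.

Added example, not Intezer's code or data. Every byte blob below is
constructed with a seeded RNG and merely stands in for a compiled library,
a runtime baseline, or a malware sample.
"""
import hashlib
import random
from collections import defaultdict

GENE_LEN = 8  # assumed window size in bytes; real tools work per function


def _blob(seed: int, size: int) -> bytes:
    """Deterministic pseudo-binary content (constructed, not real code)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


def genes(blob: bytes, n: int = GENE_LEN) -> set:
    """Hash every sliding window of n bytes; each hash is one 'gene'."""
    return {hashlib.sha256(blob[i:i + n]).hexdigest()[:16]
            for i in range(len(blob) - n + 1)}


def build_index(libraries: dict, baseline: bytes) -> dict:
    """Map gene -> set of library names.

    Genes that also appear in the benign baseline (think C runtime prologues)
    are dropped, otherwise every sample would 'reuse' every library.
    """
    common = genes(baseline)
    index = defaultdict(set)
    for name, blob in libraries.items():
        for g in genes(blob) - common:
            index[g].add(name)
    return index


def attribute_reuse(sample: bytes, index: dict, min_genes: int = 16) -> dict:
    """Count genes the sample shares with each indexed library.

    Libraries below min_genes are discarded: a handful of matching windows is
    noise, a long run of them is lifted code.
    """
    hits = defaultdict(int)
    for g in genes(sample):
        for lib in index.get(g, ()):
            hits[lib] += 1
    return {lib: n for lib, n in hits.items() if n >= min_genes}


def leftover_strings(sample: bytes, markers) -> list:
    """Find tell-tale strings a careless operator left in the binary."""
    return [m for m in markers if m.encode() in sample]


# Constructed corpus (assumption: none of this is real library or malware code)
CRT_BASELINE = _blob(1, 200)
LIBRARIES = {
    "injection_lib": _blob(2, 400),
    "rat_stager": _blob(3, 400),
}
# Sample = runtime prologue + 160 bytes lifted from injection_lib
#          + custom code + a 20-byte sliver of rat_stager + a leftover marker
SAMPLE = (CRT_BASELINE[:80]
          + LIBRARIES["injection_lib"][40:200]
          + _blob(4, 120)
          + LIBRARIES["rat_stager"][:20]
          + b"ReflectiveLoader\x00")
# Illustrative marker strings; the list is an assumption for this example
MARKERS = ["ReflectiveLoader", "MemoryLoadLibrary"]


def scan(sample: bytes = SAMPLE) -> dict:
    """Run both checks against the constructed sample."""
    index = build_index(LIBRARIES, CRT_BASELINE)
    return {
        "reuse": attribute_reuse(sample, index),
        "strings": leftover_strings(sample, MARKERS),
    }


if __name__ == "__main__":
    print(scan())  # {'reuse': {'injection_lib': 153}, 'strings': ['ReflectiveLoader']}
```

With the default threshold the 160 lifted bytes yield 153 matching windows and are reported, while the 20-byte sliver of `rat_stager` produces only 13 and is dropped; lowering `min_genes` surfaces it. The baseline subtraction is the step that matters in practice: without it, the shared runtime prologue at the start of the sample would register as reuse of every library compiled with the same toolchain.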