Hackers abandon malware in favor of rare pentest tools
In the last few months, cyber gangs have started to use the Havoc framework more often. This tool is used less often than similar ones, which makes it harder to detect with current information-security products. According to BI.ZONE, 12% of all cyberattacks are carried out with tools that were originally designed for penetration testing. Hackers have been adding pentest and red-team tooling to their arsenals since the second half of 2010, but recently criminals have been trying to replace popular tools with lesser-known ones.
Havoc, an open source post-exploitation framework, has grown in popularity over the past few months. It was originally designed to gain access to and control a system as part of a pentest.
Oleh Skulkin, Head of BI.ZONE Threat Intelligence, described several campaigns in which attackers used the less common Havoc framework to gain remote access to victims’ computers. Havoc is fundamentally no different from other frameworks; it is simply less popular, so security tools are less likely to detect it, and that is its key advantage for criminals. In all cases the most likely goal of the attacks was espionage, and such groups seek to remain undetected in a company’s infrastructure for as long as possible. To deliver the framework’s malicious payload, the attackers used phishing.
In one case, victims received emails with supposed medical documents. The attachment was an archive containing a .lnk file (a Windows shortcut). If the user opened this shortcut, a decoy document, an extract from a patient’s outpatient record, was downloaded to their computer, and a loader program was installed, which then deployed the Havoc framework agent. The attackers thus gained access to the compromised system and could remotely execute commands and exfiltrate data.
In another campaign, criminals sent phishing emails on behalf of a law enforcement agency. Recipients were told that they were allegedly suspected of committing a serious crime and were asked to provide documents, a list of which could be downloaded via a link in the body of the email. In fact, following the link installed the loader on the victim’s computer, as in the previous case, followed by the agent.
Phishing mailings remain one of the most popular ways for cybercriminals to gain initial access. The reasons are their low cost, wide reach and high effectiveness. To protect corporate mail from phishing mailings without delaying the delivery of legitimate mail, spam filtering services are used.
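As an added illustration of that filtering step (not code from BI.ZONE or from this article), here is a Python check a mail filter could run on archive attachments of the kind used in the first campaign: it flags shortcut (.lnk) entries by extension and by file header, including inside nested archives. The file names, extension list and sample archive are constructed for this example.

```python
import io
import zipfile

# Windows Shell Link (.lnk) header: HeaderSize 0x4C then the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its little-endian byte layout.
LNK_MAGIC = bytes.fromhex("4c000000 01140200 00000000 c0000000 00000046")
SUSPICIOUS_EXTENSIONS = (".lnk", ".exe", ".js", ".vbs", ".hta", ".scr")

def build_sample_zip(entries):
    """Build an in-memory zip from {name: bytes}; only used for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def inspect_attachment(data, depth=0, max_depth=3):
    """Return names of suspicious entries inside a zip attachment.
    Flags executable-like extensions (including double extensions such as
    report.pdf.lnk) and any entry whose bytes carry the .lnk header even
    under a harmless name; nested zips are descended up to max_depth."""
    findings = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings  # not an archive: nothing to look inside
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name, lower = info.filename, info.filename.lower()
            content = zf.read(info)
            if lower.endswith(SUSPICIOUS_EXTENSIONS) or content.startswith(LNK_MAGIC):
                findings.append(name)
            elif lower.endswith(".zip") and depth < max_depth:
                # prefix inner findings with the outer archive name
                findings.extend(f"{name}/{f}" for f in inspect_attachment(content, depth + 1, max_depth))
    return findings

def should_quarantine(data):
    """Mail-filter gate: hold the message if any suspicious entry was found."""
    return bool(inspect_attachment(data))

# Constructed sample resembling the attachment described above: a decoy-named
# shortcut, a shortcut renamed to .pdf, and an inner archive hiding another .lnk.
SAMPLE = build_sample_zip({
    "Outpatient_extract.pdf.lnk": LNK_MAGIC + b"\x00" * 56,
    "notes.txt": b"constructed sample, not real mail content",
    "report.pdf": LNK_MAGIC + b"\x00" * 56,
    "documents.zip": build_sample_zip({"list.lnk": LNK_MAGIC + b"\x00" * 56}),
})
```

A real filter would also cap nested archive size and count before extraction; this check is only the attachment-inspection logic.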