Hackers are reusing free online tools as part of their cyberespionage campaigns

An unknown cyberespionage group is targeting organisations across the globe.
A new form of cyberattack has set its sights on high-profile targets across the globe, enabling its perpetrators to conduct espionage and steal data by using readily available software tools, thus removing the need to deploy advanced malware.
Cyberattackers have been discovered repurposing freeware tools in order to steal information, using techniques including keylogging, file stealing, and password and cookie theft. So far their efforts have focused on government agencies.
Dubbed ‘Netrepser’ by researchers at security company Bitdefender, the name comes from a shortened version of ‘internet repair’ commands in the command and control URLs: ‘NetRep’ is combined with the name used by the Javascript component to schedule tasks, with ‘Core Service’ shortened to ‘Ser’.
The attackers are using legitimate recovery tools, and researchers believe at least 500 computers in target organisations across the globe have been compromised in this way. Researchers say hackers are using these tools because they are inexpensive, readily available, and already tested and proven to work. Additionally, they lack the distinctive elements that would allow forensic examiners to trace the origin of the threat.
“These tools don’t have artifacts or other distinctive elements that would help forensic examiners trace it back to a threat actor,” said Bogdan Botezatu, senior e-threat analyst at Bitdefender.
Like many other forms of cyberattack, Netrepser infiltrates targets with phishing emails containing a malicious attachment.
The fake message references discussions ‘some time ago’ and invites the target to open an attachment named, ‘Russia Partners Drafting guidelines (for directors’ discussion).doc’. The payload will only be dropped if the user enables macros, and the attachment contains step-by-step instructions on how to do so.
While the payload is ultimately detected by antivirus solutions, the significance of the attack is downplayed, with the software labelled as potentially unwanted rather than as a form of malware, meaning that many will ignore warnings and allow Netrepser to perform its malicious deeds.
Because these tools are considered to be ‘potentially unwanted applications’, rather than malware, they are unlikely to ring alarm bells. “A system administrator seeing an alert from the antivirus about a PUA tool will have little to nothing to worry about,” said Botezatu.
Once active on the system, Netrepser drops its Javascript payload, which recruits the compromised computer into a botnet network that connects to a command and control server. The attackers then use that server to distribute instructions for a variety of malicious ends, including file exfiltration and keylogging.
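As an added illustration (not from the article or from Bitdefender's analysis), the following triage script correlates the behaviours described above per host: a PUA verdict that was allowed rather than blocked, a scheduled task named 'Core Service' that launches a script host, and an outbound request whose URL contains 'NetRep'. The log format, hostnames and the example-c2.invalid domain are constructed assumptions; the point is that alerts an administrator would ignore individually become actionable once correlated.

```python
import re
from typing import Dict, List

# Constructed sample log lines (assumption: not real telemetry). Fields are
# "timestamp source message". The task name "Core Service" and the "NetRep"
# URL fragment come from the article; everything else is made up.
SAMPLE_LOGS = [
    "2017-05-10T09:01:12 av host=ws12 verdict=PUA tool=RecoveryUtil action=allowed",
    "2017-05-10T09:01:15 task host=ws12 event=create name='Core Service' cmd='wscript.exe C:\\Users\\u\\AppData\\core.js'",
    "2017-05-10T09:02:03 proxy host=ws12 url=http://example-c2.invalid/NetRep/ping status=200",
    "2017-05-10T09:05:44 task host=ws07 event=create name='Backup Sync' cmd='robocopy.exe D:\\data E:\\backup'",
    "2017-05-10T09:06:10 proxy host=ws07 url=http://intranet.example/news status=200",
]

TASK_RE = re.compile(r"host=(\S+) event=create name='([^']+)' cmd='([^']+)'")
PROXY_RE = re.compile(r"host=(\S+) url=(\S+)")
AV_RE = re.compile(r"host=(\S+) verdict=PUA .*action=allowed")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")  # hosts for a dropped .js payload


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Return, per host, the Netrepser-style indicators found in the log lines."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        kind = line.split()[1]  # "av", "task" or "proxy" in the constructed format
        if kind == "task" and (m := TASK_RE.search(line)):
            host, name, cmd = m.groups()
            # Either the task name reported in the article or any script host.
            if name == "Core Service" or cmd.lower().startswith(SCRIPT_HOSTS):
                findings.setdefault(host, []).append(f"scheduled task '{name}' runs a script host")
        elif kind == "proxy" and (m := PROXY_RE.search(line)):
            host, url = m.groups()
            if "netrep" in url.lower():  # C2 URL fragment named in the article
                findings.setdefault(host, []).append(f"C2-style URL {url}")
        elif kind == "av" and (m := AV_RE.search(line)):
            # A PUA verdict that was allowed is exactly the case the article warns about.
            findings.setdefault(m.group(1), []).append("PUA verdict was allowed, not blocked")
    return findings


def hosts_to_escalate(lines: List[str], min_indicators: int = 2) -> List[str]:
    """Hosts showing at least min_indicators correlated indicators."""
    return sorted(h for h, f in triage(lines).items() if len(f) >= min_indicators)


if __name__ == "__main__":
    for host, hits in triage(SAMPLE_LOGS).items():
        print(host, "->", "; ".join(hits))
    print("escalate:", hosts_to_escalate(SAMPLE_LOGS))
```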
The keylogger allows the attackers to monitor login credentials and passwords, providing them with access to the systems and accounts the user logs into from the infected machine.
Not only does this allow the attackers to stealthily monitor everything done on the machine, it also provides them with the credentials required to log in themselves and make off with confidential or sensitive information.
“Even though the Netrepser malware uses free tools and utilities to carry various jobs to completion, the technical complexity of the attack, as well as the targets attacked, suggest that Netrepser is more than a commercial-grade tool,” Bitdefender said.
Analysis of the keylogger by cybersecurity researchers suggests some of the stolen logs are sent to four email addresses: one gmail account and three from a Russian domain.
While researchers haven’t yet managed to officially attribute who is carrying out these attacks, nor where they’re coming from, the fact the initial attack email is sent from a .ru address might be a clue as to the geolocation of the actors behind Netrepser.