Mega nz downloader rat

These tools were intended for use in security research and other authorized purposes. However, cybercriminals have found a way to exploit them for ransomware campaigns. What are some of these tools and how exactly are they weaponized?

As ransomware operators continue to equip themselves with more weapons in their arsenal, the stakes are getting even higher for targeted organizations, which can suffer grave consequences from these attacks. Organizations that are affected by ransomware attacks typically incur financial damages worth millions, alongside experiencing inaccessibility and even exposure of sensitive data. Most of the recent ransomware campaigns have adopted double extortion techniques, where threat actors both encrypt a company's files and leak their data to the public. As for its evolution, we foresaw in our security predictions that ransomware in 2021 will become an even more sinister threat as it becomes more targeted and new families (such as Egregor) emerge. This year, cybercriminals will also continue to abuse legitimate tools to facilitate ransomware attacks. On their own, these tools are not inherently malicious. Rather, they are intended to help security research or enhance the efficiency of programs. However, like many other technologies, cybercriminals have found a way to exploit them. Eventually, these tools became a typical component of ransomware campaigns and, at times, even of other cyberattacks. The UK's National Cyber Security Centre (NCSC) has published a list of such tools in a report.

There are several reasons that the use of legitimate tools for ransomware campaigns is such an attractive option for cybercriminals. For one, since these tools are not malicious per se, they might evade detection. It also does not hurt that most of these tools are open-source and therefore can be accessed and used by the public for free. Finally, the usefulness of the tools' features - the same ones that security researchers benefit from - makes them advantageous for cybercriminals, thereby turning these platforms into unintended, double-edged swords.

In this entry, we discuss some of the most commonly abused legitimate tools: Cobalt Strike, PsExec, Mimikatz, Process Hacker, AdFind, and MegaSync. Some of the tools listed in the following figure also share their purpose with other platforms. For example, Process Hacker, PC Hunter, GMER, and Revo Uninstaller can all be exploited to terminate antimalware solutions. Likewise, both Mimikatz and LaZagne can be used for credential dumping.

Figure 1. Examples of ransomware campaigns that abuse legitimate tools for various attack stages (the table's tool-name column did not survive extraction; the cells that did are listed below)
- Arbitrary command shell execution, lateral movement
- Has many other capabilities as a remote access trojan (RAT)
- Proof-of-concept code for demonstrating vulnerabilities
- Monitoring system resources, debug software, and detect malware
- AD discovery (can be a prerequisite for lateral movement)
- Process/service discovery and termination (including antimalware solutions)
- Ransomware families: DoppelPaymer, Nefilim, NetWalker, Maze, Petya, ProLock, Ryuk, Sodinokibi
- Ransomware families: Clop, Conti, DoppelPaymer, Egregor, Hello (WickrMe), Nefilim, NetWalker, ProLock, RansomExx, Ryuk
- Ransomware families: DoppelPaymer, Nefilim, NetWalker, Maze, ProLock, RansomExx, Sodinokibi

Notably, some campaigns use several tools at the same time, rather than just a single tool at a time, since one tool can enable the other. For example, Mimikatz, which can be abused to steal credentials, can grant access to PsExec functions that require admin privileges. One of the campaigns that employed several tools at the same time is Nefilim, which used AdFind, Cobalt Strike, Mimikatz, Process Hacker, PsExec, and MegaSync, among other tools.

Figure 2. How weaponized legitimate tools are used in a ransomware campaign

In the next sections, we elaborate further on the uses of these tools as well as how they are used in ransomware campaigns. The presence of weaponized legitimate tools must be detected so that security teams can stop a ransomware campaign dead in its tracks. However, this is easier said than done, as these tools might evade detection in several ways. One is through features that can be used to implement evasion techniques, as in the case of Cobalt Strike. Additionally, when spotted from a single entry point (for example, when looking at the endpoint alone), the detections might seem benign by themselves, even when they should raise the alarm - that is, if they were viewed from a broader perspective and with greater context with regard to other layers such as emails, servers, and cloud workloads. Cybercriminals can also alter the code of these tools to tweak parts that trigger antimalware solutions.
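The two detection points above (one tool seen in isolation looks benign, while several of the article's tools appearing together on one host within a short time is the signature of a campaign such as Nefilim) can be turned into a simple correlation rule. The following script is an added example written for this page, not Trend Micro's code or tooling: it ingests constructed process-creation events, maps executable names to the tools the article names, and scores each host by how many distinct tools and attack stages appear inside a sliding one-hour window. The stage labels, the MegaSync "exfiltration" stage, the host names, paths and timestamps are all assumptions of this example.

```python
"""Correlate dual-use tool executions per host inside a sliding time window.

Added example for this page; the tool list comes from the article, while the
stage labels, file names and sample events are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Executable name (lower-case) -> (tool, attack stage).
# Tools and their abuses are taken from the article; the stage labels are this
# example's simplification and MegaSync's "exfiltration" stage is an assumption.
TOOL_CATALOGUE = {
    "mimikatz.exe": ("Mimikatz", "credential-dumping"),
    "psexec.exe": ("PsExec", "lateral-movement"),
    "adfind.exe": ("AdFind", "ad-discovery"),
    "processhacker.exe": ("Process Hacker", "defence-termination"),
    "megasync.exe": ("MegaSync", "exfiltration"),
}

SEVERITY_ORDER = {"critical": 0, "high": 1, "low": 2}


@dataclass(frozen=True)
class Alert:
    host: str
    start: datetime
    end: datetime
    tools: tuple
    stages: tuple
    severity: str


def classify(image_path):
    """Map a process image path to (tool, stage), or None if not catalogued.

    Name matching alone is weak: the article notes that attackers alter the
    tools' code, so a production rule would also match on hashes or signatures.
    """
    name = image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return TOOL_CATALOGUE.get(name)


def severity_for(stages):
    """One tool alone is routinely legitimate admin activity; several distinct
    attack stages on one host within the window is the campaign signature."""
    if len(stages) >= 3:
        return "critical"
    if len(stages) == 2:
        return "high"
    return "low"


def correlate(events, window=timedelta(hours=1)):
    """Return one Alert per host that ran a catalogued tool, describing the
    densest window (most distinct stages, then most distinct tools) found."""
    per_host = {}
    for ev in events:
        hit = classify(ev["image"])
        if hit:
            per_host.setdefault(ev["host"], []).append((ev["ts"], hit))

    alerts = []
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        best_key, best_alert = None, None
        for i, (start, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            tools = tuple(sorted({tool for _, (tool, _) in in_window}))
            stages = tuple(sorted({stage for _, (_, stage) in in_window}))
            key = (len(stages), len(tools))
            if best_key is None or key > best_key:
                best_key = key
                best_alert = Alert(host, start, in_window[-1][0], tools,
                                   stages, severity_for(stages))
        alerts.append(best_alert)
    return sorted(alerts, key=lambda a: (SEVERITY_ORDER[a.severity], a.host))


def _t(stamp):
    return datetime.fromisoformat(stamp)


# Constructed sample telemetry: one admin workstation running PsExec on its
# own, one ordinary user workstation, and one server showing the multi-tool
# pattern the article attributes to campaigns such as Nefilim.
SAMPLE_EVENTS = [
    {"host": "WS-01", "ts": _t("2021-03-02T08:10:00"), "image": "C:\\Tools\\PsExec.exe"},
    {"host": "WS-07", "ts": _t("2021-03-02T08:12:00"), "image": "C:\\Windows\\explorer.exe"},
    {"host": "SRV-FILE-02", "ts": _t("2021-03-02T09:02:00"), "image": "C:\\Users\\Public\\adfind.exe"},
    {"host": "SRV-FILE-02", "ts": _t("2021-03-02T09:15:00"), "image": "C:\\Users\\Public\\mimikatz.exe"},
    {"host": "SRV-FILE-02", "ts": _t("2021-03-02T09:31:00"), "image": "C:\\Users\\Public\\PsExec.exe"},
    {"host": "SRV-FILE-02", "ts": _t("2021-03-02T09:55:00"), "image": "C:\\Program Files\\MEGAsync\\MEGAsync.exe"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"{alert.severity:8} {alert.host:12} {alert.start:%H:%M}-{alert.end:%H:%M} "
              f"tools={', '.join(alert.tools)} stages={', '.join(alert.stages)}")
```

Run as a script, it reports SRV-FILE-02 as critical (four tools covering four stages in 53 minutes) and WS-01 as low (PsExec alone), while WS-07 produces nothing. The same events fed to a per-endpoint, per-process rule would have produced four separate low-confidence hits on SRV-FILE-02, which is the "single entry point" problem the article describes; widening the window to cover e-mail, server and cloud telemetry is the natural next step of the same design.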