Five-eye CERTs issue joint alert on RATs, trojans and botnets

A week after Five-Eye nations blew the whistle on Russian intelligence over anti-doping agency hackers, the nations' cyber security teams have warned network admins about publicly available hacking tools used in current attacks. 

The report, which the Department of Homeland Security’s US-CERT calls “Publicly Available Tools Seen in Cyber Incidents Worldwide”, is a joint effort from the CERTs of Australia, Canada, New Zealand, the United Kingdom, and the United States. 

Covered tools include notable Remote Access Trojans (RATs), webshells, credential stealers, lateral movement frameworks, and command and control (C2) obfuscators. 

The report offers a high-level overview of specific attack tools, where and when each of them have been employed, and measures that admins can take to detect and limit attacks if they’re deployed against their networks. 

For network admins, the report could add context that helps them quickly parse multiple, evolving and sometimes confusing reports about malware outbreaks and hacks where it’s not clear whether the attacker is financially motivated, backed by a government, or somewhere between. It could also help admins deal with the different vendors referring to the same hacking group with different names.  

For example, the report draws attention to tools that have been used by cybercriminals, but which include capabilities that state-sponsored hackers would also find useful and have also adopted in attacks.  

A prime case is the Mimikatz credential stealer, which was a component of the NotPetya and BadRabbit ransomware attacks of 2017 that US and partner nations blamed on Kremlin-backed hackers. The tool was also used to hack Dutch SSL certificate authority, DigiNotar, in 2011, which was attributed to Iranian hackers.  

“Mimikatz was used in conjunction with other malicious tools—in the NotPetya and BadRabbit ransomware attacks in 2017 to extract administrator credentials held on thousands of computers. These credentials were used to facilitate lateral movement and enabled the ransomware to propagate throughout networks, encrypting the hard drives of numerous systems where these credentials were valid,” US-CERT notes in its report. 

Also highlighted in the report is PowerShell Empire, a lateral movement tool that shares similarities with legitimate penetration testing frameworks like Cobalt Strike and Metasploit. 

“PowerShell Empire has become increasingly popular among hostile state actors and organized criminals. In recent years we have seen it used in cyber incidents globally across a wide range of sectors,” the report notes. 

It notes that detection of malicious PowerShell activity “can be difficult due to the prevalence of legitimate PowerShell activity on hosts and the increased use of PowerShell in maintaining a corporate environment”.

The report also draws attention to a C2 Obfuscation and Exfiltration tool called “HUC Packet Transmitter”, and a RAT called RBiFrost, itself a variant of the Adwind RAT, whose origins trace back to the Frutas RAT from 2012. 

At present The Canadian Centre for Cyber Security, the UK National Cyber Security Centre, and US-CERT have published separate reports on the tools.