In a presentation at AVAR 2018, ESET’s Tomáš Gardoň and Filip Kafka uncovered their research of a previously undocumented espionage toolkit, used in targeted attacks against the Malaysian government in mid-2018.
What made the attacks unusual, according to the researchers, was that they relied on malware almost entirely made up of leaked source code of well-known malware, and publicly available tools.
We sat down with Tomáš and Filip and asked them a few questions about this ‘mash-up’ toolkit, as they referred to it in their presentation, and the attacks utilizing it.
How did you first learn about the attacks?
Tomáš: Back in June 2018, we started looking into a piece of malware detected by our systems. We saw elements of several well-known malicious tools in its code, which intrigued us.
Filip: Once we started digging into the incident, we were surprised to find out that this malware was detected and blocked on systems belonging to the Malaysian government.
What are these well-known malicious tools you mentioned?
Tomáš: Well, for a start, the infamous remote access tools Gh0st RAT and NetBot Attacker were used as main backdoors. Both were developed a long time ago – sometime in 2008 – and gained notoriety for being used in high-profile attacks around that time. Later on, the source code of both Gh0st RAT and NetBot Attacker leaked online.
Filip: Besides this, we found parts of Hacking Team’s infamous surveillance tool, RCS, in this malware’s code. Just like the tools Tomáš described, Hacking Team also lost their source code to a leak.
Is it common for malware authors to reuse such freely available code?
Filip: Yes and no. For less skilled attackers, or in more banal attacks, such code reuse is a common practice. But highly targeted espionage against a governmental target? That almost always involves custom-made malicious tools.
Tomáš: We could say that these attackers wanted to achieve a lot but were willing to do only very little. Even some of the customizations they added to the reused tools – probably in an attempt to fly under the radar – were “borrowed” from Hacking Team’s code.
Filip: But to be fair, we did find one component we weren’t able to match to any known tools – a standalone file stealer.
What was the resulting functionality of this ‘mash-up’?
Tomáš: Altogether, the toolkit works as a backdoor. In case of successful compromise, the attackers can exfiltrate files from or upload files to the compromised computer, as well as modify and delete files.
They can also monitor and simulate mouse and keyboard activity, collect information from the system, execute or kill processes, shut down or restart the system…
Let’s get back to the attacks. You say that the malware was blocked – does this mean the adversaries were unsuccessful?
Tomáš: Not exactly. It seems that they managed to infiltrate some systems before crossing paths with ESET’s protection – based on what we’ve seen, the attack attempts were coming from computers in the target’s network.
Filip: We think it went like this: the attackers somehow compromised the first computer or server in the network – one that wasn’t protected by ESET. From there, the malware spread through the network, and was blocked on ESET-protected endpoints. That was how we first found out about it.
Are you aware of any further developments?
Tomáš: Actually, yes. We observed the attackers make several changes to the unsuccessful evasion techniques employed by their malware. And when I say “observed”, it means we kept detecting the attempts.
Filip: Even if unsuccessful, these repeated detection evasion efforts show that the attack wasn’t just a random incident, but organized espionage against the Malaysian government.
What advice would you give to organizations to protect against such attacks?
Filip: Every attack is specific, so we can only keep the recommendations general. I’d say deploying a reputable multi-layered security solution across all computers in the organization is a must. Besides that, keeping systems up to date, having a strong password policy and software restriction policy in place, as well as disabling RDP, or adding two-factor authentication for access, are all very important.
Tomáš: High-value targets, such as governments and large corporations, should also consider regular pen-tests. And finally, providing regular cybersecurity training for employees can go a long way in preventing malicious actors from succeeding.