Hackers Adopt APT-Like Capabilities

Cyberweapon-Grade Hacking Tools Pose Danger for Financial Sector

Cyberthieves traditionally on the lower rung of hacking abilities now have access to nation-state-class malicious software, warn close observers of the criminal dark web.

The appearance on criminal forums of tools capable of infecting a computer’s boot firmware, or of malware that evades antivirus detection, is a consequence of years of state-sponsored development of cyber weapons. Cybercriminals have learned from advanced persistent threat (APT) groups and from publicly leaked details of espionage tools, and they are adapting those methods into toolkits aimed at victims in the financial sector.

Criminals who prefer stealing money over swiping secrets may not even need to understand the internals of an advanced cyberweapon since crimeware programmers are willing to do it for them. Coders behind crimeware applications — the class of malware focused mainly on stealing money — have grown in sophistication and offer users ready-made tools. Darknet forums are filled with self-taught hackers selling these advanced capabilities.

One such tool is BlackLotus, a firmware rootkit (bootkit) used to establish persistence by attacking the Unified Extensible Firmware Interface. UEFI is the firmware layer that initializes the hardware and hands control to the operating system’s boot loader. Code that runs there executes before the operating system and before any antivirus or endpoint agent has started, so those products cannot observe it. Rootkits at that level are rare and hard to detect. BlackLotus was for sale for $5,000 on underground forums earlier this month.
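A baseline check a responder can run against a host’s boot configuration, added here as an example and not code from the article, from ITPAC or from any published BlackLotus analysis: it parses the output of efibootmgr -v on a Linux host and flags boot entries whose loader path on the EFI System Partition differs from a baseline recorded when the machine was built, plus a boot order that puts such an entry first. The sample output, the baseline and the function names are constructed for the example. It detects drift from a known-good configuration, not BlackLotus as such, and code that already controls the firmware can lie to the operating system about what is on disk, so treat a clean result as weak evidence and a flagged result as a reason to image the ESP and check firmware measurements.

```python
import re
import sys
from dataclasses import dataclass

# Constructed sample of `efibootmgr -v` output (not captured from a real host).
# Boot0002 reuses the Windows label but points at a loader under \EFI\Boot,
# and BootOrder puts it first.
SAMPLE_EFIBOOTMGR = """BootCurrent: 0001
Timeout: 1 seconds
BootOrder: 0002,0001,0000
Boot0000* Windows Boot Manager\tHD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x100000)/File(\\EFI\\Microsoft\\Boot\\bootmgfw.efi)
Boot0001* ubuntu\tHD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x100000)/File(\\EFI\\ubuntu\\shimx64.efi)
Boot0002* Windows Boot Manager\tHD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x100000)/File(\\EFI\\Boot\\grubx64.efi)
"""

# Assumed baseline: boot entry label -> loader paths recorded when the host
# was built. Loader paths are compared case-insensitively, so keep them lowercase.
BASELINE = {
    "Windows Boot Manager": {"\\efi\\microsoft\\boot\\bootmgfw.efi"},
    "ubuntu": {"\\efi\\ubuntu\\shimx64.efi"},
}

# efibootmgr -v prints "BootNNNN* <label>\t<device path>"; the "*" marks an active entry.
ENTRY_RE = re.compile(r"^Boot([0-9A-Fa-f]{4})(\*?)\s+(.*?)\t(.*)$")
# The loader is the File(...) node of the device path.
LOADER_RE = re.compile(r"File\(([^)]*)\)")


@dataclass(frozen=True)
class BootEntry:
    number: str
    active: bool
    label: str
    loader: str  # lowercase loader path on the ESP, "" if the entry has none


def parse_boot_entries(text):
    """Map boot entry number (e.g. '0000') to the parsed BootEntry."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        num, star, label, devpath = m.groups()
        loader = LOADER_RE.search(devpath)
        entries[num.upper()] = BootEntry(
            num.upper(), star == "*", label.strip(),
            loader.group(1).lower() if loader else "",
        )
    return entries


def parse_boot_order(text):
    """Return the BootOrder entry numbers in the order the firmware tries them."""
    for line in text.splitlines():
        if line.startswith("BootOrder:"):
            return [n.strip().upper() for n in line.split(":", 1)[1].split(",") if n.strip()]
    return []


def audit_boot_config(text, baseline):
    """Return human-readable findings for entries that deviate from the baseline."""
    entries = parse_boot_entries(text)
    order = parse_boot_order(text)
    findings, flagged = [], set()
    for num, e in sorted(entries.items()):
        allowed = baseline.get(e.label)
        if allowed is None:
            findings.append(f"Boot{num}: label {e.label!r} is not in the baseline (loader {e.loader})")
            flagged.add(num)
        elif e.loader not in allowed:
            findings.append(f"Boot{num}: label {e.label!r} points at unexpected loader {e.loader}")
            flagged.add(num)
    # A rogue entry is only reached if the firmware tries it; first in BootOrder is the worst case.
    if order and order[0] in flagged:
        findings.append(f"BootOrder: firmware will try flagged entry Boot{order[0]} first")
    return findings


if __name__ == "__main__":
    # With no piped input, audit the constructed sample; otherwise audit real efibootmgr output.
    text = SAMPLE_EFIBOOTMGR if sys.stdin.isatty() else sys.stdin.read()
    for line in audit_boot_config(text, BASELINE) or ["no deviations from baseline"]:
        print(line)
```

On a live host, replace BASELINE with the labels and loader paths recorded for that machine and pipe the real output in (efibootmgr -v | python3 audit_boot.py). Labels alone are not trustworthy, which is why the check keys on the loader path as well; the sample shows an entry that copies the Windows label and still gets flagged.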

According to Christopher Budd, senior manager of threat research at Sophos, this is not a surprise. “We are seeing evasion techniques being adopted and used in crimeware,” Budd says. “This is an expected development. Advanced actors develop new techniques, and over time, they trickle down to be incorporated by crime-focused threat actors.”

Another reason for the jump in sophistication is that legitimate penetration-testing tools are being repurposed by attackers. A common example is Cobalt Strike, the red-teaming tool used by threat actors ranging from Russian state-sponsored hackers to ransomware groups.

A more recent example is Brute Ratel, a post-exploitation toolkit good at evading endpoint detection and response and antivirus tools. It was developed by a former Mandiant and CrowdStrike pen tester. A cracked version is circulating online, and paid versions have been sold in the criminal underground for up to $3,000.

“This particular tool can be considered a cyberweapon as it can penetrate networks of any large organizations,” he added.

There has been a huge increase in the last year in the use of legitimate tools to attack financial institutions. Cobalt Strike is everywhere. Brute Ratel is everywhere.

If you have questions about the evolving cyber-threat landscape and how to protect your institution, call ITPAC today.