04 June 19, 18:50
(This post was last modified: 04 June 19, 18:51 by silversurfer.)
Quote:Threat actors behind a highly-targeted series of cyber attacks spanning from January to April 2019 have been seen employing malicious tools built using freely available components to infect victims with malware designed to harvest credentials.
The campaign was named 'Frankenstein' by Cisco Talos, a name which "refers to the actors' ability to piece together several unrelated components — leveraged four different open-source techniques to build the tools used during the campaign."
The Frankenstein campaign operators used the following open source components to build their malicious tools:
• An article to detect when your sample is being run in a VM
• A GitHub project that leverages MSbuild to execute a PowerShell command
• A component of GitHub project called "Fruityc2" to build a stager
• A GitHub project called "PowerShell Empire" for their agents
As the researchers further discovered, the threat actors made it their mission to avoid detection, checking for running programs such as Process Explorer and if the infected machine was actually a virtual machine environment.
"The threat actors also took additional steps to only respond to GET requests that contained predefined fields, such as a non-existent user-agent string, a session cookie, and a particular directory on the domain. The threat actors also used different types of encryption in order to protect data in transit," says the Cisco Talos report.
SOURCE: https://www.bleepingcomputer.com/news/se...ree-tools/