The hacking tools mentioned in the US-CERT Report may not be unfamiliar to the security researchers and penetration testers, but the value for the enterprise security defense workers is self-evident. Research is designed to make companies aware of the threats they face and to better prepare for defensive measures.
The US government’s network security agency NCCIC, in conjunction with Australia, New Zealand, Canada and the UK, has teamed up to investigate a number of hacking tools commonly used for cyber attacks, and published a report on their official website to explain in detail the five commonly used tools. Function, intrusion techniques and prevention methods, I hope the public can take precautions.
The five tools are as follows:
- 1. Remote access Trojan: JBiFrost
- 2. Web shell: China Chopper
- 3. Credential stealing tool: Mimikatz
- 4. Horizontal Move Tool: PowerShell Empire
- 5. Command and Control Confusion and Penetration Tools: HUC Data Packetizer
1. JBiFrost
JBiFrost is a variant of Adwind RAT and its roots can be traced back to the 2012 Frutas RAT. This is a Java-based, cross-platform, versatile tool that can pose threats to multiple systems such as Windows, Linux, MAC OS X and Android. The JBiFrost RAT is typically used by cyber criminals and low-skilled threat participants, but its functionality can be easily adapted to state-sponsored threat participants, providing victims with malicious RATs for further access to remote access, or stealing valuable Information such as bank vouchers, intellectual property or PII.
More References –
- JBifrost: Yet Another Incarnation of the Adwind RAT (Fortinet Report)
- Adwind RAT Rebrands Yet Again, This Time as JBifrost (Softpedia Report)
- Beware JBifrost RAT – the New Face of Adwind (Sensors Tech Forum Report)
2. China Chopper
China Chopper is an open web shell tool that has been widely used since 2012. The Five-Eye Alliance found that threat participants have begun using China Chopper to remotely access compromised Web servers, providing file and directory management, and accessing virtual terminals on infected devices. Because China Chopper is only 4 KB in size and has an easy-to-modify payload, it is difficult for network defenders to detect and mitigate.
More References –
- Breaking Down the China Chopper Web Shell – Part I (Fireeye Report)
- Chopping packets: Decoding China Chopper Web shell traffic over SSL (Crowdstrike Report)
- China Chopper Webshell – the 4KB that Owns your Web Server
3. Mimikatz
Developed in 2007, Mimikatz is primarily used by attackers to collect credentials from other users who log in to the target Windows computer. It does this by accessing in-memory credentials in a Windows process called Local Security Authority Subsystem Service (LSASS). Although it was not originally a hacking tool, in recent years, Mimikatz has been used by many attackers for malicious purposes, which can seriously damage the misconfigured network security.
More References –
- How Attackers are stealing your credentials with Mimikatz (Stealthbits Report)
- Grabbing Passwords from Memory using Procdump and Mimikatz
- Detecting Mimikatz Use On Your Network (SANS Report)
- Using PowerShell to Bypass Antivirus: Mimikatz and “Mimidogz” (Barkly Report)
4. PowerShell Empire
PowerShell Empire is an example of a post-development or landscape-moving tool. It is designed to allow an attacker (or penetration tester) to move around the network after getting initial access. PowerShell Empire can also be used to generate malicious documents and executables to access the network using social engineering. The PowerShell Empire is gaining popularity among hostile state actors and organized criminals. In recent years, we have seen it used worldwide for a variety of network events.
More References –
- Official Website of Powershellempire
- Getting Started with Post-Exploitation of Windows Hosts (Null-Byte Source)
- Removing Backdoors – Powershell Empire Edition
- Detecting powershell empire
5. HUC packet sender
The HUC Packet Transmitter (HTran) is a proxy tool that intercepts and redirects Transmission Control Protocol (TCP) connections from the local host to the remote host. Since 2009, the tool has been available for free on the Internet. The use of HTran is often observed in government and industry target attacks. HTran can inject itself into a running process and install a rootkit to hide network connections to the host operating system. Using these features, you can also create a Windows registry key to ensure that HTran maintains persistent access to the victim’s network.
More References –
These tools are often not malicious and can be used by testers for vulnerability discovery, but can also be used maliciously to invade the network, execute commands, and steal data. The British National Security Center (NCSC) said that the combined use of these tools has made it more difficult to detect.
According to NCSC, “Many tools are used in conjunction with other tools, making the network defense staff more challenging. It has been found that national hackers and criminals with different skill levels use these tools.”
NCSC says it’s just a few simple steps to defend against these attacks. Key resilience measures include multi-factor authentication, network partitioning, security monitoring, and patching. All of this is in line with NCSC’s core safety advice guidelines.
If you want to see the details of this report and the corresponding defenses, you can go to US-Cert to view.
You may also like:- How Paraphrase Tool Helps To Optimize Content
- Best 20 Kali Linux Tools for Hacking and Penetration Testing
- Top 25 Open Source Intelligence Tools
- Online Domain Authority (DA) Rank Checker Websites
- Top 50 Hacking and Penetration Testing Tools [Compiled List 2019]
- Top 10 Essential CTF Tools for Solving Reversing Challenges
- Windows and Linux Privilege Escalation Tools – Compiled List 2019
- Subdomain Enumeration Tools – 2019 Update
- Top 10 Most Popular Bruteforce Hacking Tools – 2019 Update
- Top 22 Tools for Solving Steganography Challenges
