Crimeware Hackers Adopt APT-Like Capabilities

Cyberthieves traditionally on the lower rung of hacking abilities now have access to nation-state-class malicious software, warn close observers of the criminal dark web.

See Also: Live Panel Tomorrow | A Better Way to Approach Data Backup and Recovery

The appearance on criminal forums of tools capable of infecting a computer’s boot firmware or malware that evades antivirus detection is a consequence of years of state-sponsored development of cyber weapons, says Sergey Lozhkin, lead security researcher at Kaspersky Global Research and Analysis Team.

“Cybercriminals learned from APTs and exposed information to the public on espionage tools, and they are adopting these modus operandi to their toolkits to target victims in the financial sector,” said Lozhkin, referring to advanced persistent threats.

Users who prefer stealing money over swiping secrets may not even need to understand the internals of an advanced cyberweapon, since crimeware programmers are willing to do it for them, he told a handful of media outlets recently in Kasperksy’s London office. Coders behind crimeware applications – the class of malware focused mainly on stealing money – have grown in sophistication and offer users ready-made tools.

Lozhkin wouldn’t identify any particular active crimeware group but said darknet forums are filled with self-taught hackers selling these advanced capabilities for a good price.

“The darkest hour is now for the financial industry, especially for big and medium-sized corporations,” Lozhkin warned.

One such tool is BlackLotus, a firmware rootkit used to establish persistence by attacking the Unified Extensible Firmware Interface. UEFI is essentially a go-between linking computer hardware to the operating system. It operates at a level of logic below antivirus detection. Rootkits at that level are rare and hard to detect. BlackLotus was offered for sale for $5,000 on underground forums earlier this month, said Lozhkin, who tracks crimeware while posing as a potential customer.

Kaspersky isn’t the only threat intelligence firm spotting the trend. Christopher Budd, senior manager of threat research at Sophos, told Information Security Media Group this phenomenon was a long time coming,

“We are seeing evasion techniques being adopted and used in crimeware,” Budd says. “This is an expected development. Advanced actors develop new techniques and over time they trickle down to be incorporated by crime-focused threat actors.”

Lozhkin estimates that crimeware actors will soon be on par with APT groups in terms of capabilities and that they are likely to be more active in malware-as-a-service in underground forums.

Another reason for the jump in sophistication is that penetration testing tools are being taken over by the dark side. A common example of this is Cobalt Strike, the re- teaming tool used by threat actors ranging from Russian state-sponsored hackers to ransomware groups (see: Feds Warn Healthcare Over Cobalt Strike Infections).

A more recent example is Brute Ratel, a post-exploitation toolkit good at evading endpoint detection and response and antivirus tools. It was developed by a former Mandiant and CrowdStrike pen tester. A cracked version is circulating online, but Lozhkin said paid versions have been sold in the criminal underground for up to $3,000.

“This particular tool can be considered a cyberweapon as it can penetrate networks of any large organizations,” he added.

“I’ve seen a huge increase in the last year using legal tools to attack financial institutions,” Lozhkin said. “Cobalt Strike is everywhere. Brute Ratel is everywhere.”