Examples of Malware Used Against Australian Organisations

REMCOS

REMCOS is a Remote Access Trojan (RAT) sold on hacking forums and dark-web markets for around US$300. It provides the following capabilities:

  • Interface: Sleek user interface that makes it easy for unsophisticated threat actors to compromise and control machines remotely
  • Espionage: screen capture, clipboard capture, keylogging, webcam capture, and microphone capture
  • Operational Security: RC4 encryption, software packing, string obfuscation and event logging
  • Automation: ability to automate tasks, run commands, and download files

Mossé Security has been responding to many intrusions where the adversaries used REMCOS as first-stage malware before installing stealthier RATs on other systems.


COBALT STRIKE

Cobalt Strike is software for adversary simulations and red team operations created by Raphael Mudge.

Cobalt Strike provides a post-exploitation agent and covert channels to emulate a quiet, long-term embedded actor in a target's network. A new Cobalt Strike licence costs $3,500 per user for one year; renewals cost $2,500 per user, per year.

Cyber adversaries around the world purchase and use Cobalt Strike to commit cyber crimes, and it has been used in countless intrusions. One threat actor relies on it so heavily that the industry has labelled that actor the "Cobalt Gang".

Mossé Security has been responding to many intrusions against Australian organisations committed by adversaries that use Cobalt Strike.


BABAR

Babar is a well-documented surveillance malware almost certainly created by one or more French intelligence agencies.

Mossé Security did not identify this malware during incident response. Several samples were shared with us by a customer who did not specify where the samples originated. Some of the samples that we have are not available on VirusTotal or any other online malware-sharing service that we're aware of. We were asked to reverse engineer parts of the samples and offer our professional opinion on their capabilities.

We make no claim that the French intelligence agencies performed cyber operations against Australian organisations. It's not unusual for customers to approach us to reverse engineer malware samples that they are curious about for one reason or another. They are under no obligation to share their motivations with us.


MIMIKATZ

Mimikatz is an open-source post-exploitation tool for the Windows operating system created by Benjamin Delpy. It has been called the "AK47 of Cyber Attacks" and the "Swiss Army Knife of Windows Credentials Gathering".

Mimikatz is incredibly popular and is used by numerous advanced persistent threat (APT) actors to steal Windows credentials and move laterally from one Windows machine to another. Some of the features that Mimikatz offers include:

  • Extract plaintext passwords, hashes, PIN codes, scheduled tasks, and Kerberos Tickets
  • Pass-the-hash and pass-the-ticket
  • Build Kerberos golden tickets
  • Move laterally and execute commands on remote machines


SCREENCONNECT

ScreenConnect is remote-access software built by a legitimate US company to remotely access and manage Windows computers. Pricing for the software starts around US$19 per month.

Some cyber adversaries have used this tool as a backdoor into the networks of Australian organisations that they have compromised. Investigative journalist Brian Krebs also reported that ScreenConnect was used by the adversary that compromised Wipro's networks in 2019, a breach that we can confirm affected Australian customers.

The advantage for an adversary of using a legitimate remote-access product such as ScreenConnect instead of malware is that the software is unlikely to be flagged by enterprise anti-virus solutions, and even when it is detected, the alert is more likely to be dismissed as a false positive.


TEAMSPY

TeamSpy can refer both to a cyber-surveillance operation and to the malware that was used as part of it. The malware uses DLL side-loading to load malicious code into the legitimate TeamViewer software, hiding it from the Windows interface so that it is invisible to the user.

Once installed, TeamSpy allows the adversaries to observe the infected computers, install new tools on them and steal files.

Mossé Security has been responding to a large intrusion where TeamSpy had been installed on multiple employee laptops.


GH0ST RAT

Gh0st RAT is a cyber-espionage Trojan horse for the Windows platform. The "RAT" part of the name refers to the software's ability to operate as a "Remote Administration Tool".

This tool is used by multiple adversary groups.

Mossé Security has been responding to many intrusions where Gh0st RAT was used, and customers and partners have also shared with us samples that were captured in Australia.


NETWIRE

NETWIRE is a publicly available, multi-platform remote administration tool (RAT) that has been used by criminal and APT groups since at least 2012.

Some of the capabilities that NETWIRE has include:

  • Code Signing
  • Keylogging
  • Screen Capture
  • System information discovery
  • Code Injection


Other Examples: Emotet, Graftor, Poison Ivy, PlugX, BlackMoon, Perseus, Meterpreter, Loda, Nymeria, NanoCore, Lazagne, Gemini, Hupigon, Quasar, Themida, PowerShell Empire, Mirai, Poweliks, BlackHole, PowerSploit, EternalBlue, EternalDrug, Locky, GandCrab, AgentTesla, Torn, Derusbi, Nishang, TinyMet, Viper, Pasam, Royal DNS, Winnti, NetTraveler.

Act Now!

Cyber security is about taking action. Contact us now.

Frequently Asked Questions

Why do adversaries use penetration testing tools or off-the-shelf malware?

Off-the-shelf malware and penetration testing tools make excellent first-stage reverse shells: if those tools are detected, adversaries can easily replace them, and they do not risk revealing the operational secrets contained in their custom tools.

Furthermore, off-the-shelf malware is regularly updated with new obfuscation techniques developed by security researchers, which allow adversaries to defeat anti-virus software.

Custom tools are often deployed later in the attack, sometimes on machines with no direct Internet access.

Why do penetration testers and security researchers make malware freely available on the Internet or for purchase at a small fee?

Generally speaking, the cyber security industry tends to reward individuals who find vulnerabilities and publish new attack techniques with fame and riches. The fastest way to become famous in this industry is to conduct offensive security research. This partially explains why so many attack tools are produced by the industry and then made public for anyone to download.

Furthermore, many security researchers believe that governments and companies do not take cyber security as seriously as they should. Many of them have attempted to work "from the inside" to influence decision-makers into investing more in cyber security but have felt that their efforts did not achieve major outcomes. In contrast, they have learnt that when they release zero-days, write new malware and publicly shame companies and vendors for poor cyber security practices, it forces companies to upgrade their cyber security.

Whether publishing offensive security research is a good thing or not is heavily debated. Mossé Security's position is that there are enough offensive security researchers publishing attack tools that we do not need to participate in that space. Our mandate is to educate and to provide cyber defence tools that help organisations better protect themselves.

How is it possible for adversaries to continuously evade global anti-virus companies that spend millions of dollars on security research?

Anti-virus companies analyse hundreds of thousands of never-seen-before files every month, process billions of security events per day, and are expected by their customers to never miss a cyber attack and never generate any false-positive alerts.

Adversaries employ techniques and tactics designed to evade detection and bypass defences:

  • Blending-In: Attackers use the same software that network administrators use to manage their networks. For example: PsExec, TeamViewer, ScreenConnect, SCCM, and local administrator accounts
  • Obfuscation: Attackers obfuscate binaries to evade anti-virus software and prevent security analysts from easily grasping the severity of the threat
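Because dual-use remote administration tools are, by design, not malicious, the blending-in problem described above (and in the ScreenConnect section earlier) cannot be solved by anti-virus signatures; it is solved by baselining where, by whom and from which path those tools are expected to run, and alerting on deviations. The script below is an added example written for this page, not code from Mossé Security or from any of the vendors named. It scans a few constructed Windows process-creation records and raises a finding whenever a remote-admin executable runs from an unapproved directory, under an account that is not an approved administrator, or on a host where the tool has never been sanctioned. The executable names, approved paths, accounts, hosts and the log line format are all assumptions chosen for illustration; a real deployment would feed it Sysmon or EDR process-creation events and its own asset inventory.

```python
"""Flag remote-administration tools running outside their expected context.

Added example (not Mossé Security's code). Every policy value below is an
assumption for illustration: executable names, approved install paths,
approved accounts and the per-tool host baseline.
"""
from dataclasses import dataclass
import re

# Dual-use tools that attackers "blend in" with (assumed executable names,
# compared case-insensitively).
REMOTE_ADMIN_TOOLS = {
    "psexec.exe": "PsExec",
    "teamviewer.exe": "TeamViewer",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
}

# Directories the organisation installs these tools into (assumed policy).
APPROVED_PATH_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\admintools\\",
)

# Accounts approved to run remote-admin tooling (assumed policy).
APPROVED_USERS = {"corp\\it-admin", "corp\\helpdesk-svc"}

# Hosts on which each tool is expected (assumed baseline from asset inventory).
# An empty set means the tool is not licensed anywhere in the organisation.
APPROVED_HOSTS = {
    "PsExec": {"it-jumpbox01"},
    "TeamViewer": {"reception-pc"},
    "ScreenConnect": set(),
}

# Constructed log line format: timestamp, host, user, quoted image path, pid.
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image="(?P<image>[^"]+)" pid=(?P<pid>\d+)$'
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    image: str
    reason: str


def parse_line(line):
    """Return the event fields as a dict, or None if the line does not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def evaluate(event):
    """Return the list of reasons a process-creation event deviates from policy.

    Events for executables that are not remote-admin tools yield no reasons.
    """
    image = event["image"].replace("/", "\\").lower()
    exe = image.rsplit("\\", 1)[-1]
    tool = REMOTE_ADMIN_TOOLS.get(exe)
    if tool is None:
        return []
    reasons = []
    if not image.startswith(APPROVED_PATH_PREFIXES):
        reasons.append(f"{tool} launched from unapproved path {event['image']}")
    if event["user"].lower() not in APPROVED_USERS:
        reasons.append(f"{tool} run by non-approved account {event['user']}")
    if event["host"].lower() not in APPROVED_HOSTS.get(tool, set()):
        reasons.append(f"{tool} is not baselined on host {event['host']}")
    return reasons


def scan(lines):
    """Parse each log line and collect one Finding per policy deviation."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line; a real pipeline would count these
        for reason in evaluate(ev):
            findings.append(Finding(ev["ts"], ev["host"], ev["user"], ev["image"], reason))
    return findings


# Constructed sample events: one benign admin action, one ordinary business
# process, and two uses of remote-admin tooling that deviate from the baseline.
SAMPLE_LOG = [
    '2024-03-02T09:01:10Z host=it-jumpbox01 user=CORP\\it-admin '
    'image="C:\\AdminTools\\PsExec.exe" pid=3120',
    '2024-03-02T09:02:44Z host=finance-pc07 user=CORP\\j.smith '
    'image="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" pid=5012',
    '2024-03-02T09:15:02Z host=finance-pc07 user=CORP\\j.smith '
    'image="C:\\Users\\j.smith\\AppData\\Local\\Temp\\ScreenConnect.ClientService.exe" pid=6240',
    '2024-03-02T09:20:31Z host=finance-pc07 user=CORP\\j.smith '
    'image="C:\\Program Files\\PsExec.exe" pid=6301',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host} {f.user}: {f.reason}")
```

Run stand-alone, the script prints five findings: three for the unlicensed ScreenConnect client running from a user's temp directory, and two for PsExec run on a finance workstation by a non-administrator, while the approved PsExec use on the jump box and the Excel launch produce nothing. The design point is that each rule encodes a fact the organisation already knows about itself (where tools are installed, who administers, which hosts are in scope), which is exactly the context an anti-virus vendor does not have and therefore cannot use to distinguish an administrator from an intruder.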