Hackers’ Toolkit Exposed, Wide Range of Tools From Initial Access to Full Control


Cybersecurity researchers have discovered an extensive hacker toolkit, revealing a comprehensive set of tools designed for various stages of cyberattacks.

The toolkit, found in an open directory, showcases the sophisticated methods employed by threat actors to gain and maintain access to compromised systems.


The discovery, made in early December 2023, exposed a collection of batch scripts and malware targeting both Windows and Linux systems. These tools demonstrate the hackers’ ability to perform various malicious activities, from initial system compromise to long-term control and data exfiltration.


Among the most notable tools uncovered were PoshC2 and Sliver, two well-known command and control (C2) frameworks. These open-source tools, typically used by penetration testers and red teams, have been repurposed by malicious actors for nefarious purposes. These frameworks indicate the attackers’ intent to establish persistent remote access to compromised systems.

The toolkit also included several custom batch scripts designed for defense evasion and system manipulation. Scripts such as atera_del.bat and atera_del2.bat were crafted to remove Atera remote management agents, potentially eliminating traces of legitimate administrative tools.

Other scripts like backup.bat and delbackup.bat focused on deleting system backups and shadow copies, a common tactic used to hinder data recovery efforts in ransomware attacks.

DFIR Report researchers noted the presence of clearlog.bat, a script capable of erasing Windows event logs and removing evidence of Remote Desktop Protocol (RDP) usage. This highlights the attackers’ emphasis on covering their tracks and evading detection.

The toolkit also contained more specialized tools:

  1. cmd.cmd: Disables User Account Control and modifies registry settings
  2. def1.bat and defendermalwar.bat: Disable Windows Defender and uninstall Malwarebytes
  3. disable.bat and hyp.bat: Stop and disable various critical services
  4. LOGOFALL.bat and LOGOFALL1.bat: Log off user sessions
  5. NG1.bat and NG2.bat: Contain Ngrok authentication tokens for proxy purposes
  6. Ngrok.exe: A legitimate tool abused for proxy services
  7. Posh_v2_dropper_x64.exe: PoshC2 dropper for Windows
  8. native_dropper: Linux version of the PoshC2 dropper
  9. py_dropper.sh: Bash script to execute a Python dropper for PoshC2
  10. VmManagedSetup.exe: SystemBC malware executable
  11. WILD_PRIDE.exe: Sliver C2 framework executable
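From a detection standpoint, the scripts listed above share a small set of observable behaviours: shadow-copy and backup deletion, event-log clearing, Defender and service tampering, and ngrok tunnelling. The following is an added example, not DFIR Report's code and not the contents of the toolkit's scripts: it scans constructed process-creation log lines for the commands typically behind those behaviours. The log line format and the command patterns are assumptions chosen for illustration.

```python
"""Flag defense-evasion behaviours named in the article in process-creation
logs. Added example; the log format, rules and sample lines are constructed."""
import re
from collections import Counter

# (label, regex over the command line). Patterns are assumptions about how such
# scripts are commonly written, not the actual contents of the toolkit's scripts.
RULES = [
    ("shadow_copy_deletion", re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup_catalog_deletion", re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|backup)", re.I)),
    ("event_log_clearing", re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("defender_tampering", re.compile(
        r"Set-MpPreference\s+-Disable|sc(\.exe)?\s+(config|stop)\s+WinDefend", re.I)),
    ("service_disable", re.compile(r"sc(\.exe)?\s+config\s+\S+\s+start=\s*disabled", re.I)),
    ("ngrok_tunnel", re.compile(r"ngrok(\.exe)?\s+(tcp|http|authtoken|config\s+add-authtoken)", re.I)),
]

# Assumed log line shape: "<timestamp> host=<host> user=<user> cmd=<command line>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")


def parse_line(line):
    """Return the parsed fields as a dict, or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines):
    """Return (timestamp, host, label, command) for every rule hit, in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for label, rx in RULES:
            if rx.search(rec["cmd"]):
                hits.append((rec["ts"], rec["host"], label, rec["cmd"]))
    return hits


def summarize(hits):
    """Count hits per behaviour label, e.g. to drive a per-host alert."""
    return Counter(label for _, _, label, _ in hits)


# Constructed sample: one benign line followed by the behaviours described above.
SAMPLE_LOG = """\
2023-12-03T10:14:02Z host=WS01 user=CORP\\jdoe cmd=notepad.exe C:\\Users\\jdoe\\notes.txt
2023-12-03T10:15:40Z host=WS01 user=CORP\\jdoe cmd=vssadmin.exe delete shadows /all /quiet
2023-12-03T10:15:41Z host=WS01 user=CORP\\jdoe cmd=wbadmin delete catalog -quiet
2023-12-03T10:16:05Z host=WS01 user=CORP\\jdoe cmd=wevtutil.exe cl Security
2023-12-03T10:16:30Z host=WS01 user=CORP\\jdoe cmd=sc config WinDefend start= disabled
2023-12-03T10:17:12Z host=WS01 user=CORP\\jdoe cmd=ngrok.exe tcp 3389
"""

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG.splitlines()):
        print(hit)
```

Several of these behaviours appearing on one host within a few minutes is the signal worth alerting on; any single one may also occur during legitimate administration.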

The discovery of this toolkit provides valuable insights into the methods and tools employed by modern cybercriminals. It underscores the importance of robust cybersecurity measures and the need for organizations to remain vigilant against evolving threats.

Figure: Tools & Techniques (Source: DFIR Report)

Cybersecurity experts advise organizations to implement comprehensive security strategies, including regular system updates, employee training, and advanced threat detection systems to protect against such sophisticated attack toolkits.

Researchers believe these servers were likely used in ransomware intrusion activity, based on the tools present. They found many scripts attempting to stop services, delete backups and shadow copies, and disable or remove antivirus software. You can find the complete list of IoCs here.



