Hackers-For-Hire Commoditizing APT-Style Techniques

Threat actors offering hacker-for-hire services to private entities are creating new problems for organizations, especially SMEs, that are ill-equipped to defend against APTs, and are transforming the way those organizations approach security.

Hackers-for-hire, not a new trend

  • Over the past few years, the growing number of mercenary groups offering hacker-for-hire services has become a trend, driven by the public release and commoditization of APT-like TTPs.
  • Nation-states, such as China and Russia, hire hackers from cybercriminal camps to conduct intelligence operations. Subsequently, those hackers learn sophisticated APT-like TTPs that can be leveraged in their criminal activities.
  • After malware-as-a-service and ransomware-as-a-service, APT-as-a-service appears to be the latest trend. Hackers-for-hire set up mercenary groups and sell their capabilities to the highest bidder, typically someone who wants to spy on rivals or manipulate the financial market.

Who all are offering the services?

  • Known for targeting fintech companies, Evilnum has now started offering APT-like hacker-for-hire services to other organizations. The attackers are abusing Windows systems by impersonating legitimate programs via a new Python-based RAT.
  • Last month, a hackers-for-hire group—that renders sophisticated hacking services to customers looking for internal financial information and negotiations about big-budget contracts—compromised computers of an architecture firm. The threat actor used a malicious plugin for Autodesk 3ds Max, software used to create professional 3D computer graphics.
  • DeathStalker, a hackers-for-hire group, is targeting smaller financial institutions and law firms, expanding its cyberespionage operations. They are driving their espionage efforts through spearphishing emails enclosing malicious scripts in Microsoft Word documents.
  • According to Group-IB, APT group RedCurl is likely functioning in a hackers-for-hire model and focusing on corporate espionage. Their tactics involve launching spearphishing campaigns by deploying customized malware; they often employ a trojan downloader, a password extractor, and Windows PowerShell scripts.

The bottom line

SMEs and other organizations that do not have APTs in their threat models need to brace themselves. They must move beyond relying on malware-detecting security software alone and focus on augmenting their security stack with visibility tools at the network layer and on endpoints. They need to reassess their infrastructure and perform threat hunting on suspicious incidents.
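As an added illustration of the endpoint visibility and threat hunting recommended above (example code written for this page, not from any vendor or from the groups described), the following hunt flags the spearphishing TTP attributed to DeathStalker and RedCurl: a Microsoft Office application launching a script host such as PowerShell or wscript. The process-creation telemetry, its field names, hosts and paths are all constructed for the example.

```python
import json
from typing import Dict, Iterable, List

# Parent processes that should rarely launch script hosts or shells.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children whose launch from Office indicates macro/script execution or
# a living-off-the-land downloader stage.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "cmd.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

def _basename(path: str) -> str:
    """Normalise a Windows or POSIX image path to its lowercase file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_jsonl(text: str) -> List[Dict]:
    """Parse JSON-lines telemetry (constructed schema), skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def hunt_office_spawns(events: Iterable[Dict]) -> List[Dict]:
    """Return process-creation events where an Office app spawned a script host."""
    hits = []
    for ev in events:
        if ev.get("event") != "process_create":
            continue
        parent = _basename(ev.get("parent_image", ""))
        child = _basename(ev.get("image", ""))
        if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
            hits.append({"host": ev.get("host"), "user": ev.get("user"),
                         "parent": parent, "child": child,
                         "cmdline": ev.get("command_line", "")})
    return hits

# Constructed sample telemetry (hypothetical field names): two benign
# launches and two that match the Word/Excel -> script host pattern.
SAMPLE_LOG = r"""
{"event":"process_create","host":"ws01","user":"alice","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","command_line":"WINWORD.EXE /n invoice.docm"}
{"event":"process_create","host":"ws01","user":"alice","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","command_line":"powershell.exe -w hidden -File C:\\Users\\alice\\AppData\\Local\\Temp\\inv.ps1"}
{"event":"process_create","host":"ws02","user":"bob","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","image":"C:\\Windows\\splwow64.exe","command_line":"splwow64.exe 12288"}
{"event":"process_create","host":"ws02","user":"bob","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","image":"C:\\Windows\\System32\\wscript.exe","command_line":"wscript.exe //B C:\\Users\\bob\\AppData\\Roaming\\update.vbs"}
"""

if __name__ == "__main__":
    for hit in hunt_office_spawns(parse_jsonl(SAMPLE_LOG)):
        print(f"[{hit['host']}] {hit['user']}: {hit['parent']} -> {hit['child']}  {hit['cmdline']}")
```

In production the same parent/child check runs over Sysmon Event ID 1 or EDR process telemetry, and each hit is triaged by its command line and the document that the Office process opened.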