Legitimate Software Abused for Targeted Attacks

Cybercriminals often leverage open-source tools or code in attack campaigns. The use of legitimate tools makes attacks stealthier as they are not flagged as suspicious by security tools. Recently, some cybercriminals were seen hiding their malicious files using the popular source code editor software Notepad++ to evade detection.

What happened?

TrendMicro recently identified and disclosed an incident, where attackers used a trojanized version of open-source software Notepad++ to deliver different payloads.
  • A file named notepad.exe was being dropped on the target system using the executable ntoskrnl.exe (a Windows NT kernel executable file). This was performed by either exploiting ntoskrnl.exe or via network shares.
  • The file description, product name, and original filename are similar to the legitimate Notepad++ software but some of the file’s info was found to be fake.
  • The user interface of the file looks and works exactly similar to a normal legitimate Notepad++, however, it was equipped with several malicious capabilities, such as performing backdoor routines and delivering malicious payloads.
  • The malicious notepad.exe file can perform suspicious actions by calling several tools, namely ipconfig.exe, net.exe, reg.exe, systeminfo.exe, and tasklist.exe. It also delivers payloads, including TrojanSpy.Win32.LAZAGNE.B, and the Defray ransomware.

Other incidents

Cybercriminals have been constantly exploiting open-source software for malicious purposes.
  • A China-based hacking group was observed abusing the Windows Zerologon vulnerability. They were found using a .NET Loader that was found to be obfuscated with the ConfuserEx open-source tool.
  • A recent report from security researcher Vitali Kremez suggests that the Ryuk ransomware gang has leveraged several open-source tools including Mimikatz, PowerShell PowerSploit, LaZagne, AdFind, Bloodhound, and PsExec for their malicious operations.

Conclusion

Cybercriminals are now smartly using open-source tools for their targeted attacks. Therefore, experts suggest users download any files, applications, or open-source software from reliable and genuine sources. In addition, an organization’s IT team should verify the downloaded binary with checksums.