​The cyber espionage toolkit ‘Mash-up’ is developed of leaked source code backdoors

• Mash-up toolkit is made up of publicly available malicious tools such as GhOst Rat and NetBot attacker.
• The toolkit also contained parts of the Remote Control System (RCS) surveillance tool.

The cyber espionage toolkit ‘Mash-up’ was made up of publicly available malicious tools and leaked source code of backdoors. The toolkit also contained parts of the Italian hacking team’s Remote Control System (RCS) surveillance tool in the malware’s code.

Researchers from ESET uncovered that the attack against the Malaysian government relied on the malware that was made up of leaked source code and publicly available tools including GhOst Rat and NetBot attacker.

Researchers’ observations

ESET’s Tomas Gordon noted that the remote access tools GhOst Rat and NetBot were developed in 2008 and had been used in high-profile attacks. Later, the source code of these tools was leaked online.

ESET’s Filip stated that such code reuse is a common practice for less skilled hackers but highly targeted espionage attack against government usually makes use of malicious tools that are custom-made. However, Filip revealed that they also found a stand-alone file stealer.

“We could say that these attackers wanted to achieve a lot but were willing to do only very little. Even some of the customizations they added to the reused tools – probably in an attempt to fly under the radar – were “borrowed” from Hacking Team’s code,” said Tomas.

More details on the toolkit

Researchers explain that the toolkit works as a backdoor allowing the attackers to exfiltrate files from the compromised system. The toolkit also allows the attackers to do the following:

• Upload files to the compromised system.
• Modify and delete files from the compromised system.
• Collect information from the compromised system.
• Monitor and simulate mouse and keyboard activity.
• Execute or kill processes.
• Shutdown or restart the compromised system.

Even though the malware was blocked, the attackers managed to infiltrate some systems and the researchers noticed that the attempts were coming from machines in the targeted networks.

“We think it went like this: the attackers somehow compromised the first computer or server in the network – one that wasn’t protected by ESET. From there, the malware spread through the network and was blocked on ESET-protected endpoints. That was how we first found out about it,” Filip explained.

Researchers also observed that the attackers made multiple changes to the evasion techniques employed by their malware. These repeated detection evasion efforts reveal that this is a well-organized espionage attack against the Malaysian government.

Researchers recommend the following to organizations to stay protected from such attacks:

• Deploy reputable multi-layered security solutions across the organization
• Keep all the systems up-to-date
• Have a complex password policy
• Have a strong software restriction policy
• Disable RDP
• Enable two-factor authentication
• Conduct regular pen tests
• Provide employees with cybersecurity training