Malware authors have been widely adopting open-source security tools for cybercrime operations. Recently, Recorded Future released a report on the use of malicious C&C infrastructure throughout 2020, based on tracking more than 10,000 C&C servers across more than 80 malware strains.
Penetration-testing toolkits, namely Cobalt Strike (used with 13.5% of all 2020 C&C servers) and Metasploit (10.5% of all 2020 C&C servers), have become the two most widely used technologies for hosting C&C servers.
- PupyRAT was the third most used C&C server framework, owing to its open-source codebase on GitHub (available since 2018).
- Several state-sponsored and financially motivated hacking groups, as well as other threat groups, operated these servers.
- Several reputable U.S.-based hosting providers, such as Amazon, Digital Ocean, and Choopa, hosted the most command and control servers on their infrastructure.
Cobalt Strike witnessed widespread usage
- Recently, the MuddyWater APT group used a GitHub-hosted malicious PowerShell script to decode an embedded Cobalt Strike script and target Windows systems.
- Palo Alto Networks researchers found that the SolarStorm campaign was linked to a Cobalt Strike payload generated with Cobalt Strike 4.0, a build from December 2019.
- Sophos researchers observed the SystemBC RAT being used alongside post-exploitation tools, including Cobalt Strike.
The bottom line
Malware authors have been proactively using open-source security tools because these tools are common and accepted as legitimate across organizations. Attackers can repurpose them to deploy different types of payloads, such as ransomware or keyloggers, on compromised networks. Enterprises are advised to apply detection-in-depth for common open-source toolkits: correlation searches in SIEMs for suspicious behaviors, YARA rules for suspicious file contents, and Snort for suspicious or malicious network traffic.
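To make the SIEM correlation search recommended above concrete, the following Python script is an added example written for this page (it is not code from the Recorded Future report or from any vendor product). It implements a two-stage rule that chains the behavior described in the MuddyWater case: an encoded PowerShell launch followed, from the same host and process, by a connection to GitHub-hosted content within a short time window. The log format, host names, PIDs, timestamps and base64 argument are all constructed for the example; the PowerShell parameter aliases (-EncodedCommand, -enc, -ec, -e) are real, and the window length is an assumed tuning value.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import List

# Constructed sample telemetry for this example (not real logs).
# Format: timestamp|host|event_type|key=value details (cmd= takes the rest of the line)
SAMPLE_EVENTS = [
    # Encoded PowerShell launch followed 3 s later by a fetch from GitHub content: should alert
    "2021-02-10T09:00:01Z|ws-17|process_create|pid=4120 image=powershell.exe cmd=powershell.exe -nop -w hidden -enc QQBCAEMA",
    "2021-02-10T09:00:04Z|ws-17|network_connect|pid=4120 dest=raw.githubusercontent.com:443",
    # Benign scheduled script, no encoded command, internal destination: no alert
    "2021-02-10T09:05:00Z|ws-22|process_create|pid=880 image=powershell.exe cmd=powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "2021-02-10T09:05:02Z|ws-22|network_connect|pid=880 dest=fileserver.corp.local:445",
    # GitHub connection with no preceding suspicious launch: no alert
    "2021-02-10T10:00:00Z|ws-31|network_connect|pid=2222 dest=raw.githubusercontent.com:443",
    # Encoded launch and GitHub fetch 30 min apart: outside the default 60 s window, no alert
    "2021-02-10T11:00:00Z|ws-40|process_create|pid=9001 image=powershell.exe cmd=powershell.exe -enc QQBCAEMA",
    "2021-02-10T11:30:00Z|ws-40|network_connect|pid=9001 dest=raw.githubusercontent.com:443",
]

# powershell.exe accepts -EncodedCommand and the aliases -enc, -ec and -e.
# The trailing \b keeps -ExecutionPolicy / -ep from matching the short alias.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:encodedcommand|enc|ec|e)\b")
# Code-hosting domains used for staging in the case described on the page.
CODE_HOST = re.compile(r"(?i)(?:^|\.)(?:github\.com|githubusercontent\.com)$")


def parse_event(line: str) -> dict:
    """Split one pipe-delimited sample line into a dict with a UTC timestamp."""
    ts, host, etype, details = line.split("|", 3)
    ev = {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "host": host,
        "type": etype,
    }
    for key in ("pid", "dest"):
        m = re.search(rf"\b{key}=(\S+)", details)
        if m:
            ev[key] = m.group(1)
    m = re.search(r"\bcmd=(.*)$", details)
    if m:
        ev["cmd"] = m.group(1)
    return ev


def is_encoded_powershell(cmd: str) -> bool:
    """True when a PowerShell command line carries an encoded-command argument."""
    return "powershell" in cmd.lower() and ENCODED_FLAG.search(cmd) is not None


def is_code_host(dest: str) -> bool:
    """True when the destination (host:port) is a GitHub content domain."""
    hostname = dest.rsplit(":", 1)[0].lower()
    return CODE_HOST.search(hostname) is not None


def correlate(lines: List[str], window: timedelta = timedelta(seconds=60)) -> List[dict]:
    """Two-stage correlation: encoded PowerShell launch -> code-host connection
    from the same (host, pid) within `window`. Returns one alert per matched launch."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    pending = {}  # (host, pid) -> launch event still waiting for stage 2
    alerts = []
    for ev in events:
        key = (ev["host"], ev.get("pid"))
        if ev["type"] == "process_create" and is_encoded_powershell(ev.get("cmd", "")):
            pending[key] = ev
        elif ev["type"] == "network_connect" and is_code_host(ev.get("dest", "")):
            launch = pending.get(key)
            if launch is not None and ev["ts"] - launch["ts"] <= window:
                alerts.append({
                    "host": ev["host"],
                    "pid": ev["pid"],
                    "launched": launch["ts"].isoformat(),
                    "connected": ev["ts"].isoformat(),
                    "dest": ev["dest"],
                    "cmd": launch["cmd"],
                })
                del pending[key]  # fire once per launch
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['host']} pid={alert['pid']} {alert['launched']} -> {alert['dest']} at {alert['connected']}")
        print(f"        cmd: {alert['cmd']}")
```

Running the script on the constructed events raises exactly one alert, for ws-17. Widening the window (for example `correlate(SAMPLE_EVENTS, timedelta(hours=1))`) also catches the ws-40 pair, which is the usual trade-off when tuning such a rule: a longer window lowers the chance of missing a staged download but raises the noise from unrelated activity.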