Cybersecurity researchers have discovered an extensive hacker toolkit, revealing a comprehensive set of tools designed for various stages of cyberattacks.
The toolkit, found in an open directory, showcases the sophisticated methods employed by threat actors to gain and maintain access to compromised systems.
The discovery, made in early December 2023, exposed a collection of batch scripts and malware targeting both Windows and Linux systems. These tools demonstrate the hackers’ ability to perform various malicious activities, from initial system compromise to long-term control and data exfiltration.
Among the most notable tools uncovered were PoshC2 and Sliver, two well-known command and control (C2) frameworks. These open-source tools, typically used by penetration testers and red teams, have been repurposed by malicious actors for nefarious purposes. These frameworks indicate the attackers’ intent to establish persistent remote access to compromised systems.
PoshC2 Capabilities
The toolkit also included several custom batch scripts designed for defense evasion and system manipulation. Scripts such as atera_del.bat and atera_del2.bat were crafted to remove Atera remote management agents, potentially eliminating traces of legitimate administrative tools.
Other scripts like backup.bat and delbackup.bat focused on deleting system backups and shadow copies, a common tactic used to hinder data recovery efforts in ransomware attacks.
Researchers at The DFIR Report noted the presence of clearlog.bat, a script capable of erasing Windows event logs and removing evidence of Remote Desktop Protocol (RDP) usage. This highlights the attackers’ emphasis on covering their tracks and evading detection.
The toolkit also contained more specialized tools:
cmd.cmd: Disables User Account Control and modifies registry settings
def1.bat and defendermalwar.bat: Disable Windows Defender and uninstall Malwarebytes
disable.bat and hyp.bat: Stop and disable various critical services
LOGOFALL.bat and LOGOFALL1.bat: Log off user sessions
NG1.bat and NG2.bat: Contain Ngrok authentication tokens for proxy purposes
Ngrok.exe: A legitimate tool abused for proxy services
Posh_v2_dropper_x64.exe: PoshC2 dropper for Windows
native_dropper: Linux version of the PoshC2 dropper
py_dropper.sh: Bash script to execute a Python dropper for PoshC2
VmManagedSetup.exe: SystemBC malware executable
WILD_PRIDE.exe: Sliver C2 framework executable
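The scripts listed above share a small set of observable behaviours (shadow copy and backup deletion, event log clearing, UAC and Defender tampering, Ngrok tunnelling) that a defender can hunt for in process-creation telemetry. The following is an added example written for this article, not code from The DFIR Report; the sample command lines, the regexes and the mapping to ATT&CK technique IDs are assumptions about how such scripts typically behave, and the host-level aggregation is this example's own design, since several distinct rules firing on one host is a far stronger signal than any single command.

```python
import re
from collections import defaultdict

# Constructed process-creation records resembling the behaviours of the batch
# scripts listed above; not telemetry from the DFIR Report.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmd": "vssadmin delete shadows /all /quiet"},
    {"host": "ws01", "cmd": "wbadmin delete catalog -quiet"},
    {"host": "ws01", "cmd": "wevtutil cl Security"},
    {"host": "ws02", "cmd": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"host": "ws02", "cmd": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "ws02", "cmd": "ngrok tcp 3389"},
    {"host": "ws03", "cmd": "sc stop SQLWriter"},
    {"host": "ws03", "cmd": r"notepad C:\Users\a\notes.txt"},
]

# (rule name, regex matched case-insensitively against the command line, ATT&CK technique).
RULES = [
    ("shadow_copy_deletion",
     r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete|wbadmin(\.exe)?\s+delete\s+catalog", "T1490"),
    ("event_log_cleared", r"wevtutil(\.exe)?\s+cl\s|clear-eventlog", "T1070.001"),
    ("uac_disabled", r"policies\\system.*enablelua.*/d\s+0", "T1548.002"),
    ("defender_disabled", r"set-mppreference\s+-disable\w+\s+\$true|disableantispyware", "T1562.001"),
    ("ngrok_tunnel", r"\bngrok(\.exe)?\s+(tcp|http|tunnel|authtoken)", "T1572"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE), tech) for name, rx, tech in RULES]


def match_event(cmd):
    """Return (rule, technique) pairs whose regex matches this command line."""
    return [(name, tech) for name, rx, tech in COMPILED if rx.search(cmd)]


def find_hits(events):
    """Tag every event with the rules it triggers; events matching nothing are dropped."""
    return [{"host": ev["host"], "rule": name, "technique": tech, "cmd": ev["cmd"]}
            for ev in events for name, tech in match_event(ev["cmd"])]


def hosts_with_staging(events, min_distinct_rules=2):
    """Hosts where several distinct rules fire: backup deletion stacked with log
    clearing or AV tampering is the pre-ransomware pattern described above."""
    by_host = defaultdict(set)
    for hit in find_hits(events):
        by_host[hit["host"]].add(hit["rule"])
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= min_distinct_rules}


if __name__ == "__main__":
    for host, rules in hosts_with_staging(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(rules)}")
```

On the constructed sample, ws01 and ws02 are flagged while ws03 (a single service stop and a benign command) is not, which is the point of requiring more than one distinct behaviour per host.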
The discovery of this toolkit provides valuable insights into the methods and tools employed by modern cybercriminals. It underscores the importance of robust cybersecurity measures and the need for organizations to remain vigilant against evolving threats.
Tools & Techniques (Source: DFIR Report)
Cybersecurity experts advise organizations to implement comprehensive security strategies, including regular system updates, employee training, and advanced threat detection systems to protect against such sophisticated attack toolkits.
Researchers believe these servers were likely used in ransomware intrusion activity based on the tools presented. They found many scripts attempting to stop services, delete backups and shadow copies, and disable or remove antivirus software. You can find the complete list of IoCs here.
This information was reported originally by:
Guru Baran
Co-Founder of Cybersecurity News & GBHackers on Security.