Hackers Toolkit Unveiled, Comprehensive Tools For Various Cyber Attacks

Hackers always keep updating their tools and add new ones to adapt to evolving security measures, bypass defenses, and exploit newly discovered vulnerabilities. 

Staying ahead of the cybersecurity advancements is completely important for them as doing so helps them maintain their ability to carry out successful cyber attacks.

Cybersecurity researchers at The DFIR Report recently unveiled the threat actors’ toolkit in which they discovered a comprehensive set of tools that are exploited by threat actors for various cyber attacks.

Technical Analysis

In December 2023, an open directory was discovered on 94.198.53.143, which revealed a sophisticated toolkit used by a threat actor.

This IP address became active in September 2023 and has been mostly associated with PoshC2 command and control activities.

The actors employed various batch scripts as well as malware that targeted Windows and Linux systems including tools for uninstalling Atera agents, deleting backups, disabling Windows Defender, or bypassing it.

Further research revealed another IP (185.234.216.64) hosting the same harmful content. Both Russian IPs have exhibited irregular activity into August 2024 with the second one remaining accessible till that time.

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access

Script files that disable services, remove backup copies, or neutralize anti-virus programs could be seen in the presence of this actor regarding ransomware activities.

Several C2 frameworks have been used by this threat actor such as PoshC2 and Sliver indicating that it is a well-resourced and persistent adversary.

Here below we have mentioned all the different tools and scripts in the open directory:-

• atera_del.bat/atera_del2.bat
• backup.bat
• clearlog.bat
• cmd.cmd
• def1.bat
• defendermalwar.bat
• delbackup.bat
• disable.bat
• hyp.bat
• LOGOFALL.bat
• LOGOFALL1.bat
• NG1.bat
• NG2.bat
• Ngrok.exe
• ON.bat
• Posh_v2_dropper_x64.exe
• native_dropper
• poshc2+user.txt
• py_dropper.sh
• Setup_uncnow.msi
• shadow.bat/shadowGuru.bat
• VmManagedSetup.exe
• WILD_PRIDE.exe
• z.bat
• z1.bat

Uncovering and analyzing these open directories exposes a persistent and sophisticated threat actor in Russia. 

Their continued exploitation of many command and control platforms and a vast array of system compromise as well as evasion tools is a great concern to organizations globally.

Mitigations

Here below we have mentioned all the mitigations:-

• Implement strong and powerful intrusion detection for C2 frameworks like PoshC2 and Sliver.
• Regularly create and safely store offline backups to avoid deletion.
• Keep anti-virus and anti-malware updated with the latest updates and make them enabled.
• Confine administration privileges, and account audit against unauthorized access.
• Perform vulnerability analysis as well as penetration testing regularly.
• Make sure that employees are aware of phishing and social engineering among other cyber threats.
• Draft and revise the incident response schedule for rapid breach action.
• Partner with others to have timely threat information.

Download Free Cybersecurity Planning Checklist for SME Leaders (PDF) – Free Download