Categories: Malware

Cybercriminals Hacking Systems with 10+ Legitimate Data-Extraction Tools

In recent months, the cybersecurity landscape has witnessed a significant evolution in ransomware attacks, with perpetrators deploying an increasingly diverse array of data-exfiltration tools.

Symantec’s latest findings reveal that attackers have utilized at least a dozen different tools for data exfiltration in the past three months alone.

This trend underscores a strategic shift towards leveraging malware and dual-use tools—legitimate software repurposed for malicious intent—to siphon data from victim organizations.

Document
Integrate ANY.RUN in your company for Effective Malware Analysis

Are you from SOC and DFIR teams? – Join With 400,000 independent Researchers

Malware analysis can be fast and simple. Just let us show you the way to:

  • Interact with malware safely
  • Set up virtual machine in Linux and all Windows OS versions
  • Work in a team
  • Get detailed reports with maximum data
    • If you want to test all these features now with completely free access to the sandbox:

Double Extortion: A Growing Threat

According to the Symantec report, Ransomware operators have adopted a more aggressive tactic known as double extortion. By stealing sensitive data before encrypting the victim’s files, attackers can exert additional pressure on organizations to pay the ransom.

This approach not only complicates recovery efforts for the affected entities but also increases the potential for reputational damage and regulatory scrutiny.

The Expanding Toolkit

Among the tools favored by ransomware actors, Rclone remains the most commonly used for data exfiltration.

most frequently used exfiltration tools

However, there is a noticeable rise in the use of remote administration and management tools like AnyDesk, ScreenConnect, and Atera.

  • Rclone: An open-source cloud management tool, sometimes exploited by ransomware actors for data theft.
  • AnyDesk: A remote desktop application that attackers use for unauthorized access, occasionally disguising it to avoid detection.
  • RDP (Remote Desktop Protocol): Developed by Microsoft, this protocol enables remote control of computers. Attackers often enable it through registry modifications and firewall rule adjustments to gain malicious access.
  • Cobalt Strike: A tool meant for penetration testing but commonly used by attackers for stealthy data exfiltration and establishing covert communications.
  • ScreenConnect: Remote desktop software by ConnectWise for computer access.
  • Atera: Remote monitoring software often utilized by attackers for network access.
  • WinRAR and similar utilities: Used by attackers for file archiving in preparation for data exfiltration.
  • Restic: An efficient and secure backup tool, exploited by ransomware groups like those using Noberus for data theft.
  • TightVNC: Open-source remote desktop software.
  • WinSCP: A legitimate FTP and SFTP client for Windows.
  • Pandora RC: Commercial remote access tool, sometimes used maliciously for information theft and deploying additional tools.
  • Chisel: An open-source proxy tool, abused in ransomware attacks for data tunneling to attacker-controlled sites.
  • PowerShell: A Microsoft scripting tool, exploited for various malicious activities including data exfiltration through commands like Compress-Archive.

These tools offer a blend of functionality that appeals to attackers, including the ability to act as a backdoor into compromised systems.

Case Study: Rclone in Action

A notable instance of Rclone’s misuse occurred during a RagnarLocker ransomware attack in July 2023. Attackers deployed Rclone to transfer data from network shares to external storage solutions, demonstrating the tool’s versatility in facilitating large-scale data exfiltration.

The initial sign of malicious behavior was the execution of PowerShell commands to deactivate Local Security Authority (LSA) protection.

Following this, the attackers utilized SoftPerfect Network Scanner (netscan.exe), a widely accessible tool, for identifying host names and network services.

On the subsequent day, their operations continued with the deployment of Mimikatz and LaZagne for credential theft.

They then employed several native tools to collect system data, backup registry hives, run commands remotely across the network, and activate Remote Desktop Protocol (RDP) to enable external access.

Protection and Mitigation Strategies

In response to these evolving threats, Symantec emphasizes the importance of robust cybersecurity measures. Organizations are advised to monitor outbound traffic for anomalies, restrict the use of dual-use tools, and implement strong identity and access management practices.

Additionally, maintaining up-to-date software and employing endpoint detection and response (EDR) tools can significantly enhance an organization’s resilience against ransomware attacks.

The diversification of data-exfiltration tools in ransomware campaigns highlights the need for continuous vigilance and adaptive security strategies.

As attackers refine their techniques, organizations must prioritize the detection and mitigation of these threats to safeguard their data and maintain operational integrity.

Indicators of Compromise

SHA-256 hashDescription
d5e01c86dab89a0ecbf77c831e4ce7e0392bea12b0581929cace5e08bdd12196Rclone
df69dc5c7f62c06b0a64c9b065c3cbe7d034af6ba14131f54678135c33806f3eRclone
2cbe4368f75f785bf53cbc52b1b357d6281dc41adc1a1aa1870e905a7f07ed5eRclone
e94901809ff7cc5168c1e857d4ac9cbb339ca1f6e21dcce95dfb8e28df799961Rclone
9b5d1f6a94ce122671a5956b2016e879428c74964174739b68397b6384f6ee8bRclone
aaa647327ba5b855bedea8e889b3fafdc05a6ca75d1cfd98869432006d6fecc9Rclone
9bbc9784ce3c818a127debfe710ec6ce21e7c9dd0daf4e30b8506a6dba533db4Rclone
64e0322e3bec6fb9fa730b7a14106e1e59fa186096f9a8d433a5324eb6853e01Rclone
de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32cRclone
5cc2c563d89257964c4b446f54afe1e57bbee49315a9fc001ff5a6bcb6650393Rclone
8a878d4c2dff7ae0ec4f20c9ddbbe40b1d6c801d07b9db04597e46b852ea2dc5Rclone
6ad342fbfe679c66ecf31b7da1744cbf78c3dc9f4dbc61f255af28004e36a327Rclone
8e21c680dab06488014abca81348067753be97fd0413def630701019dea00980Rclone
f63ff9c6f31701c1dca42d47ca4d819645e8d47586cf375db170503ce92b777eRclone
d6c1e30368d7ed406f0a6c6519287d589737989e8ff1297b296054b64b646b3fRclone
109b03ffc45231e5a4c8805a10926492890f7b568f8a93abe1fa495b4bd42975AnyDesk
7d531afcc1a918df73f63579ca8d1a5c8048d8ac77917674c6805f31c8c9890fAnyDesk
734f3577aa453fe8e89d6f351a382474a5dab97204aff1e194eee4e9fdff0a4aAnyDesk
fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18AnyDesk
e69f82a00ab0e15d2d5d9f539c70406cbfaffd2d473e09aab47036d96b6a1bc1AnyDesk
5b70972c72bf8af098350f8a53ec830ddbd5c2c7809c71649c93f32a8a3f1371AnyDesk
7bcff667ab676c8f4f434d14cfc7949e596ca42613c757752330e07c5ea2a453AnyDesk
cd37a69b013336637a1ee722a6c7c8fd27439cf36ac8ed7e29374bbe4a29643eAnyDesk
8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383AnyDesk
ec33d8ee9c3881b8fcea18f9f862d5926d994553aec1b65081d925afd3e8b028AnyDesk
bbbedd933ac156b476e1b3edb3e09501c604a79c4ff1a917df779a9f1bec5ccaAnyDesk
7c20393e638d2873153d2873f04464d4bad32a4d40eabb48d66608650f7d4494AnyDesk
355faa21f35d4a15c894445f09af97b2ad90604425b9a4b9076e293dbd4504abAnyDesk
580f6a285c6c3b7238bd16e1aeb62a077ae44b5061a2162e9fd6383af59028bbAnyDesk
af61905129f377f5934b3bbf787e8d2417901858bb028f40f02200e985ee62f6AnyDesk
4de898c139fb5251479ca6f9ec044cac4d83a2f5d1113b7a4b8f13468a130c97AnyDesk
d928708b944906e0a97f6a375eb9d85bc00de5cc217d59a2b60556a3a985df1eAnyDesk
cdb82be1b9dd6391ed068124cfdf2339d71dd70f6f76462a7e4a0fdadd5a208aCobalt Strike
0242c29a20e19a4c19ff1e5cc7f28a8af3c13b6ec083d0569b3ba15a02c898b6Cobalt Strike
9242846351a65655e93ed2aeaf36b535ff5b79ddf76c33d54089d9005a66265bCobalt Strike
935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2Cobalt Strike
8d6a398f97d734412de03340bbb8237d00c519479649af8933afb8fb4fa2f695Cobalt Strike
837fa64038a1e46494b581020606c386fbd79898aab9f38f90df8cfa7d4599ecCobalt Strike
3cc56d5b79877a8ee6d15f0109d1c59937d6555ae656924686cafeee36ec0d57Cobalt Strike
3e2bda57454efa2e87ae4357f5c6c04edafa6b1efcda8093cbfd056a211d0f39Cobalt Strike
840e1f9dc5a29bebf01626822d7390251e9cf05bb3560ba7b68bdb8a41cf08e3Cobalt Strike
6cf60c768a7377f7c4842c14c3c4d416480a7044a7a5a72b61ff142a796273ecCobalt Strike
5adfef3f7721d6616650711d06792c087fd909f52435c8124c5f940f7acbdb48Cobalt Strike
270c888f8fbeb3bdc2dbcf8a911872791e05124d9bd253932f14dc4de1d2aed2Cobalt Strike
6c5338d84c208b37a4ec5e13baf6e1906bd9669e18006530bf541e1d466ba819Cobalt Strike
0f4fa41c4ab2ac238cbe92438cb71d139a7810c6c134b16b6c6005c4c5b984e4Cobalt Strike
b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393faCobalt Strike
c4753ca743f0bfa82590e9838ad48af862814052e5c90a6dab97c651942a9d61Cobalt Strike
040f59f7e89787ee8db7ba44a11d7ed2ce9065ac938115933ca8cb37bb99abc5Cobalt Strike
89a09433e0a57d8c01d5bab4ef4e6def979d2bc8e1ffad47ee6eadd3b85d09e9Cobalt Strike
64dd55e1c2373deed25c2776f553c632e58c45e56a0e4639dfd54ee97eab9c19Cobalt Strike
523dcd9d9b971a8b4c53b5cfd9a003d7fcc0e6a4e0a06039db7f87ba7fb0a167Cobalt Strike
664bb48bf3e8a7d7036e4b0029fa10e1a90c2562ad9a09a885650408d00dea1bCobalt Strike
461ba29d9386de39071d8f2f7956be21fb4fa06df8dd1db6dec3da0982e42f9fCobalt Strike
d551b4f46ad7af735dfa0e379f04bdb37eda4a5e0d9fe3ea4043c231d034176cCobalt Strike
8b23414492ebf97a36d53d6a9e88711a830cbfb007be756df4819b8989140c2dCobalt Strike
a8611c0befdb76e8453bc36e1c5cfea04325e57dffb21c88760c6e0316319b36Cobalt Strike
d4e9986e9ad85daae7fabd935f021b26d825d693209bed0c9084d652feef0d77Cobalt Strike
a7f477021101837696f27159031c27afec16df0a92355dfe0eb06e8b23bff7f6Cobalt Strike
00be065f405e93233cc2f0012defdcbb1d6817b58969d5ffd9fd72fc4783c6f4Cobalt Strike
3f0256ae16587bf1dbbd3b25a50f972883ae41bce1d77f464b2a5c77fd736466Cobalt Strike
e2a5fb1ca722474b76d6da5c5b1d438a1e58beca52864862555c9ab1b533e72dScreenConnect
ea38cff329692f6b4c8ade15970b742a9a8bb62a44f59227c510cb2882fa436fScreenConnect
d7267fe13e073dcfe5b0d319e41646a3eb855444d25c01d52d6dab9de695e1b1ScreenConnect
91605641a4c7e859b7071a9841d1cd154b9027e6a58c20ec4cadafeaf47c9055ScreenConnect
df28158ea229ab67f828328fc01ea7629f3b743ecea8c0b88fba80cd7efc3a75ScreenConnect
5778bf9e4563a80ec48e975eaa81fd6fe2f4b504ffcd61fcfbceb65a45eb8345ScreenConnect
bcaa3d8dcba6ba08bf20077eadd0b31f58a1334b7b9c629e475694c4eeafd924ScreenConnect
d40ae98a7d18c2c35c0355984340b0517be47257c000931093a4fc3ccc90c226ScreenConnect
935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2Atera
d0ceb18272966ab62b8edff100e9b4a6a3cb5dc0f2a32b2b18721fea2d9c09a5Atera
840e1f9dc5a29bebf01626822d7390251e9cf05bb3560ba7b68bdb8a41cf08e3Atera
cef987a587faded1a497d37cf8d1564a287ef509338dbd956ea36c8e6aa9a68eAtera
bc866cfcdda37e24dc2634dc282c7a0e6f55209da17a8fa105b07414c0e7c527Atera
3a3fe8352e0a2bca469dba0dc5922976d6ba4dc8b744ac36056bfb25dbf7fc68Atera
8258756c2e0ca794af527258e8a3a4f7431fbd7df44403603b94cb2a70cb1bdfAtera
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450Atera
486b2c2b0ca934ab63a9cf9f4b660768ad34c8df85e6f070aec0b6a63f09b0d8Atera
6f88fb88ffb0f1d5465c2826e5b4f523598b1b8378377c8378ffebc171bad18bAtera
ec436aeee41857eee5875efdb7166fe043349db5f58f3ee9fc4ff7f50005767fAtera
5d8f9cf481d72c53438cdfff72d94b986493e908786e6a989acad052d1939399Atera
5157d2c1759cb9527d780b88d7728dc4ba5c9ce5fddff23fb53c0671febb63bcAtera
de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32cAtera
9a7c58bd98d70631aa1473f7b57b426db367d72429a5455b433a05ee251f3236Atera
ff79d3c4a0b7eb191783c323ab8363ebd1fd10be58d8bcc96b07067743ca81d5Atera
35e6742e840490ee8ccfbbccacd5e7e61a1a28a2e23fb7b5083a89271a5fd400Atera
265b69033cea7a9f8214a34cd9b17912909af46c7a47395dd7bb893a24507e59WinRAR
f6c9532e1f4b66be96f0f56bd7c3a3c1997ea8066b91bfcc984e41f072c347baWinRAR
b1e7851bd2edae124dc107bec66af79febcb7bc0911022ac31b3d24b36b3f355WinRAR
8258756c2e0ca794af527258e8a3a4f7431fbd7df44403603b94cb2a70cb1bdfWinRAR
9e3c618873202cd6d31ea599178dd05b0ab9406b44c13c49df7a2cbc81a5caa4WinRAR
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450WinRAR
d1144b0fb4e1e8e5104c8bb90b54efcf964ce4fca482ee2f00698f871af9cb72WinRAR
0244b889e1928a51b8552ab394f28b6419c00542a1bbc2366e661526790ec0a7WinRAR
0d068a6aa2df88613e1c5c7ba412a5a5bc3cadc3f3ab4b76d10035ba8eec27bfWinRAR
33f6acd3dfeda1aadf0227271937c1e5479c2dba24b4dca5f3deccc83e6a2f04Restic
99abf0d33e2372521384da3c98fd4a3534155ad5b6b7852ebe94e098aa3dc9b8TightVNC
366f5d5281f53f06fffe72f82588f1591191684b6283fb04102e2685e5d8e95cWinSCP
eea7d9af6275c1cbf009de73a866eac4bc5d0703078ffe73b0d064cca4029675WinSCP
2e64bf8ca66e4363240e10dd8c85eabbf104d08aba60b307435ff5760d425a92Pandora RC
40c81a953552f87de483e09b95cbc836d8d6798c2651be0beba3b1a072500a15Chisel
d3b125f6441485825cdf3e22e2bfdeda85f337e908678c08137b4e8ef29303dbChisel
b9ef2e948a9b49a6930fc190b22cbdb3571579d37a4de56564e41a2ef736767bChisel
9b78a7d8fd95fe9275c683f8cca54bc6c457b2cb90c549de227313a50da4fc41Chisel
7ef2cc079afe7927b78be493f0b8a735a3258bc82801a11bc7b420a72708c250
Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Leave a Comment
Share
Published by
Balaji
Tags: computer securityCyber Security NewsMalware
12 months ago

Recent Posts

SPAWNCHIMERA Malware Exploits Ivanti Buffer Overflow Vulnerability by Applying a Critical Fix

In a recent development, the SPAWNCHIMERA malware family has been identified exploiting the buffer overflow…

7 hours ago

Sitevision Auto-Generated Password Vulnerability Lets Hackers Steal Signing Key

A significant vulnerability in Sitevision CMS, versions 10.3.1 and earlier, has been identified, allowing attackers…

7 hours ago

NSA Allegedly Hacked Northwestern Polytechnical University, China Claims

Chinese cybersecurity entities have accused the U.S. National Security Agency (NSA) of orchestrating a cyberattack…

8 hours ago

ACRStealer Malware Abuses Google Docs as C2 to Steal Login Credentials

The ACRStealer malware, an infostealer disguised as illegal software such as cracks and keygens, has…

8 hours ago

Nagios XI Flaw Exposes User Details and Emails to Unauthenticated Attackers”

A security vulnerability in Nagios XI 2024R1.2.2, tracked as CVE-2024-54961, has been disclosed, allowing unauthenticated…

11 hours ago

Critical UniFi Protect Camera Vulnerability Enables Remote Code Execution Attacks

Ubiquiti Networks has issued an urgent security advisory (Bulletin 046) warning of multiple critical vulnerabilities…

11 hours ago