Free, easy to use, and available to anyone: The powerful malware hiding in plain sight on the open web

"When the Russian military is using free stuff, you know how good that stuff is."
Written by Danny Palmer, Senior Writer

When people hear about a cyber attack or hacking campaign, they may picture a well-oiled machine that's taken time, skills and resources to build.

They imagine underground forums on the dark web, where attackers can buy powerful malware and unleash it on their target of choice.

But what if having access to the funding and contacts necessary to deliver attacks with the power of state-backed campaigns wasn't required?

In some cases, tools which can be used to conduct malicious cyber operations, ranging from espionage to taking down infrastructure, are freely available on the open web. Even state-backed operations have taken advantage of these free tools, as part of sophisticated cyber campaigns.

There are various sources for this code, which is commonly available on developer forums and from code repositories like GitHub. There are often messages stating that the code is for research purposes only, but that doesn't stop it being used for malicious intent.

Sometimes this source code is released intentionally; in other cases it is leaked. EternalBlue, for example, is a leaked SMB exploit that, just weeks after being let loose, was used to power the global WannaCry ransomware outbreak and then went on to help spread NotPetya.

There's also a third category of tools that, while not explicitly designed to be damaging, can be abused to provide attackers with the ability to traverse infected networks, monitor systems and more.

"There are things which aren't malware in the strictest sense of the word, but post-exploitation tools, like Metasploit and Mimikatz which malware operators frequently use," says Robert Lipovsky, senior malware researcher at ESET.

No matter the origin of the open-source malicious code, it provides attackers with a free and easy means of performing cybercrime. There's no need to open Tor and gain credibility in dark web forums before being able to make a purchase, the code can be freely plucked from the regular internet.

"These tools are so incredibly simple that once you download it from GitHub, you go into the configuration file and change things -- it's very easily customizable," says Randi Eitzman, senior cyber threat analyst at FireEye. "They're not having to pay anyone for these services, it's already on the internet for them".

There are even forums and tutorial videos that allow attackers with even the lowest level of knowledge to attempt to grab a piece of the pie -- especially when cryptocurrency mining is involved.

Using your own machine to mine for Monero or Bitcoin is perfectly legal, while using cryptojacking malware to secretly hijack other machines to generate it is a criminal activity.


However, instructions on how to set up mining tools are out there and readily available.

"There's tonnes of videos on YouTube and resources on the internet which mean anyone can search and pull up a 'how to configure your XMRig configuration file' or 'how to set up a custom pool'. It's very easy, someone who doesn't code can follow these tutorials online and do it in an afternoon," Eitzman says.

In some instances, the code behind malware was never meant to be malicious. A prominent example is Hidden Tear, referred to by some analysts as "open-source ransomware". Its source code was published to GitHub in 2015 for educational purposes, with the intention of allowing users and researchers to examine it and help develop protections against file-encrypting malware.

However, it wasn't long before people were taking advantage of a free ransomware kit, and Hidden Tear became an easy way for attackers with very little experience to extort money by locking files -- even school kids were getting in on the act.

"A few teenagers got arrested for using Hidden Tear to make some extra cash around school -- so yeah, it's definitely easy, people in their teens are forking ransomware," says Chris Doman, security engineer at AlienVault.

The original Hidden Tear GitHub project was abandoned three years ago, but by that point attackers had already got their hands on the code and made copies of it; they even continued to improve it and make it more effective.

Even today, despite something of a decline in ransomware, cyber criminals are still tinkering with the Hidden Tear code: a new version of it called Poolezoor emerged in August, demonstrating that once malicious code is released into the wild it can remain a problem for years to come.

Hidden Tear is far from the only example of how criminals repurpose available exploits. The EternalBlue exploit began life as a secret NSA hacking tool before being exposed by a hacking group and published online. Just weeks later EternalBlue had been used to power the WannaCry ransomware, a huge cyber attack that took down infrastructure across the world.

WannaCry wasn't the only attack that exploited the worm-like capabilities of the exploit to spread. NotPetya followed suit and criminals increasingly turned to the openly available EternalBlue as a means of making their malware more potent. It has been used to improve trojans and is still being used to deliver cryptojacking malware.

Like the code behind Hidden Tear, EternalBlue was made available online for free -- providing cyber criminals with access to powerful tools originally developed by a nation state.

"EternalBlue would probably be a million bucks to make, but now WannaCry and other hacking attacks are free -- they're capable cyber weapons, which is a bit scary," says Doman.

Beyond cyber criminals taking advantage of leaked nation-state developed toolsets, nation-state hacking operations are increasingly turning to freely available tools to aid espionage and other cyber campaigns.


In late 2015 and early 2016, cyber attacks against the Ukrainian energy grid resulted in parts of the country suffering power cuts during the coldest and darkest part of the year. Dubbed BlackEnergy after the malware family used in the intrusions, the campaign is heavily suspected to be the work of Russian state-sponsored hackers.

The phishing campaign and custom-built malware bear the hallmarks of a highly sophisticated threat actor, but the operation also took advantage of tools available online.

In this case it was GCat, a backdoor freely available on GitHub that lets attackers download executables and execute shell commands on the victim. The attackers controlled it through a Gmail account, so its command-and-control traffic looked like ordinary connections to Google's mail servers and was difficult to pick out on the network as they went about causing disruption.

This case demonstrates a key advantage of such tools: because they were not written as malware, they are often not flagged by security software, and their traffic and behaviour blend in with legitimate administration. That makes them more likely to avoid discovery than purpose-built malware, even though they are being used for exactly the purposes their authors said they were not for.
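One way an administrator can pull a mailbox-polling backdoor out of otherwise legitimate traffic, as an added example that is not part of the original article and is not GCat's own code: it reads a constructed proxy/firewall log (the line format, host names, endpoints and timings are all assumptions made for the example) and flags source hosts that contact a webmail or IMAP endpoint on a suspiciously regular schedule.

```python
"""Detect beacon-like traffic to a legitimate mail service.

Added example, not part of the original article and unrelated to GCat's code.
It assumes a constructed proxy/firewall log with one connection per line:
    <ISO timestamp> <src_host> <dst_host> <dst_port>
and looks for source hosts that contact a webmail/IMAP endpoint at highly
regular intervals: a polling backdoor checks its inbox on a timer, a human
reads mail when they feel like it.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. ws-07 polls every 300 s on the dot; ws-12 is a person.
SAMPLE_LOG = """\
2018-11-05T09:00:00 ws-07 imap.gmail.com 993
2018-11-05T09:01:12 ws-12 mail.google.com 443
2018-11-05T09:05:00 ws-07 imap.gmail.com 993
2018-11-05T09:10:00 ws-07 imap.gmail.com 993
2018-11-05T09:13:40 ws-12 mail.google.com 443
2018-11-05T09:15:00 ws-07 imap.gmail.com 993
2018-11-05T09:20:00 ws-07 imap.gmail.com 993
2018-11-05T09:25:00 ws-07 imap.gmail.com 993
2018-11-05T09:47:05 ws-12 mail.google.com 443
2018-11-05T10:02:31 ws-12 mail.google.com 443
2018-11-05T10:03:00 ws-12 mail.google.com 443
2018-11-05T10:40:00 ws-12 mail.google.com 443
"""

# Endpoints a mailbox-driven backdoor would have to talk to (assumed list).
MAIL_ENDPOINTS = {"imap.gmail.com", "smtp.gmail.com", "mail.google.com"}


def parse_log(text):
    """Yield (timestamp, src, dst, port) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, port = parts
        try:
            yield datetime.fromisoformat(ts), src, dst, int(port)
        except ValueError:
            continue


def find_beacons(text, min_hits=5, max_jitter=0.2):
    """Return {(src, dst): mean_gap_seconds} for pairs that poll on a timer.

    A pair is reported when it has at least min_hits connections and the
    standard deviation of the gaps between them is at most max_jitter times
    the mean gap. Both thresholds are assumptions to tune per environment.
    """
    series = defaultdict(list)
    for ts, src, dst, _port in parse_log(text):
        if dst in MAIL_ENDPOINTS:
            series[(src, dst)].append(ts)

    beacons = {}
    for key, stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons


if __name__ == "__main__":
    for (src, dst), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: polling roughly every {gap:.0f} s")
```

A person reading mail produces irregular gaps; a backdoor on a timer produces near-constant ones, which is what the jitter threshold catches. A backdoor that adds random sleep between polls will need a looser threshold or a different feature (total volume, connections outside working hours, a host that has no business talking to a mail provider at all), so treat this as one signal among several rather than a verdict.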

"It's able to slip under the radar of network administrators," says Lipovsky. "Remote access, remote administrator tools, they're a good example of stuff that can be legitimate or malicious depending on who is using it."

Another suspected Russian hacking operation, Turla, is also known to have used freely available software in attacks, demonstrating how potent some of the tools available via the open web can be.

"When the Russian military is using free stuff, you know how good that stuff is as they have enough money to build their own tools," says Doman.

Being free and potentially very powerful aren't the only benefits of freely available code for cyber criminals. Sourcing it from GitHub offers another big advantage: it makes the attackers more difficult to trace.

"It makes attribution more difficult, because with tailored, custom-made malware, that can often be attributed to a group of attackers. While with code used by many operators, it's difficult to say who's using it," says Lipovsky.

This is likely to become a bigger problem in future, as attackers -- especially APT groups -- look to use these tactics to make attacks more difficult to detect and trace.

Tools like Metasploit and Mimikatz have legitimate purposes but can be used maliciously, and using the same free code as many other attackers makes locating a specific perpetrator much more difficult.

"It's just going to become increasingly challenging to detect these tools as they're shared, edited and changed -- it's a big challenge going forward," says Eitzman.

That's not to say hacking groups are going to be turning their backs on custom-built malware, but the availability of potent free tools that can be exploited for malicious purposes adds another string to the attacker's bow. "Criminals have always used what they can get their hands on," says Doman.

However, these attacks aren't a cheat that allows attackers to play the hacking game on easy mode -- those using these tools have been detected, and in some cases have faced the consequences of their actions.

And crucially, these attacks can be detected and stopped -- or even protected against outright -- if organisations have a tight grasp on what's going on in their network.

"Businesses need system administrators who know their network well, who know what's running on those machines and know the network well, and be able to identify files and behavior which shouldn't be there," says Lipovsky.
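Putting that advice into practice, as an added example that is not taken from the article or from ESET: compare a snapshot of running processes against an approved-software baseline by file hash rather than file name, so that a dual-use tool renamed to look like a system binary, or an approved binary launched from a user-writable path, still stands out. The baseline, the snapshot, the paths and the byte strings standing in for executables are all constructed for the example.

```python
"""Baseline-diff a process snapshot to surface things that shouldn't be there.

Added example, not from the original article or from any vendor. It assumes a
constructed approved-software baseline and a constructed process snapshot; the
byte strings standing in for executables are placeholders, not real binaries.
Matching is done on SHA-256 of the file contents, never on the file name, so
renaming a tool buys the attacker nothing.
"""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executables. In a real deployment the baseline is
# built from the hashes of the installed, approved software on a known-clean host.
BINARIES = {
    "svchost": b"placeholder bytes for the real svchost",
    "backup_agent": b"placeholder bytes for the approved backup agent",
    "dual_use_tool": b"placeholder bytes for a freely downloadable admin/attack tool",
}

# hash -> path the approved binary is expected to run from
BASELINE = {
    sha256(BINARIES["svchost"]): r"C:\Windows\System32\svchost.exe",
    sha256(BINARIES["backup_agent"]): r"C:\Program Files\Backup\agent.exe",
}

# Hashes of tools that are legitimate in an admin's hands but should never
# appear unannounced; the label is what the analyst sees.
DUAL_USE = {
    sha256(BINARIES["dual_use_tool"]): "known dual-use post-exploitation tool",
}

# Constructed snapshot: (pid, image path, executable contents)
SNAPSHOT = [
    (412, r"C:\Windows\System32\svchost.exe", BINARIES["svchost"]),
    (1380, r"C:\Program Files\Backup\agent.exe", BINARIES["backup_agent"]),
    (2044, r"C:\Users\Public\svchost.exe", BINARIES["dual_use_tool"]),  # renamed tool
    (2210, r"C:\Users\bob\AppData\Local\Temp\update.exe", b"placeholder unknown bytes"),
    (3000, r"C:\Users\Public\agent.exe", BINARIES["backup_agent"]),  # good file, bad place
]


def triage(snapshot, baseline=BASELINE, dual_use=DUAL_USE):
    """Return [(pid, path, verdict)] for processes that deserve a second look.

    Order of checks matters: a known dual-use tool is reported as such even if
    someone has added it to the baseline by mistake; anything else is judged on
    whether its hash is approved and whether it runs from the approved path.
    """
    findings = []
    for pid, path, content in snapshot:
        digest = sha256(content)
        if digest in dual_use:
            findings.append((pid, path, dual_use[digest]))
        elif digest not in baseline:
            findings.append((pid, path, "not in approved baseline"))
        elif baseline[digest].lower() != path.lower():
            findings.append(
                (pid, path,
                 f"approved binary running from unexpected path (expected {baseline[digest]})")
            )
    return findings


if __name__ == "__main__":
    for pid, path, verdict in triage(SNAPSHOT):
        print(f"pid {pid:>5}  {path}\n           {verdict}")
```

The three findings are the three things the quote asks an administrator to recognise: a tool that does not belong on the machine, a file nobody approved, and a known-good program behaving unusually. On a real fleet the baseline comes from an inventory of installed software and the snapshot from the endpoint agent or a scheduled process listing; the comparison logic stays the same.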
