Hackers are reusing free online tools as part of their cyberespionage campaigns

New hacking campaign doesn't rely on malware to infiltrate organisations, but instead repurposes readily available software tools.
Written by Danny Palmer, Senior Writer

Image caption: An unknown cyberespionage group is targeting organisations across the globe. (Image: iStock)

A new form of cyberattack has set its sights on high-profile targets across the globe, enabling its perpetrators to conduct espionage and steal data by using readily available software tools, thus removing the need to deploy advanced malware.

Cyberattackers have been discovered repurposing freeware tools to steal information, using techniques including keylogging, file stealing, and password and cookie theft. Their efforts so far have focused on government agencies.

Dubbed 'Netrepser' by researchers at security company Bitdefender, the name combines a shortened version of the 'internet repair' commands seen in the command-and-control URLs ('NetRep') with the name the JavaScript component uses to schedule tasks, 'Core Service', shortened to 'Ser'.

The attackers are using legitimate recovery tools, and researchers believe at least 500 computers in target organisations across the globe have been compromised in this way.

Researchers say hackers are using these tools because they're inexpensive, readily available, and have been tested and proven to work. Additionally, they lack the distinctive elements that would allow forensic examiners to trace the origin of the threat.

"These tools don't have artifacts or other distinctive elements that would help forensic examiners trace it back to a threat actor," said Bogdan Botezatu, senior e-threat analyst at Bitdefender.

Like many other forms of cyberattack, Netrepser infiltrates targets with phishing emails containing a malicious attachment.

The fake message references discussions 'some time ago' and invites the target to open an attachment named, 'Russia Partners Drafting guidelines (for directors' discussion).doc'. The payload will only be dropped if the user enables macros, and the attachment contains step-by-step instructions on how to do so.
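The lure described above only delivers its payload once the recipient enables macros, so a mail gateway that flags macro-carrying Word attachments before they reach the inbox removes the step the attack depends on. The following check is an added example, not code from the article or from Bitdefender: it inspects an attachment's raw bytes and reports whether it is an OOXML document bundling `word/vbaProject.bin` or a legacy OLE2 `.doc` whose directory contains a `_VBA_PROJECT` stream. The sample attachments it is run against are constructed inline (the OLE sample is a minimal stand-in, not a real document), and the function names are the example's own.

```python
import io
import zipfile

# Every OLE2 compound file (legacy .doc/.xls) starts with this 8-byte signature.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# OLE directory entry names are stored as UTF-16LE; a VBA project always has
# a "_VBA_PROJECT" stream, so its encoded name is a reliable marker.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def has_vba_macros(data: bytes) -> bool:
    """Return True if a Word attachment (OOXML or legacy OLE2) carries a VBA project."""
    if data[:2] == b"PK":  # OOXML (.docx/.docm) is a zip container
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    if data[:8] == OLE_MAGIC:  # legacy binary .doc
        return OLE_VBA_MARKER in data
    return False


def triage_attachment(filename: str, data: bytes) -> str:
    """Gateway verdict: quarantine macro-bearing Office attachments, pass the rest."""
    if has_vba_macros(data):
        return f"quarantine: {filename} contains VBA macros"
    return f"allow: {filename}"


def build_ooxml(with_vba: bool) -> bytes:
    """Constructed sample: a minimal zip shaped like a Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed stand-in for a macro-enabled legacy .doc: OLE signature, padding,
# then the UTF-16LE stream name that a real VBA project directory would hold.
SAMPLE_DOC = OLE_MAGIC + b"\x00" * 504 + OLE_VBA_MARKER

if __name__ == "__main__":
    print(triage_attachment("Russia Partners Drafting guidelines.doc", SAMPLE_DOC))
    print(triage_attachment("minutes.docx", build_ooxml(with_vba=False)))
```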

While the payload is ultimately detected by antivirus solutions, the significance of the attack is downplayed, with the software labelled as potentially unwanted rather than as a form of malware, meaning that many will ignore warnings and allow Netrepser to perform its malicious deeds.

Because these tools are considered to be 'potentially unwanted applications', rather than malware, they are unlikely to ring alarm bells. "A system administrator seeing an alert from the antivirus about a PUA tool will have little to nothing to worry about," said Botezatu.

Once active on the system, Netrepser drops its JavaScript payload, which recruits the compromised computer into a botnet that connects to a command-and-control server. The attackers then use that server to distribute instructions for a variety of malicious ends, including file exfiltration and keylogging.

The keylogger allows the attackers to monitor login credentials and passwords, providing them with access to the systems and accounts the user logs into from the infected machine.

Not only does this allow the attackers to stealthily monitor everything done on the machine, it also provides them with the credentials required to log in themselves and make off with confidential or sensitive information.

"Even though the Netrepser malware uses free tools and utilities to carry various jobs to completion, the technical complexity of the attack, as well as the targets attacked, suggest that Netrepser is more than a commercial-grade tool," Bitdefender said.

Analysis of the keylogger by cybersecurity researchers suggests some of the stolen logs are sent to four email addresses: one Gmail account and three from a Russian domain.

While researchers haven't yet managed to officially attribute who is carrying out these attacks, nor where they're coming from, the fact the initial attack email is sent from a .ru address might be a clue as to the geolocation of the actors behind Netrepser.
