Open Source Tools Provide Low-cost Development Options for Cyber-criminals

Written by

The cybersecurity community benefits tremendously from the open source malware tools available today. These tools help researchers analyze exploits, enable teams to test defenses, and allow instructors to use real-world examples when training fledgling cybersecurity professionals.

Likewise, using open source tools to study malware trends not only enables researchers to track attacker intent and ability, but to also document behaviors over time, providing additional insight into identifying malware developers. 

Of course, tools openly available to researchers are also available to those with more malicious intent. A recent Fortinet Threat Landscape Report found that cyber adversaries are also increasingly turning their attention to open source malware tools, not for inspiration, but also to modify for criminal activities.

As with their legitimate business counterparts, cyber-criminal developers are driven by ROI economic models, so why build an attack from scratch when someone else has already done much of the hard work for you?

Open source tools hosted on sharing sites tend to be highly susceptible to being mutated into new attacks. Historically, ransomware is a favorite for these attackers, with perhaps the crowning achievement of this kind of malicious behavior being the Mirai IoT botnet. More than two years since its release, a proliferation of variants and activity continues to be catalogued.

The Sharing (Malware) Economy
Many tools are openly being shared to help deal with the security problems organizations face today. Here are several good examples of openware tools posted on websites such as GitHub that are being exploited:

  • Android Backdoor Malware – This is a shell script that makes adding a backdoor to any APK file easy. Clearly, are there many steps, from getting an unsigned application from a malicious attacker to a potential victim, but the tool itself was a proof of concept to showcase Android vulnerabilities. As we have learned from years of experience, while early versions of malware may be complicated, open code allows them to be refined and simplified over time.
  • Hidden Tear Ransomware – This project includes a descriptor to unlock all encrypted files. While this is a great proof of concept for both ransomware and encryption technologies that security professionals can use, it is also being used by script kiddies to infect victims and demand payment to unlock their files.
  • Retired Malware Remote Admin Trojan - Quasar – Though individuals may be using Quasar RAT as a legitimate administration tool instead of paying for a commercial products, this remote administration tool is being deployed in stealth mode, and security organizations are finding that it is now being used to distribute malware.
  • Windows Open Source Ransomware – Though this ransomware kit showcases communications over the Tor protocol, this in no way mean the author has any malicious intent. In fact, without the author’s contributions, many security professionals would be having a difficult time understanding how simple it can be for malicious actors to create ransomware. Unfortunately, this information is also being exploited for malicious purposes. While this particular proof of concept tools is now detected by many anti-virus programs, the data and code it contains could still be used as a starting point for someone with malicious intentions.

Opportunities for Young and Old
More experienced attackers can and do combine open source code with an evasion tool like the Veil-Framework—which is also open source—to repackage the code to try to bypass anti-malware. Of course, the attacker’s ability to easily access this malicious code can give them a head start on modifying and testing new versions with additional capabilities.
However, not all attack capabilities require advanced capabilities. While weaponizing some of these openware tools requires a degree of developer sophistication, many of the freely available malware tools can be repurposed quite easily. If a newbie wants to get into cybercrime and, for example, hold computers hostage for a ransom, it is not too difficult for them to exploit one of dozens of proof-of-concept ransomwares by making a few simple updates, such as changing the wallet address to send payments to, and they are ready to start attacking.

Detecting and Defeating Open Source Weapons
Cyber-criminals are all too eager to turn security systems intended for good into weapons that can circumvent security systems, evade detection, and deliver critical payloads. This happened with SSL/TLS encryption, and it is now happening with open source malware tools.

Adding to the challenge, cyber-criminals are finding ways to target unique targets, making it less likely that they have adequate security measures in place, enabling them to penetrate the attack surface quickly and propagate across the network with little resistance. 

This growing attack strategy brings yet another challenge to overwhelmed security teams who are trying to protect their expanding networks and resources against sophisticated attack approaches, many which quickly mutate.

Meeting this growing challenge, organizations must implement automation to enhance threat detection, deploy fully integrated security solutions that can share and respond to threat intelligence as a unified system, regardless of how widely distributed they are, and employ advanced threat protection—from sandboxing to threat intelligence—across the distributed network. 

This requires a consistent and integrated security strategy built around tools designed to operate as a single security fabric framework. By deploying a security strategy that dynamically spans today’s multi-ecosystem networks, leveraging real-time threat intelligence sources to make critical real-time decisions, and using automation and machine learning to take over time-consuming and menial tasks, IT security teams can stay ahead of the cyber threat curve with greater visibility across the network to better detect and respond to threats happening anywhere across the entire network surface.

What’s hot on Infosecurity Magazine?