5 June 2019

Threat actors create Frankenstein campaign using unrelated free tools

Cisco Talos has spotted a coordinated series of cyber attacks, spanning January to April 2019, that infected victims with malware designed to harvest credentials. What is notable about this campaign is that its malicious tools were built from freely available, unrelated components, which is why the security researchers named the operation “Frankenstein”.

The Frankenstein campaign operators used the following open source components to build their malicious tools:

  • An article to detect when your sample is being run in a VM

  • A GitHub project that leverages MSbuild to execute a PowerShell command

  • A component of GitHub project called "Fruityc2" to build a stager

  • A GitHub project called "PowerShell Empire" for their agents

The researchers believe that the operators of the Frankenstein campaign are moderately sophisticated and highly resourceful. They use open source tools not only because these are free and readily available, but also because they improve the attackers' operational security and make the malicious activity harder to detect, whereas custom tools leave unique traces that allow researchers to link them to the tools' developers.

The attackers behind the Frankenstein campaign use various anti-detection techniques, including checking for running analysis programs such as Process Explorer and checking whether the infected machine is actually a virtual machine.

“The threat actors also took additional steps to only respond to GET requests that contained predefined fields, such as a non-existent user-agent string, a session cookie, and a particular directory on the domain. The threat actors also used different types of encryption in order to protect data in transit,” said the researchers.

To compromise victims’ computers, the attackers used two attack vectors, both involving the distribution of trojanized Microsoft Word documents via email. In the first, the malicious document downloads a remote template from an attacker-controlled website; the template exploits a Microsoft Office memory corruption vulnerability, SB2017111412 (CVE-2017-11882), to run arbitrary code on the victim's machine and gains persistence on the system as a scheduled task named "WinUpdate".
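As an added defender's example (not code from the Talos report or this article), the following Python hunt parses constructed `schtasks /query /fo csv /v` output and flags tasks showing the persistence traits described here: the reported task name "WinUpdate", an action that invokes MSBuild or PowerShell (the MSBuild-to-PowerShell chain the campaign relied on), or a payload in a user-writable directory. The column names are those schtasks emits; the sample rows, host name and paths are constructed.

```python
import csv
import io
import re

# Constructed sample of `schtasks /query /fo csv /v` output with the column
# set trimmed for brevity. The rows are invented for this example.
SAMPLE_SCHTASKS_CSV = r'''
"HostName","TaskName","Status","Author","Task To Run"
"WS01","\Microsoft\Windows\WindowsUpdate\Scheduled Start","Ready","Microsoft Corporation","%windir%\system32\sc.exe start wuauserv"
"WS01","\WinUpdate","Ready","WS01\alice","C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\alice\AppData\Local\Temp\update.xml"
"WS01","\Backup","Ready","WS01\alice","C:\Tools\backup.bat"
'''.strip("\n")

# Task name reported for the campaign's persistence (from the article).
SUSPICIOUS_TASK_NAMES = {"winupdate"}
# Living-off-the-land binaries the campaign chained to run its stager.
LOLBIN_PATTERN = re.compile(r"\b(msbuild\.exe|powershell\.exe)\b", re.IGNORECASE)
# Payloads dropped by phishing documents usually live under the user profile.
USER_PATH_PATTERN = re.compile(r"\\users\\|\\appdata\\|\\temp\\", re.IGNORECASE)


def hunt_scheduled_tasks(csv_text):
    """Return a list of (task_name, reasons) for tasks matching any trait."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # schtasks prefixes task names with their folder path, e.g. "\WinUpdate".
        name = row["TaskName"].strip("\\")
        action = row["Task To Run"]
        reasons = []
        if name.lower() in SUSPICIOUS_TASK_NAMES:
            reasons.append("task name matches reported IoC")
        if LOLBIN_PATTERN.search(action):
            reasons.append("action invokes MSBuild/PowerShell")
        if USER_PATH_PATTERN.search(action):
            reasons.append("action references a user-writable path")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for task, why in hunt_scheduled_tasks(SAMPLE_SCHTASKS_CSV):
        print(task, "->", "; ".join(why))
```

On a real host, pipe the output of `schtasks /query /fo csv /v` into `hunt_scheduled_tasks`; a legitimate Windows Update task lives under the `\Microsoft\Windows\WindowsUpdate\` folder, not at the root.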

The second attack vector is another trojanized Word document that requires the target to enable macros, which launches a Visual Basic script that checks for anti-malware analysis tools; if any are present and running on the system, the script stops executing.

After checking the host machine, the malware gathers information such as the username, machine name, public IP address, user privileges, running processes, OS version, and a SHA256 HMAC, and sends the collected data to the C2 server over AES-CBC encrypted communication.

More detailed technical analysis of the campaign and Indicators of Compromise (IoCs) are available in Cisco Talos’ blog.
