5 June 2019

Threat actors create Frankenstein campaign using unrelated free tools

Cisco Talos has spotted a coordinated series of cyber attacks, spanning January to April 2019, that infected victims with malware designed to harvest credentials. What makes this campaign interesting is that its malicious tools were built from freely available, unrelated components, which is why the security researchers named the operation "Frankenstein".

The Frankenstein campaign operators used the following open source components to build their malicious tools:

  • An article to detect when your sample is being run in a VM

  • A GitHub project that leverages MSbuild to execute a PowerShell command

  • A component of GitHub project called "Fruityc2" to build a stager

  • A GitHub project called "PowerShell Empire" for their agents

The researchers believe that the operators of the Frankenstein campaign are moderately sophisticated and highly resourceful. Open source tools were chosen not only because they are free and readily available, but also because they let the attackers improve their operational security and make the malicious activity harder to detect, whereas custom tools leave unique traces that can be linked back to the tools' developers.

The attackers behind the Frankenstein campaign use various anti-detection techniques, including checking for running programs such as Process Explorer and checking whether the infected machine is actually a virtual machine environment.

“The threat actors also took additional steps to only respond to GET requests that contained predefined fields, such as a non-existent user-agent string, a session cookie, and a particular directory on the domain. The threat actors also used different types of encryption in order to protect data in transit”, said the researchers.

To compromise victims' computers, the attackers used two attack vectors, both involving the distribution of trojanized Microsoft Word documents via email. In the first case, the malicious document downloads a remote template from an attacker-controlled website; the template is designed to run arbitrary code on the victim's machine using a Microsoft Office memory corruption vulnerability, SB2017111412 (CVE-2017-11882), and to gain persistence on the system as a scheduled task named "WinUpdate".
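The persistence artifact described above (a scheduled task named "WinUpdate") and the MSBuild-to-PowerShell component from the tools list give a defender two concrete things to hunt for. The following is an added triage script, not code from the original article or from Cisco Talos: it parses the verbose CSV produced by `schtasks /query /fo CSV /v` (the "TaskName", "Task To Run" and "Run As User" column names are assumed from that command's output) and flags tasks whose name matches the reported artifact or whose action launches MSBuild or PowerShell. The sample CSV is constructed for the example and does not come from a real host.

```python
import csv
import io
import re

# Patterns are assumptions for this added example: the article only reports a
# task named "WinUpdate" and the use of MSBuild to run PowerShell.
SUSPECT_NAME = re.compile(r"\\?winupdate$", re.IGNORECASE)
LOLBIN = re.compile(r"\b(msbuild|powershell|pwsh)(\.exe)?\b", re.IGNORECASE)


def triage_schtasks_csv(csv_text):
    """Parse `schtasks /query /fo CSV /v` output and return findings for tasks
    that resemble the Frankenstein persistence artifact."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row.get("TaskName", "")
        action = row.get("Task To Run", "")
        reasons = []
        if SUSPECT_NAME.search(name):
            reasons.append("task name matches reported 'WinUpdate' artifact")
        if LOLBIN.search(action):
            reasons.append("task action runs MSBuild/PowerShell")
        if reasons:
            findings.append({"task": name, "action": action,
                             "run_as": row.get("Run As User", ""),
                             "reasons": reasons})
    return findings


# Constructed sample output (two tasks on a hypothetical host "WS01").
SAMPLE_CSV = '''"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run","Start In","Comment","Scheduled Task State","Idle Time","Power Management","Run As User"
"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready","Interactive/Background","N/A","0","Microsoft","%windir%\\system32\\defrag.exe -c -h -g","N/A","Defragments volumes","Enabled","Disabled","Stop On Battery Mode","SYSTEM"
"WS01","\\WinUpdate","6/5/2019 10:00:00 AM","Ready","Interactive only","N/A","0","WS01\\alice","C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe C:\\Users\\alice\\AppData\\Local\\Temp\\update.xml","N/A","N/A","Enabled","Disabled","Stop On Battery Mode","WS01\\alice"
'''

if __name__ == "__main__":
    for finding in triage_schtasks_csv(SAMPLE_CSV):
        print(finding["task"], "->", finding["action"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

On a real host, export the task list with `schtasks /query /fo CSV /v > tasks.csv` and feed the file contents to `triage_schtasks_csv`; a hit on the name alone is worth checking because legitimate update tasks live under \Microsoft\Windows, not at the root of the task library.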

The second attack vector is another trojanized Word document that requires the target to enable macros. The macro launches a Visual Basic script that checks for anti-malware analysis tools; if any are present and running on the system, the script stops execution.

After checking the host machine, the malware gathers information such as the username, the machine name, the public IP address, the user privileges, the running processes, the OS version, and the SHA256 HMAC, and sends the stolen data to the C2 server using AES-CBC encrypted communication.

More detailed technical analysis of the campaign and Indicators of Compromise (IoCs) are available in Cisco Talos’ blog.
