Yet another new form of cyber-attacks was recently discovered, which uses the already available software tools. This attack doesn’t need to use malware, it relies on the tools that allow hackers to spy on their high-profile targets.
It’s discovered that hackers are repurposing freeware tools so that they could steal data. To achieve this, they’re using several techniques, including the ones called keylogging, password theft. file stealing and cookie theft. For now, they have only been targeting government agencies.
The attack is called ‘Netrepser’, which is a name given to it by a security company called Bitdefender. What is known so far is that it uses legitimate recovery tools and that more than 500 computers have been compromised through the use of this method.
It’s believed that these tools are used because they’re cheap, tested, ready for use and proven to work. Also, you don’t leave a trail by if you use them, which makes them practical when it comes to covering tracks as well.
The attack still comes via phishing emails, and it infiltrates the target’s computer. The email in question displays a fake message in which a discussion from ‘some time ago’ is referenced. The email, of course, has an attachment which is expected to be downloaded by the target and is named ‘Russia Partners Drafting guidelines (for directors’ discussion).doc’.
The instructions also say that macros must be enabled in order for the payload to be dropped, and then proceeds to explain how to do it.
Most of the antivirus software will eventually pick up on the threat, but they’ll label them as potentially unwanted, instead of giving the target a malware warning. This usually means that the target will ignore the warning and do nothing, while the attack continues to operate. This unusual labeling by the antivirus is due to the nature of the infected tools, and they’re only considered unwanted, instead of malware, which helps them bypass the alarms.
Through keylogging, the hacker can see and steal user’s login credentials. This can also allow hackers to monitor everything that’s done on the infected computer. They can even log into different places themselves and steal data from there. This all shows that Netrepser is much more than a simple commercial-grade tool.
The security researchers have managed to analyze the keylogger, and it revealed some valuable info, including the fact that the stolen logs are being sent to four different email addresses. Three of them are from a Russian domain, while one is a Gmail account.
The identity of the attacker, or the group of attackers, is not yet known, and neither is their location, nor place of origin. However, the three Russian emails do give us a clue about the attackers, but nothing is yet confirmed officially.