Deceptively simple espionage hacking campaign impresses researchers

A new espionage hacking campaign is impressing researchers with malware that amounts to a bundle of popular, legitimate software tools that would pique no suspicion from network administrators. 

Antivirus firm Bitdefender says the campaign it is calling Netrepser has infected at least 500 computers from international political targets and has been around for at least a year.

Rather than use vulnerabilities in software and sneaky tactics to install and perform tasks like cracking passwords, archiving files to send back to the attacker and securely deleting files, Netrepser downloads freeware that lets authorized users do those same tasks. Those include password recovery tools designed by the firm NirSoft to aid users who've forgotten their own passwords, the secure file delete program SDelete and the compression software WinRAR. 

"An administrator would see suspicious activity coming from these tools and think users were running them on their own," Bogdan Botezatu, Bitdefender senior e-threat analyst, told The Hill. 

Often, the groups using malware for intelligence purposes are called advanced persistent threats (APTs) and given identification numbers. The suspected Russian groups that hacked the Democratic National Committee, often referred to as Fancy Bear and Cozy Bear, were APTs 28 and 29. Though the email sent to reporters announcing the discovery of Netrepser refers to it as an APT, Botezatu questions whether the term really applies.  

Advanced attacks, he notes, usually refer to attacks that require substantial research, reams of proprietary software or clever ways to exploit previously undiscovered vulnerabilities in software. The vulnerabilities alone can go for hundreds of thousands of dollars on quasi-legal markets that cater to intelligence agencies.

"It is not far from the truth," he said. "When I think about labeling this advanced malware, I'd label it advanced not because it has a half-a-million dollar exploit built in, but because it manages to fulfill a job and stay undetected without needing that.

"The average cost of this malware is a couple of coffees and a couple of boxes of pizza for the programmers." 

Bitdefender did not release much information about the victims of the attacks. However, the examples it gave suggest the attacks are aimed at Russian-speaking targets: the lure documents are written in Cyrillic and were sent from a Yandex email address. Yandex is a Russian company akin to Google. 

Hackers that use tools users already installed on systems rather than malware are said to be "living off the land." It's popular because it is hard to attribute and hard to detect. Botezatu said that part of the elegance of this malware is how hard it is for researchers to attribute to a specific attacker. Anyone with access to the world — effectively anyone with access to the internet — could be behind the attacks. 

The malware installs itself using a feature in Microsoft Word called a macro that allows documents to run commands. Macros have been used in attacks for decades. 
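The defensive counterpart to the two preceding points (a macro that spawns a shell, and legitimate tools that an administrator would dismiss as user activity) is that the tools themselves are not the signal; their ancestry is. The following is an added illustration, not code from the article or from Bitdefender: it triages constructed process-creation records, in the style of Sysmon event ID 1, by walking each process's parent chain. A shell started by a Word process, or a dual-use tool (SDelete, WinRAR, a NirSoft utility) with an Office application anywhere in its ancestry, is treated differently from the same tool launched from an administrator's own console. The event data, user names, paths and the use of WebBrowserPassView.exe as the NirSoft tool name are all assumptions made for the sample; the temp-directory check is a general heuristic, not something the article states about this campaign.

```python
"""Toy ancestry-based triage of process-creation records (Sysmon event ID 1 style).

Every event below is constructed for illustration. The NirSoft executable name
(WebBrowserPassView.exe) is an assumed example of such a tool, not taken from the article.
"""
from __future__ import annotations
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Dual-use tools named in the article: secure delete, archiver, password recovery.
DUAL_USE_TOOLS = {"sdelete.exe", "rar.exe", "winrar.exe", "webbrowserpassview.exe"}


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    user: str
    image: str          # full path of the executable that was started
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(by_pid: dict[int, ProcessEvent], pid: int) -> list[str]:
    """Image names from the process itself up to the oldest ancestor we hold a record for."""
    chain: list[str] = []
    seen: set[int] = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def classify(by_pid: dict[int, ProcessEvent], ev: ProcessEvent) -> list[str]:
    """Return zero or more finding tags for one process-creation event."""
    chain = ancestry(by_pid, ev.pid)
    image, ancestors = chain[0], chain[1:]
    findings: list[str] = []

    # A document viewer has no business launching a shell: the usual sign of a macro firing.
    if image in SCRIPT_HOSTS and ancestors and ancestors[0] in OFFICE_APPS:
        findings.append("office-app-spawned-script-host")

    if image in DUAL_USE_TOOLS:
        if any(a in OFFICE_APPS for a in ancestors):
            # The tool is legitimate, but nothing legitimate starts it from a Word document.
            findings.append("dual-use-tool-under-office-document")
        else:
            # Same tool run interactively: plausible admin use, worth a look, not an alert.
            findings.append("dual-use-tool-interactive")
        # General heuristic (assumed, not from the article): admin tools normally live in
        # fixed install paths, not in a user's temp directory.
        if "/appdata/local/temp/" in ev.image.replace("\\", "/").lower():
            findings.append("dual-use-tool-from-temp-dir")
    return findings


def triage(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map each flagged pid to its findings; processes with no findings are omitted."""
    by_pid = {e.pid: e for e in events}
    result: dict[int, list[str]] = {}
    for e in events:
        findings = classify(by_pid, e)
        if findings:
            result[e.pid] = findings
    return result


# Constructed sample: alice opens a lure document whose macro runs a shell that
# launches tools from her temp directory; bob, an admin, runs SDelete from his own console.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, "CORP\\alice", r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(200, 100, "CORP\\alice", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invite.doc"'),
    ProcessEvent(300, 200, "CORP\\alice", r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "%TEMP%\run.bat"'),
    ProcessEvent(400, 300, "CORP\\alice", r"C:\Users\alice\AppData\Local\Temp\sdelete.exe",
                 r"sdelete.exe -accepteula -p 3 C:\Users\alice\AppData\Local\Temp\staging"),
    ProcessEvent(410, 300, "CORP\\alice", r"C:\Users\alice\AppData\Local\Temp\WebBrowserPassView.exe",
                 "WebBrowserPassView.exe"),
    ProcessEvent(500, 1, "CORP\\bob", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcessEvent(600, 500, "CORP\\bob", r"C:\Tools\sdelete.exe", r"sdelete.exe -accepteula C:\old.log"),
]

if __name__ == "__main__":
    for pid, tags in triage(SAMPLE_EVENTS).items():
        print(pid, tags)
```

Run against the sample, the shell under WINWORD.EXE (pid 300) and both tools beneath it (pids 400 and 410) are flagged with an Office ancestor, while bob's SDelete run (pid 600) only gets the low-priority interactive tag. The point of the design is that a rule keyed on tool names alone would rank all three SDelete-style launches the same, which is exactly the blind spot the campaign relies on; keying on the parent chain separates a macro-driven launch from an administrator's own session without needing a signature for the tools.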

Botezatu sees the Netrepser attacks as new evidence that hackers, including those with intelligence agendas, are moving away from proprietary techniques to openly available ones that can't be traced to a target. 

"We've reached a stage in the evolution of malware when commoditization is paying off better than sophistication," he said.