BlackBerry Blog

What Are Today’s Top Cyber Weapons?

Which cyber weapons are threat actors using most often to attack organizations? They include a mix of malware, backdoors, infostealers, and more. Some uses of these tools are blurring the lines between financially motivated cybercriminals and nation-state threat actors.

Infostealers, for example, have long been used by cybercrime-focused initial access brokers (IABs) to gain a foothold within networks. However, nation-state-linked actors are increasingly adopting this approach, as well.

These are just a few of the insights derived from a new Global Threat Intelligence Report produced by the BlackBerry Threat Research and Intelligence Team. The report is based on the team’s analysis of the 90-day period between December 2022 and February 2023.

Notable Cyberattack Weapons

The BlackBerry team calls out several frequently used cyber weapons, based on its analysis of more than 1.5 million cyberattacks blocked by CylanceENDPOINT™ and on monitoring of open-source intelligence (OSINT). Here are detailed descriptions of the weapons of choice that various threat actors used most recently.

APT28/Sofacy Malware

APT28, also known as Sofacy, is a highly skilled and well-resourced cyber-espionage group believed to operate on behalf of the Russian government. Active since at least 2007, the group targets a wide range of sectors, including government, military, defense contractors, and energy companies. APT28 has been associated with various APT campaigns, including Operation Pawn Storm and Operation Sofacy. The group uses a range of custom-built and publicly available malware, including X-Agent (the group itself is also tracked under the names Sednit and Sofacy), Komplex, and Zebrocy, and has been known to use spear phishing and social engineering tactics to gain initial access to its targets.

Tsunami/Linux Backdoor

The Tsunami Linux backdoor is commonly used to gain remote access to compromised machines. Some specific groups are associated with Tsunami (such as TeamTNT), but it is also used by other cybercriminals. Once installed, this malware allows attackers to execute arbitrary commands, upload and download files, and run shell scripts on the infected system.

XOR DDoS Linux Malware

First discovered in 2014, XOR DDoS is a Linux Trojan known for its ability to launch sophisticated multi-vector distributed denial-of-service (DDoS) attacks. XOR DDoS infects systems by brute-forcing weak or default login credentials, or by exploiting vulnerabilities in outdated software. Once installed, the malware connects to command-and-control (C2) infrastructure, through which the operators coordinate the botnet of infected machines and launch DDoS attacks. Various cybercriminals have used XOR DDoS to orchestrate targeted attacks on servers and websites, and the malware is part of a growing trend targeting IoT devices, especially those running on Linux®.
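The initial-access pattern described above (a run of failed password logins followed by a success from the same source) is visible in ordinary sshd authentication logs. The following detector is an added example, not code from the BlackBerry report: it parses constructed syslog-format sshd lines and flags any source address whose successful password login was preceded by at least a threshold number of failures within a sliding window. The addresses, hostnames and timestamps are invented for the sample.

```python
"""Flag brute-force-then-success SSH logins, the credential-guessing initial
access described for XOR DDoS. Added example; sample log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in OpenSSH syslog format (documentation-range addresses).
SAMPLE_LOG = """\
Jan 12 03:14:01 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 41022 ssh2
Jan 12 03:14:03 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 41030 ssh2
Jan 12 03:14:05 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 41041 ssh2
Jan 12 03:14:07 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 41052 ssh2
Jan 12 03:14:09 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 41060 ssh2
Jan 12 03:14:11 web01 sshd[2212]: Accepted password for root from 203.0.113.9 port 41071 ssh2
Jan 12 03:20:00 web01 sshd[2300]: Accepted publickey for deploy from 198.51.100.7 port 50000 ssh2
Jan 12 03:21:00 web01 sshd[2301]: Failed password for root from 192.0.2.44 port 60000 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(line, year=2023):
    """Return (timestamp, result, method, user, ip) or None for non-auth lines.
    Syslog omits the year, so the caller supplies it (assumed 2023 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["method"], m["user"], m["ip"]


def find_bruteforce_success(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return [(ip, user, failures_before_success, success_time)] for every
    password login that followed >= threshold failures from the same IP
    inside the window. Key-based logins are ignored: guessing does not
    apply to them, and counting them would only add noise."""
    failures = defaultdict(list)
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, method, user, ip = rec
        # Keep only failures that are still inside the sliding window.
        failures[ip] = [t for t in failures[ip] if ts - t <= window]
        if result == "Failed":
            failures[ip].append(ts)
        elif method == "password" and len(failures[ip]) >= threshold:
            hits.append((ip, user, len(failures[ip]), ts))
            failures[ip].clear()
    return hits


if __name__ == "__main__":
    for ip, user, n, when in find_bruteforce_success(SAMPLE_LOG):
        print(f"{when:%H:%M:%S} {ip}: {n} failures then password success as {user}")
```

In the sample, only 203.0.113.9 trips the rule: five failures in eight seconds and then a successful root password login. The key-based login from 198.51.100.7 and the single failure from 192.0.2.44 are not reported. In a real deployment the threshold and window should be tuned to the host's normal failure rate, and a hit is a prompt to check for a new persistent process or outbound C2 connection, since by the time the success line is written the attacker already has a shell.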

PlugX RAT

PlugX is a remote access trojan (RAT) that allows an attacker to gain control of an infected system and conduct a range of malicious activities, including exfiltrating sensitive data and monitoring user activity. Attackers often use PlugX in conjunction with other malware, such as keyloggers and ransomware, to extend what they can do on an infected system. PlugX is noted for stealth capabilities that make it challenging to detect and remove. The malware spreads through multiple methods, including phishing emails, drive-by downloads (in which programs are installed without the user's consent), and exploitation of software vulnerabilities. Once the malware infects a system, it establishes a connection to a remote C2 server, enabling the attacker to control the infected system remotely.

PlugX has been used by multiple threat actors over the years, including APT10, APT17, and APT27, all of which are widely believed to be state-sponsored hacking groups. Groups tracked as Emissary Panda (an alias of APT27) and Deep Panda, both likewise assessed to be state-sponsored, and the KHRAT campaign (named for its own remote access trojan) have also employed the malware. PlugX has been used in targeted attacks against government agencies, defense contractors, and businesses operating in various sectors, such as healthcare, finance, and technology.

Meterpreter Payloads

The BlackBerry Threat Research and Intelligence team discovered multiple intrusion attempts involving Meterpreter payloads. Meterpreter is a powerful post-exploitation tool that attackers use to gain control of compromised systems and execute arbitrary commands. Meterpreter payloads are often associated with cybercrime and adversary-simulation tooling and have also been observed in nation-state-sponsored attacks. Because Cobalt Strike and Meterpreter are used by both camps, their presence alone does little to distinguish cybercrime from state-sponsored activity. Meterpreter is used by diverse threat groups including APT41, FIN6, FIN7, FIN10, FIN11, GCMAN, MuddyWater, Silence, and Turla.

RedLine Infostealer

Cybercriminals frequently deploy the RedLine infostealer to harvest valuable information, such as saved credentials, from compromised systems. This malware was observed in many attacks during the study period and is not attributed to a specific threat actor. Beyond data theft, the tool is commonly used to obtain initial access to networks, which is then sold through IAB services and underground marketplaces. Successful RedLine-facilitated breaches are frequently followed by further attacks (such as ransomware) that amplify the impact of the initial intrusion.

The threat landscape continues to evolve as new attacks and tools are developed and adopted by threat actors. This fluid and fast-changing situation is why contextualized cyber threat intelligence (CTI) is becoming so valuable to defenders.

To learn more about the BlackBerry team’s analysis, read the Global Threat Intelligence Report. And consider CylanceINTELLIGENCE™, a contextual and actionable CTI subscription service that can help your organization prevent, hunt, and respond to sophisticated threats.

Bhaavika Khanijow

About Bhaavika Khanijow

Bhaavika Khanijow is a Marketing Communications Editorial Intern at BlackBerry.