The use of legitimate Windows tools as part of malicious actors’ malware arsenal has become a common observation in cyber incursions in recent years. We’ve discussed such use in a previous article where PsExec, Windows Management Instrumentation (WMI), simple batch files or third-party tools such as PC Hunter and Process Hacker were used to disable endpoint security products, move laterally across networks, and exfiltrate information, among others. We have also extensively discussed legitimate tools that malicious actors weaponized for ransomware in 2021.
We uncovered two Python tools, Impacket and Responder, in our latest investigation. While the two are not new, they are nonetheless worth noting since both are normally used for penetration testing. Knowing that cybercriminals often upgrade their tactics, techniques, and procedures (TTPs) to broaden their scope and stay competitive, system defenders these days have come to expect attackers’ crafty use of legitimate tools for nefarious ends.
Impacket and Responder defined
SecureAuth, the developer of Impacket, defines it as a set of Python classes for working with network protocols. It offers low-level programmatic access to packets and, for some protocols (such as SMB and MSRPC), to the protocol implementation itself. It also provides tools that enable a user to accomplish remote execution, such as smbexec.py, which is meant for use when the target machine does not have an available writeable share.
Responder, on the other hand, is a Windows environment takeover tool that is widely used for internal penetration testing. According to MITRE ATT&CK®, the main purpose of this open-source tool is to “poison name services to gather hashes and credentials from systems within a local network.” Once the attackers poison the name services, Responder harvests the hashes and credentials. The tool is also used to poison LLMNR, NBT-NS, and MDNS, and it includes built-in HTTP, SMB, MSSQL, FTP, and LDAP rogue authentication servers supporting NTLMv1, NTLMv2/LMv2, Extended Security NTLMSSP, and basic HTTP authentication. Many consider it an essential penetration-testing tool.
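The following is an added example, not code from the original article or from the Responder or Impacket projects: a defender-side heuristic that flags a host answering LLMNR, NBT-NS, or mDNS queries for many different names, or for a name known not to exist, which is how a name-service poisoner behaves. The sample records, the `canary_names` input, and the `max_names` threshold are constructed assumptions.

```python
from collections import defaultdict

# UDP ports of the name services named above (well-known assignments).
NAME_SERVICE_PORTS = {5355: "LLMNR", 137: "NBT-NS", 5353: "mDNS"}

# Constructed host-name answers, not data from the investigation:
# (responder_ip, udp_port, name_answered_for)
SAMPLE_ANSWERS = [
    ("10.0.0.21", 5355, "fileserver01"),
    ("10.0.0.21", 137, "FILESERVER01"),
    ("10.0.0.21", 5353, "fileserver01.local"),
    ("10.0.0.66", 5355, "wpad"),
    ("10.0.0.66", 5355, "prnt-srv"),
    ("10.0.0.66", 137, "FILESRV1"),
    ("10.0.0.66", 5355, "zz-canary-7f3a"),
    ("10.0.0.34", 53, "example.test"),  # plain DNS, out of scope
]

def normalize(name):
    """Fold case and drop the mDNS suffix so one host maps to one name."""
    name = name.lower().rstrip(".")
    return name[:-len(".local")] if name.endswith(".local") else name

def find_suspected_poisoners(answers, canary_names=(), max_names=1):
    """Return {ip: [reasons]} for hosts whose answers look like poisoning.
    canary_names: names the defender knows do not exist (hypothetical input).
    max_names: assumed threshold; a normal host answers only for its own name.
    """
    canaries = {normalize(n) for n in canary_names}
    names, protocols = defaultdict(set), defaultdict(set)
    for ip, port, name in answers:
        if port in NAME_SERVICE_PORTS:
            names[ip].add(normalize(name))
            protocols[ip].add(NAME_SERVICE_PORTS[port])
    findings = {}
    for ip, seen in names.items():
        reasons = []
        if len(seen) > max_names:
            via = "/".join(sorted(protocols[ip]))
            reasons.append(f"answered for {len(seen)} distinct names via {via}")
        hits = sorted(seen & canaries)
        if hits:
            reasons.append("answered for canary name(s): " + ", ".join(hits))
        if reasons:
            findings[ip] = reasons
    return findings

if __name__ == "__main__":
    print(find_suspected_poisoners(SAMPLE_ANSWERS, ["zz-canary-7f3a"]))
```

The records are assumed to be host-name answers already extracted from packet captures or sensor logs; mDNS service-discovery answers would need to be filtered out first, since legitimate hosts answer for several service names.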
While there is more mention of Windows tools, Linux is just as vulnerable to such surreptitious methods. There is, in fact, a long list of Linux binaries that malicious actors can exploit “to break out restricted shells, escalate or maintain elevated privileges, transfer files, spawn bind and reverse shells, and facilitate other post-exploitation tasks.” Malicious actors inevitably vacillate between Windows and Linux nowadays as the use of cloud technology and the implementation of remote work continue to expand.
That Python runs on both Windows and Linux makes our findings significant. While organizations leverage the versatility of using both systems, this versatility is a double-edged sword in that it also provides more opportunities for cybercriminals to launch attacks, as we show in our findings.
Stages of investigation: Key findings
Since malicious actors stealthily employed legitimate tools in many stages of the attacks, detecting incursions from the samples we saw was tricky. The threat hunting team’s investigation was triggered by the following event, which was observed on multiple hosts: