6 ways hackers hide their tracks

CISOs have an array of ever-improving tools to help spot and stop malicious activity: network monitoring tools, virus scanners, software composition analysis (SCA) tools, digital forensics and incident response (DFIR) solutions, and more.

But of course, cybersecurity is an ongoing battle between attack and defense, and the attackers continue to pose novel challenges.

Older techniques, such as steganography—the art of hiding information including malicious payloads in otherwise benign files, such as images—are evolving, leading to new possibilities. For example, recently a researcher demonstrated even Twitter wasn’t immune to steganography, and images on the platform could be abused to pack ZIP archives of up to 3MB within them.

However, in my own research, I have noticed that in addition to using obfuscation, steganography, and malware packing techniques, threat actors today frequently take advantage of legitimate services, platforms, protocols, and tools to conduct their activities. This lets them blend in with traffic or activity that may look “clean” to human analysts and machines alike.

Here are five tactics cybercriminals are using to cover their tracks today.

Abusing trusted platforms that won’t raise alarms

This was a common theme seen by security professionals in 2020 that has crept into this year.

From penetration testing services and tools such as Cobalt Strike and Ngrok, to established open-source code ecosystems like GitHub, to image and text sites like Imgur and Pastebin, attackers have targeted a wide array of trusted platforms in just the past few years.

Typically, Ngrok is used by ethical hackers interested in collecting data or setting up mock tunnels for inbound connections as a part of bug bounty exercises or pen-testing engagements. But malicious actors have abused Ngrok to directly install botnet malware, or connect a legitimate communications service to a malicious server. In a more recent example, Xavier Mertens at SANS Institute spotted one such malware sample written in Python that contained base64-encoded code to plant a backdoor on the infected system that used Ngrok.

Because Ngrok is widely trusted, the remote attacker could connect to the infected system via an Ngrok tunnel, which will likely bypass corporate firewalls or NAT protections.

GitHub has also been abused to host malware from Octopus Scanner to Gitpaste-12. Recently, crafty attackers abused GitHub and Imgur combined using an open-source PowerShell script that made it possible for them to host a simple script on GitHub that calculates Cobalt Strike payload from a benign Imgur photo. Cobalt Strike is a popular pen-testing framework to simulate advanced real-world cyberattacks, but like any security software product, it can be misused by adversaries.

Likewise, automation tools that developers rely on are not immune to being exploited.

In April, attackers abused GitHub Actions to target hundreds of repositories in an automated attack that used GitHub’s server and resources for cryptocurrency mining. 

These examples show why attackers find value in targeting legitimate platforms that many firewalls and security monitoring tools may not block.

Upstream attacks that capitalize on a brand value, reputation or popularity

Software supply chain security concerns may have gained public attention following the recent SolarWinds breach, but these attacks have been on the rise for some time.

Whether in the form of typosquatting, brandjacking or dependency confusion (which initially came to light as a proof-of-concept research but was later abused for malicious purposes), “upstream” attacks exploit trust within known partner ecosystems and capitalize on the popularity or reputation of a brand or software component. The attackers aim to push malicious code upstream to a trusted codebase associated with a brand, which then gets distributed downstream to the ultimate target: that brand’s partners, customers, or users.

Any system that is open to everyone is also open to adversaries. So, many supply chain attacks target open-source ecosystems, some of which have lax validation in place to uphold the “open to all” principle. However, commercial organizations are also subject to these attacks.

In a recent case that some have likened to the SolarWinds incident, software testing company Codecov disclosed an attack against its Bash Uploader script that had gone undetected for over two months.

Codecov’s 29,000-plus clients include some prominent global brand names. In this attack, the uploader used by the company’s clients was altered to exfiltrate the system’s environment variables (keys, credentials, and tokens) to the attacker’s IP address.

Protecting against supply chain attacks requires action on multiple fronts. Software providers will need to step up investment in keeping their development builds safe. AI and ML-based devops solutions capable of automatically detecting and blocking suspicious software components can help prevent typosquatting, brandjacking and dependency confusion attacks.

Additionally, as more companies adopt Kubernetes or Docker containers to deploy their applications, container security solutions that have a built-in web application firewall and are capable of spotting simple misconfiguration errors early can help prevent a bigger compromise.

Funnelling cryptocurrency payments via hard-to-trace methods

Darknet marketplace sellers and ransomware operators frequently deal in cryptocurrency, given its decentralized and privacy-minded design.

But, although not minted or controlled by government central banks, cryptocurrency still lacks the same level of anonymity as cash.

Cybercriminals therefore find innovative ways to siphon funds between accounts.

Most recently, over $760 million worth of Bitcoin linked to the 2016 Bitfinex hack were moved to new accounts in multiple, smaller transactions—in amounts ranging from 1 BTC to 1,200 BTC.

Cryptocurrency isn’t a completely foolproof way of hiding a money trail. On the night of the 2020 U.S. Presidential election, the U.S. government emptied out a $1 billion Bitcoin wallet which contained funds linked to the most notorious darknet marketplace, Silk Road, which itself had been shut down in 2013.

Some other cryptocurrencies like Monero (XMR) and Zcash (ZEC) have more extensive privacy-preserving abilities than Bitcoin for anonymizing transactions. The back-and-forth between criminals and investigators will no doubt continue on this front as attackers keep looking for better ways to hide their tracks.

Using common channels and protocols

Like trusted platforms and brands, encrypted channels, ports, and protocols used by legitimate applications provide another way for attackers to mask their footsteps.

For example, HTTPS is a universally indispensable protocol for the Web today, and for that reason, port 443 (used by HTTPS/SSL) is very hard to block in a corporate environment.

However, DNS over HTTPS (DoH)—a protocol for resolving domains—also uses port 443, and has been abused by malware authors to transmit their command-and-control (C2) commands to infected systems.

There are two aspects to this problem. First, by abusing a commonly used protocol like HTTPS or DoH, attackers enjoy the same privacy benefits of end-to-end encrypted channels as legitimate users do.

Second, this poses difficulties for network administrators. Blocking DNS in any form itself poses a challenge, but now, given the DNS requests and responses are encrypted over HTTPS, it becomes a nuisance for security professionals to intercept, single out, and analyze the suspicious traffic from many HTTPS requests moving inbound and outbound through the network.

Researcher Alex Birsan, who demonstrated the dependency confusion technique to ethically hack into more than 35 big technology firms, was able to maximize his success rate by using DNS (port 53) to exfiltrate basic information. Birsan chose DNS because of the high likelihood of corporate firewalls not blocking DNS traffic, due to performance requirements and legitimate DNS uses.

Using signed binaries to run obfuscated malware

The familiar concept of fileless malware using living-off-the-land binaries (LOLBINs) remains a valid evasion technique.

LOLBINs refer to legitimate, digitally signed executables, such as Windows executables signed by Microsoft, that can be misused by attackers to launch malicious code with elevated privileges, or to evade endpoint security products such as antivirus.

Last month, Microsoft shared some guidance on defensive techniques that enterprises can adopt to prevent attackers from abusing Microsoft’s Azure LOLBINs.

In another example, a recently discovered Linux and macOS malware I analyzed had a perfect zero-detection rate among all leading antivirus products.

The binary did contain obfuscated code, which aided in evasion. However, further investigation also revealed the malware was built using hundreds of legitimate open-source components and conducted its malicious activities, such as gaining administrative privileges, in ways identical to how legitimate applications would do so.

While obfuscated malware, runtime packers, VM evasion, or hiding malicious payload in images are known evasive techniques used by advanced threats, their true power comes from bypassing security products, or flying under their radar.

And this is made possible when payloads are combined to some degree with trusted software components, protocols, channels, services or platforms.

Coding malware in uncommon programming languages

According to a recent report from the BlackBerry Research and Intelligence team, malware authors are making more use of uncommon programming languages to, in part, better evade detection. The main languages used were Go, D, Nim and Rust.

These languages add obfuscation in a couple of ways. First, rewriting malware in a new language means that signature-based detection tools will no longer flag it (at least until new signatures are created). Second, the Blackberry researchers said the languages themselves act as an obfuscation layer. For example, first-stage malware used to decode, load and deploy other common malware is written in an uncommon language, and this can help evade detection on the endpoint.

The Blackberry researchers noted that there are currently few custom obfuscations for malware written in these languages. One of the most common is Gobfuscate for malware coded with Go. It is capable of manipulating package, function, type, and method names, as well as global variables and strings.

Editor’s note: This article, originally published on May 18, 2021, has been updated to include information on malware authors using uncommon programming languages.