Hackers Used Modified Reverse Tunneling Tool in Cyberattacks

Cybersecurity experts have discovered an interesting case of an attack in which hackers used specially developed tools common among APT groups.

According to experts from the company Security Joes, the attack was committed on one of the companies in the gambling industry. Cybercriminals used a combination of specially designed and easily accessible open source tools. The most notable examples are a modified version of the Ligolo reverse tunneling utility and a special tool for dumping credentials from LSASS.

Initial access was obtained through compromised SSL VPN credentials of employees, followed by a scan for administrators, RDP bruteforce attacks and the collection of credentials.

Subsequent steps included gaining access to additional computer systems with high privileges, deploying special proxy tunneling for secure communication, and installing Cobalt Strike beacons.

Although in this case, the attackers did not have the opportunity to move further, the next step could be the deployment of the ransomware payload.

The criminals also used the Sockbot utility, written in the GoLang programming language and based on the open source Ligolo reverse tunneling tool.

Special attention should be paid to the lsassDumper user tool, also written in GoLang, used by hackers for automatic exfiltration from the LSASS process to the service transfer.sh . According to experts, this is the first time lsassDumper has been detected in real attacks.

Finally, the criminals used the freely available ADFind tool for network reconnaissance and collecting information from Active Directory.