Governments across the globe have been targeted by a new malware network that experts say has redefined the way hackers launch cyberespionage campaigns. Dubbed Netrepser, the attacks use a variety of infiltration techniques to steal sensitive data. Researchers also noted that, unlike other cyberespionage campaigns, this one does not rely on custom malware; instead, the attackers behind it have been repurposing freely available tools to mount their attacks.
Cyberspies operating Netrepser first began launching attacks in May 2016, according to researchers at Bitdefender. The hackers reused freeware tools and built the Netrepser malware network around features such as keylogging, file stealing and password theft.
The Bitdefender researchers said nearly 500 computers in organisations across the globe have been infected by Netrepser. The researchers described the campaign as "a complex, targeted malware framework that, unlike a military-grade APT, is 'stitched together' with freeware utilities to carry a complex job through to completion".
"Netrepser is the perfect example of a very advanced espionage tool used to target a number of high-profile institutions and exfiltrate information in a novel way," the researchers said.
"The approach the team behind Netrepser took is extremely unusual for an espionage campaign: they play the simplicity card to better blend in with the environment, even at the cost of triggering alarms," the researchers added.
This technique has likely been adopted by hackers because it lets them reuse tools that are inexpensive, already tested and easy to obtain. The freeware tools also lack distinctive features, which makes it simpler to conduct the attacks under the radar.
"These tools don't have artifacts or other distinctive elements that would help forensic examiners trace it back to a threat actor," Bogdan Botezatu, senior e-threat analyst at Bitdefender, told ZDNet.
"This attack relies on the fact that the open source tools, even if they got flagged by the local security solutions, would trigger low non-critical alerts, similar to the ones triggered by aggressive adware, for instance," Botezatu told SC Magazine. "They are labelled as potentially-unwanted products, not as malware."
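The detection problem Botezatu describes is that each freeware tool on its own only raises a low, potentially-unwanted-program alert. One defensive response is to correlate those low alerts per host: a single PUA detection is noise, but keylogging, password-recovery and file-collection detections landing on the same machine within a short window match the tool mix described above. The script below is an added example, not Bitdefender's code; the detection names, the alert-line format and the sample alerts are all constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Map of AV detection names to the capability each freeware tool provides.
# Names are constructed placeholders, not real signature names.
CAPABILITY = {
    "PUA.KeyCapture": "keylogging",
    "PUA.PassRecover": "password_theft",
    "PUA.FileGrab": "file_theft",
}

# Constructed sample alert lines: "<iso time> <host> <severity> <detection>"
SAMPLE_ALERTS = """\
2016-05-10T09:01:00 ws-17 low PUA.KeyCapture
2016-05-10T09:04:30 ws-17 low PUA.PassRecover
2016-05-10T09:30:00 ws-17 low PUA.FileGrab
2016-05-10T10:00:00 ws-22 low PUA.PassRecover
2016-05-11T08:00:00 ws-05 low PUA.KeyCapture
2016-05-12T08:00:00 ws-05 low PUA.FileGrab
"""

def parse_alerts(text):
    """Parse alert lines into (time, host, severity, detection) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, sev, det = line.split()
        events.append((datetime.fromisoformat(ts), host, sev, det))
    return events

def escalate_hosts(events, window=timedelta(hours=1), min_capabilities=2):
    """Return {host: sorted capabilities} for hosts where low-severity PUA
    detections covering several distinct capabilities land within `window`."""
    by_host = defaultdict(list)
    for ts, host, sev, det in events:
        if sev == "low" and det in CAPABILITY:
            by_host[host].append((ts, CAPABILITY[det]))
    flagged = {}
    for host, hits in by_host.items():
        hits.sort()  # chronological, so each start anchors a sliding window
        for i, (start, _) in enumerate(hits):
            caps = {cap for ts, cap in hits[i:] if ts - start <= window}
            if len(caps) >= min_capabilities:
                flagged[host] = sorted(caps)
                break
    return flagged

if __name__ == "__main__":
    print(escalate_hosts(parse_alerts(SAMPLE_ALERTS)))
```

With the sample data only ws-17 is escalated: ws-22 has a single detection and ws-05's two detections are a day apart, outside the default one-hour window.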