In a recent study, it has been found that hackers are now using legitimate internet services to hide their malicious activities within normal online traffic.
This tactic, referred to as “internet traffic hacking,” enables cybercriminals steal sensitive data and stay undetectable for long periods of time.
According to the report by Recorded Future’s Insikt Group, advanced persistent threat (APT) groups are leading the way in internet traffic hacking, and even less sophisticated attackers are catching on.
Following a comprehensive analysis of over 400 distinct malware families, researchers have uncovered intriguing insights into the methodologies employed by cybercriminals in executing internet traffic hacking campaigns.
The whole internet traffic hacking operation thrives on legitimate internet services (LIS) — 25% use LIS as part of their setup, and 68.5% use more than one LIS platform for different purposes.
Internet traffic hacking: Exploiting legitimate Internet services (LIS)
Among these threat actors carrying out internet traffic hacking attacks, those specializing in stealing data, like info stealers, were the most likely to use LIS, making up 37% of the cases.
This preference for LIS is because their main goal is to steal data, which doesn’t require complex infrastructure and is easier for less skilled attackers to set up.
The use of LIS comes in four different schemes, each tailored to the specific needs of different types of malware.
For example, info stealers that use LIS mostly do it for data theft (72%), while many loaders (71%) use LIS to deliver their malicious payloads.
Looking at the types of LIS platforms favored by attackers, researchers found that cloud storage services like Google Drive were the most commonly exploited, with 43 malware families involved.
Messaging apps like Telegram and Discord were also commonly exploited, with 30 and 14 malware families using them, respectively.
Telegram was the top target for LIS abuse among messaging platforms, accounting for 66.7% of cases, while Discord was 27.8%.
Notably, info stealers were the main culprits when it came to abusing Telegram (87.5%) and Discord (80%).
While exact numbers are hard to come by, there are signs that internet traffic hacking is becoming more common in cyber threats.
The gradual adoption of these tactics by established malware groups, the increasing use of LIS by newer strains, and the rapid innovation in APT group strategies all point to a rise in internet traffic hacking.
Analyzing internet traffic hacking: How hackers use different LIS hacking strategies
In the exploration of attackers’ exploitation of LIS (Legitimate Internet Services) and their execution of internet traffic hacking attacks, researchers have identified four primary strategic categories, which frequently intermingle to create hybrid methodologies.
This approach helps hacker groups to hinder detection and carry out their plans hiding behind legitimate internet service provides.
These categories encompass full C2 (Command and Control) tactics involving the use of intermediary platforms like GitHub or Mastodon for communication between attackers and malware.
Dead Drop Resolving (DDR) techniques, reminiscent of traditional intelligence practices, entail malware retrieving its C2 server address from a web service, often concealed through encryption and encoding.
Additionally, payload delivery exploits LIS for dispersing malicious payloads, leveraging the accessibility and wide adoption of these services, such as cloud storage platforms and messaging apps.
Lastly, LIS is also exploited for data exfiltration, with attackers employing services possessing data writing capabilities, including publicly accessible APIs and email services, to transmit sensitive information illicitly.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
