Dark Utilities C2 as a service tool leverages IPFS, targets multiple operating systems
A new command and control as a service allows cybercriminals to easily control victim computers and execute cryptocurrency mining, DDoS attacks, and provide full access to systems.
Some highly skilled cybercriminals have decided to produce different services which they sell to less skilled peers. Opening the door for newbie cybercriminals to carry out fraudulent operations on the Internet and scam people or steal money from them.
Many ‘as a service’ products have appeared in the cybercriminal underground, so today almost anyone willing to jump on the cybercriminal bandwagon could do so, provided they had enough upfront money. to purchase such services.
C2 as a service
Cisco Talos has published new research on a new platform dubbed “Dark Utilities” by its author. This platform was launched in early 2022 and its goal is to provide complete command and control (C2) capabilities to cybercriminals for $10.30 (9.99 euros), which is a very low cost. The platform has about 3,000 users, which represents about $30,951 (30,000 euros) in revenue for the people behind the service.
Dark Utilities Abilities
Dark Utilities provides several features (Figure A).
Dark Utilities provides code that must be executed on a target’s system, which means the attacker must already have compromised the system and have access to it. The documentation provided by the platform provides guidance for performing reconnaissance and identifying/exploiting vulnerabilities to infect servers that can be added to Dark Utilities. Of course, it is possible for an attacker without special skills to purchase access to compromised systems from the cybercrime underground and use Dark Utilities with it.
Once executed, the payload registers the service and establishes a C2 communication channel.
Two types of Distributed Denial of Service (DDoS) attacks are possible using Dark Utilities: Layer 4, which supports TCP/UDP/ICMP network protocols, as well as some other protocols specifically designed for multiple platforms -gaming forms such as Teamspeak3, Fivem, Gmod, Valve and some video games.
Layer 7 type supports GET/POST/HEAD/PATCH/PUT/DELETE/OPTIONS/CONNECT methods (Figure B).
A cryptocurrency mining feature is also available in Dark Utilities. It’s quite simple, as it only allows Monero cryptocurrency mining and only asks for the Monero wallet address of cybercriminals to work (Figure C).
Dark Utilities also provides a way to issue commands to multiple systems in a distributed manner and provides a Discord input tool (Figure D).
Dark Utilities Panel
The Dark Utilities platform makes heavy use of Discord. It is used for user authentication before providing a dashboard to the user. It displays basic statistics such as server health and latency (Figure E).
A manager administration panel is also provided to manage all compromised machines belonging to the botnet (Figure F).
SEE: Mobile Device Security Policy (TechRepublic Premium)
To successfully register a newly compromised machine, a payload must be generated and deployed to the victim’s computer.
The current version of Dark Utilities allows attackers to launch payloads on several different operating systems: Linux, Windows, and Python-based implementation. The platform also supports ARM64 and ARMV71 architectures, which they describe as useful for targeting embedded devices such as routers, phones, and Internet of Things (IoT) devices.
Yet one of the more advanced aspects of Dark Utilities is hosting these payloads, as they are actually stored in the Interplanetary File System (IPFS), which TechRepublic recently wrote about. IPFS is a distributed peer-to-peer network that works without the need to install a client application. IPFS files are accessible through IPFS gateways and make it very difficult to delete data. It is considered “bulletproof hosting” because the only way to remove this data from the internet is to remove it from every gateway that shares it.
Talos researchers mention that they “have observed adversaries increasingly using this infrastructure for hosting and fetching payloads” and it appears skilled cybercriminals will increasingly use this technology to store their malicious content. , whether phishing pages or malware payloads.
Who is behind Dark Utilities?
The “inplex-sys” moniker seems to handle Dark Utilities, but there’s no indication that this character is actually developing the platform. According to Talos, the character does not have a long history in the cybercriminal underground space and limits its activities to messaging/bot platforms such as Telegram and Discord. Additionally, Dark Utilities was announced within the Lapsus$ group shortly after its initial release.
The same moniker has also been used in the Steam video game storefront, Dark Utilities advertisement, and a few other scam tools aimed at carrying out spam attacks on Discord and Twitch platforms or administering servers.
SEE: Password Breach: Why Pop Culture and Passwords Don’t Mix (Free PDF) (TechRepublic)
How to protect against this threat?
Attackers using Dark Utilities must find a way to compromise computers themselves. Basic hygiene can avoid compromises:
- Keep operating systems and software always up-to-date and patched, to avoid running into common vulnerabilities.
- Deploy security tools on endpoints and servers and always keep them up to date.
- Run regular security audits and patch any vulnerabilities that may arise.
Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.