(of course I cannot build comprehensive and complete lists in the various sections here;
however, this should give a good intro into what is possible and what is done out there)
(Overviews, Groups and Solutions)
Mimikatz – open-source software security tool can let attackers extract passwords from memory – on Windows systems. See more detail here.
Cahnadr – also known as Ndriver, is a kernel-mode payload that provides all the capabilities required by the user-mode modules, including anti-debugging, rootkit functionality, injecting modules into the services.exe process, network communications, and sniffing capabilities for various protocols – on Windows systems.
GollumApp – is the main user-mode module and it’s designed to manage other user-mode modules while constantly interacting with Cahnadr. It includes a wide range of spying-focused functionality that allows attackers to capture screenshots, log keystrokes, collect system and network data, harvest passwords, manipulate clipboard data, run new processes with SYSTEM privileges, and inject other malicious modules into a specified process. Since it can run in kernel mode, a feature typically present in sophisticated threats, the malware allows attackers to take full control of the infected machine – on Windows systems.
SlingShot – infects computers through compromised routers. Its first-stage loader replaces legitimate DLL files in Windows with malicious versions that have the exact same size. The malicious DLLs are loaded by the services.exe process, which has SYSTEM privileges. It attempts to evade detection by using various methods, including calling system services directly in an effort to bypass security product hooks, encrypting strings in its modules, and selectively injecting processes depending on what security product is present. Slingshot also employs some clever techniques when it comes to command and control (C&C) communications – the malware hides its traffic in legitimate communication protocols, keeping an eye out for packets that contain a special mark.
REMSEC – malware primarily designed for spying; contains a number of stealth features that help it to avoid detection. Several of its components are in the form of executable blobs (Binary Large Objects), which are more difficult for traditional antivirus software to detect. Much of the malware’s functionality is deployed over the network, meaning it resides only in a computer’s memory and is never stored on disk. It relies on a loader module, implemented as a fake Security Support Provider, to load files from the disk and execute them. The malware also includes three different backdoor modules (basic, advanced and HTTP) and a network listener. Similar to Flame (Flamer), a highly sophisticated cyber weapon that has been compared to Stuxnet and Duqu.
Flame (Flamer) – targeting systems in several countries, principally Iran (multiple ‘mass data losses’) and Israel (West Bank). Flame is a backdoor Trojan with worm-like features that allow it to propagate itself on local networks and removable media. When a system is infected, the malware begins a series of operations that range from taking screenshots to recording audio conversations and intercepting network traffic. The malware’s operators can also upload additional modules to expand Flame’s functionality. Flame shares many characteristics with the notorious cyber weapons Duqu and Stuxnet: while its features are different, the geography and careful targeting of attacks, coupled with the usage of specific software vulnerabilities, seem to put it alongside those familiar ‘super-weapons’ currently deployed in the Middle East. When all of its modules are installed, the malware is 20 MB in size, making it about 20 times larger than Stuxnet. It also contains code written in Lua, a programming language uncommon in the cyber underworld, suggesting its developers created it with the goal of maintaining the project over a long period of time – most likely along with a different set of individuals. The complexity of the code within this threat is on par with that seen in Stuxnet and Duqu, arguably the two most complex pieces of malware.
Regin – a backdoor-type Trojan whose structure displays a degree of technical competence rarely seen, indicating that a nation state is behind it (likely US and UK); used for persistent, long-term surveillance operations against targets; it opens a back door on an infected computer, can log keystrokes, and steal files. It is a multi-staged, modular threat and has a number of components, each depending on others, to perform attack operations. The cyber attack platform was built using a six-stage architecture, each stage of which is hidden and encrypted, with the exception of the first stage. Executing the first stage starts a domino chain of decryption and loading of each subsequent stage for a total of five stages. It is deployed by tricking victims into visiting spoofed versions of well-known websites or by exploiting an application. It includes several “stealth” features such as anti-forensics capabilities, a custom-built encrypted virtual file system (EVFS), and alternative encryption in the form of a variant of RC5. It also includes a setup that makes the Command and Control server very dynamic, essentially allowing the attackers to move the C&C server by the minute and hide their tracks.
HashCat – used to obtain a network’s Wi-Fi Protected Access (WPA) or Wi-Fi Protected Access II (WPA2) password; by Jens ‘Atom’ Steube, lead developer. It does not require capturing a full 4-way handshake of Extensible Authentication Protocol over LAN (EAPOL), but targets the Robust Secure Network Information Element (RSN IE). RSN is a protocol designed for establishing secure communications over an 802.11 wireless network and is part of the 802.11i (WPA) standard. When it begins to establish a secure communication channel, RSN broadcasts an RSN IE message across the network. One of the capabilities of RSN is PMKID (Pairwise Master Key Identifier), from which an attacker can obtain the WPA PSK (Pre-Shared Key) password. WPA PSK is used in the “Personal” version of WPA and is designed for home and small office networks.
hcxdumptool – small tool to capture packets from wlan devices. On GitHub.
Honeypot Buster – a unique tool that allows any Red Teamer to identify and avoid “Honey-*” traps. See more detail here.
Eternal Blue and Dark Pulsar – NSA malware spy tools, see more here.
IRAN: “The Leafminer” / RASPITE (ICS recon mainly in United States, Europe, Middle East, East Asia; no specific capabilities, copying DragonFly) – since 2017
Russia: ALLANITE (ICS recon in US and UK: uses standard spear phishing, website strategic takeover waterhole attacks, PowerShell scripts, THC Hydra, SecretsDump, Inveigh, PSExec) – since May 2017 – additional info
Russia: DragonFly (ICS recon and router infrastructure compromise in UK: uses standard spear phishing – résumés – with SMB attacks)
SlingShot (router infrastructure compromise in Middle East, Africa – since at least 2012: uses MikroTik exploits and others).
DYMALLOY (ICS recon in US: uses standard spear phishing, website strategic takeover waterhole attacks, and commodity malware backdoors including Goodor, DorShel, and Karagany) – since 2011 – additional info
Strider / ProjectSauron (targets mainly Russia, and also Iran, China, Sweden, Belgium; has successfully penetrated air-gapped networks; uses REMSEC) – since at least October 2011
xDedic – marketplace selling hacking tools, domains and credentials. Over 70,000 hacked servers were made available for purchase on xDedic, some for as low as just $6, before the marketplace operators closed the virtual shop on June 16. However, with roughly 30,000 users a month, the storefront was too popular to disappear for good, and intelligence firm Digital Shadows saw it re-emerge only a week later, this time as a Tor domain. Over 176,000 unique hacked servers were traded on xDedic between October 2014 and February 2016, and many more may have been traded since February. The hacked servers were located in 173 countries and came from 416 unique sellers. The prices for these servers ranged from $6 to $6,000, though only around 50 servers cost more than $50. It attracts in excess of 30,000 users a month.
Hidden Cobra = Lazarus Group – North Korea-linked threat actor. Considered the most serious threat to banks, the actor is believed to have orchestrated the $81 million heist from the Bangladesh bank. This year (2018), the group was said to have been involved in numerous attacks against financial institutions and banks and to have also shown interest in crypto-currencies. Tools the actor employs in attacks include malware such as Typeframe, Joanap and Brambul, Fallchill, the FASTCash schemes, and others. Additional info
GreyEnergy and Zebrocy (Sofacy, APT28, Fancy Bear, Pawn Storm, Sednit, Strontium) – Russia-linked cyberspy groups. See more in this post.