Hackers Increasingly Use Open-Source Tools for Attacks
At the Virus Bulletin conference, analysts from Intezer Labs shared insights on which freely available tools, including open-source software, are most frequently abused by hackers. These tools can include various applications, libraries, exploits, and more. Most often, they are proof-of-concept exploits for vulnerabilities published by cybersecurity experts or publicly available penetration testing utilities.
The existence of such tools has long been a controversial topic within the cybersecurity community. On one hand, they help security professionals test and harden systems and networks against potential attacks. On the other hand, they let malicious actors cut the time and cost of developing their own tooling and help them blend their activity in with legitimate security testing and penetration tests.
According to Intezer Labs, debates on this topic are usually based on personal experience and beliefs rather than real data. To address this, the company collected data on 129 open-source “offensive” tools and cross-referenced it with malware samples and published reports from other researchers to determine how widely these tools are actually used by attackers. The results were compiled into an interactive map.
It turns out that open-source and publicly available tools are actively used by all kinds of malicious actors, from well-known government-backed hacking groups to small-time scammers. Many tools and libraries originally developed by security researchers are now regularly used for cybercrime.
“We found that the most popular are libraries for memory injection and RAT (Remote Access Trojan) tools. The most popular memory injection tool is the ReflectiveDllInjection library, followed by MemoryModule. Among RAT tools, the most popular are Empire, PowerSploit, and Quasar,” Intezer Labs reported.
They also noted that Mimikatz is most often used for lateral movement, while the UACME library is commonly used to bypass User Account Control (UAC). Asian hacker groups tend to prefer Win7Elevate, likely due to the high number of Windows 7 installations in the region.
Interestingly, credential-stealing tools are not as popular among criminals. Researchers believe this is because similar solutions with broader functionality are readily available on the black market and hacker forums.
Additionally, Intezer Labs observed that criminals rarely use tools with complex features that require deep technical understanding, even if those tools offer clear advantages. Therefore, the company suggests that security experts who plan to publish “offensive” hacking tools should consider intentionally making their code more complex to make it harder for malicious actors to use.