Threat Actors Build “Frankenstein” Campaign Using Open-Source Tools


Threat Actors Build “Frankenstein” Campaign Using Open-Source Tools (Jun 4, 2019)

Cisco Talos researchers have recently identified a series of credential-harvesting malware attacks spanning from January to April 2019. The campaign was named “Frankenstein,” referring to the actor’s ability to piece together and leverage four different open-source techniques to build the malicious tools. The campaign used components of an article to detect when a sample is being run in a VM, leverages MSbuild to execute a PowerShell command, uses “Fruityc2” to build a stager, and utilizes the GitHub project “PowerShell Empire” for their agents. As the Cisco Talos research team concluded, the use of open source and publicly available components for building the tools allowed the threat actors to avoid standing out, making it difficult for experts to attribute attacks to a particular actor.

Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from campaigns such as Frankenstein, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spear phishing and how to identify such attempts.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.