Recent reports have brought to light a concerning trend in cybersecurity: threat actors are exploiting script kiddies, or amateur hackers, to carry out malicious activities. Specifically, these threat actors are targeting users of a tool called OpenBullet, which is commonly used by web application testers and security professionals.
OpenBullet is an open-source security testing tool that allows users to perform simple repetitive tasks or even complex attacks with the help of a configuration file. These configuration files are created by skilled hackers and are often shared, traded, or sold to cybercriminals. The complexity of these files can range from a single line of code to hundreds of lines, making it challenging for novice hackers to comprehend.
One incident involving OpenBullet recently caught the attention of cybersecurity experts. A Telegram channel was found to be distributing a maliciously coded configuration file designed for credential stuffing and account takeover attacks. Researchers who analyzed the file discovered that it included code to bypass Google’s reCAPTCHA and contained several functions, one of which referenced a COOKIE variable.
Further investigation revealed that the function written in the configuration file concatenated the COOKIE variable to form a Pastebin URL that redirected to a GitHub URL hosting a repository called GetChromeUpdates. OpenBullet then retrieved a binary file from this repository, which turned out to be a chromedriver.exe file.
The chromedriver.exe file replaced the Selenium WebDriver that OpenBullet normally uses. Once the replacement was in place, OpenBullet started a new session that downloaded two payloads, named Ocean and Patent, from the same GitHub repository.
Ocean was the downloaded script, while Patent was a Python-based executable compiled from Python 3.11 without any obfuscation. These scripts then downloaded malware from a repository called Telegram-RAT, which contained Python-based malware that communicated with its command and control server through telebot.
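The chain described above, a URL assembled from split string constants, a Pastebin redirect to GitHub and an overwritten chromedriver.exe, lends itself to a simple static check of config files before they are run. The scanner below is an added example, not code from the Kasada report or the OpenBullet project; the simplified LoliScript-like syntax of the constructed sample and the placeholder paste id are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of a config fragment in a simplified, LoliScript-like syntax.
# The syntax and the placeholder paste id are assumptions for illustration only,
# not the file analysed in the Kasada report.
SAMPLE_CONFIG = '''
FUNCTION Constant "https://paste" -> VAR "COOKIE"
FUNCTION Constant "bin.com/raw/PLACEHOLDER" -> VAR "TAIL"
FUNCTION Constant "<COOKIE><TAIL>" -> VAR "URL"
REQUEST GET "<URL>" -> FILE "chromedriver.exe"
'''

# Hosts the reported chain used to stage payloads (Pastebin redirecting to GitHub).
STAGING_HOSTS = ("pastebin.com", "github.com", "raw.githubusercontent.com")
# Files a config has no business overwriting inside the OpenBullet install.
PROTECTED_FILES = ("chromedriver.exe",)

ASSIGN_RE = re.compile(r'FUNCTION Constant "(?P<value>[^"]*)" -> VAR "(?P<name>\w+)"')
REQUEST_RE = re.compile(r'REQUEST \w+ "(?P<url>[^"]*)"(?: -> FILE "(?P<file>[^"]*)")?')
VAR_RE = re.compile(r"<(\w+)>")


def resolve(value: str, variables: Dict[str, str], depth: int = 0) -> str:
    """Expand <VAR> references recursively; the depth limit stops self-referencing loops."""
    if depth > 10:
        return value
    return VAR_RE.sub(lambda m: resolve(variables.get(m.group(1), m.group(0)), variables, depth + 1), value)


def scan_config(text: str) -> List[str]:
    """Return findings for one config; an empty list means nothing was flagged."""
    variables = {m["name"]: m["value"] for m in ASSIGN_RE.finditer(text)}
    findings: List[str] = []
    for m in REQUEST_RE.finditer(text):
        raw_url, url = m["url"], resolve(m["url"], variables)
        host = re.sub(r"^https?://", "", url).split("/")[0].lower()
        if host in STAGING_HOSTS:
            findings.append(f"request to staging host {host}: {url}")
        # A destination that no single constant spells out was split to hide it.
        if url != raw_url and not any(host in v.lower() for v in variables.values()):
            findings.append(f"download host {host} split across string constants")
        target = (m["file"] or "").lower()
        if target in PROTECTED_FILES:
            findings.append(f"request overwrites protected file {target}")
        elif target.endswith(".exe"):
            findings.append(f"request writes executable {target}")
    return findings
```

Run `scan_config` over each config before loading it; the sample above yields three findings, and a config that only requests a login page yields none.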
The Kasada Threat Intelligence team has published a comprehensive report detailing the methods, mechanisms, and code used by these threat actors. This report provides valuable insights into the tactics employed by cybercriminals and underscores the importance of remaining vigilant against evolving threats in the digital landscape.
As the cybersecurity landscape continues to evolve, it is crucial for individuals and organizations to stay informed about the latest trends and developments. By following trusted sources of cybersecurity news on Google News, LinkedIn, Twitter, and Facebook, individuals can stay up to date on emerging threats and take the necessary steps to protect their systems and data.
In conclusion, the exploitation of OpenBullet by threat actors to manipulate script kiddies and carry out malicious activities is a concerning development. The sophisticated nature of the configuration files used in these attacks highlights the need for continued awareness and vigilance in the face of evolving cyber threats. By staying informed and adopting robust cybersecurity measures, individuals and organizations can better protect themselves against these malicious actors.