This past year has seen an unprecedented wave of cyberattacks, some of which caused a US gas shortage, shut down a major food supplier, and left countless businesses crippled in a devastating supply chain attack. According to its latest Threat Insights Report, HP Security finds that cybercriminals are getting more organized by communicating through dark web forums, and said there has been “a boom in monetization and hacking tools.”
Hacking Tool Downloads on the Rise
As cybercrime continues to evolve, there are more opportunities for lower-level criminals to connect with bigger players within organized crime, researchers said. Likewise, there are more opportunities for hackers to download advanced tools that can break through businesses’ defenses and breach their systems — ransomware being a favorite among both high and low-ranking cybercriminals.
There has been a 65 percent increase in downloads of hacking tools from underground forums and filesharing websites between the second half of 2020 and the first half of 2021, the report said. Security researchers described some tools as “surprisingly capable,” noting one can solve CAPTCHA challenges and perform credential stuffing attacks against websites.
The organization of criminal elements on the dark web and the availability of pirated hacking tools has led to some startling trends.
With hackers getting more and more organized, companies, agencies, and other networks are more at risk than ever. While software-as-a-service (SaaS) is a legitimate business model, ransomware-as-a-service (RaaS) operates in the underworld. Hackers can buy a subscription to ransomware code and other tools with Bitcoin or other cryptocurrencies instead of downloading or engineering their own.
Lower-level cybercrooks who have spotted vulnerabilities or gained access to a business’s system are selling that information or access to criminal organizations, the report said.
“We’re seeing hackers adapt their techniques to drive greater monetization, selling access on to organized criminal groups so they can launch more sophisticated attacks against organizations,” HP malware analyst Alex Holland said in a statement. “We see infostealers distributing malware operated by organized criminal groups – who tend to favor ransomware to monetize their access.”
Other Key Findings from HP Security:
Holland also said that cybercriminals are bypassing detection tools by changing up their techniques. Malware is also being distributed in more uncommon file types to avoid detection by anti-virus scanners. How are hackers reeling in their victims? Through “the same old phishing tricks” — scams that involve business transactions and opportunities that trick users into clicking malicious links.
Here’s a breakdown of other findings during HP Wolf Security’s analysis of customer devices from January through June 2021:
- Method of infection: Email accounted for 75% of malware infections, while web downloads were 25%. Threats downloaded using web browsers rose by 24% from the second half of last year; this increase was largely due to users downloading hacking tools and cryptocurrency mining software, the report said.
- Most common email phishing baits: Invoices and business transactions represented 49% of phishing lures, replies to intercepted email threads were 15%, and mentions of COVID-19 were 1%. Covid mentions dropped 77% between the second half of 2020 and the first half of 2021.
- Most common types of malicious attachments: Archive files accounted for 29% of attachments, spreadsheets 23%, documents 19%, and executable files 19%. Unusual archive file types – such as JAR (Java Archive files) – are being used to avoid detection and scanning tools, and install malware that’s easily obtained in underground marketplaces.
- New malware: Researchers found 34% of malware captured was previously unknown.
Other threats worth noting from HP Security:
- Cybercriminal collaboration can lead to bigger attacks against victims: Security analysts found that Dridex malware affiliates (RaaS affiliates) are selling access to breached organizations to other hackers, so they can distribute ransomware. There was a noticeable drop in Emotet malware infections, and Dridex was isolated more than any other malware during the period of research.
- Data thieves are delivering nastier malware: CryptBot malware has long been used to steal credentials from cryptocurrency wallets and web browsers. It’s now being used to deliver DanaBot – a banking trojan operated by organized crime groups.
- Business executives targeted: A multi-stage Visual Basic Script (VBS) campaign is sharing malicious ZIP attachments named after the executive it’s targeting. It releases a stealthy VBS downloader before using legitimate system administration tools to persist on devices and deliver malware.
- Job applications targeted: A résumé-themed malicious spam campaign targeted shipping, maritime, logistics, and related companies in the US, UK, Chile, Japan, Pakistan, Italy, and the Philippines. The campaign exploited a Microsoft Office vulnerability to deploy the Remcos RAT (Remote Access Trojan) to gain backdoor access to infected computers.
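Two of the findings above concern the shape of the attachment rather than its contents: uncommon archive types such as JAR slipping past scanners, and ZIP files that carry a VBS downloader. The following Python example, added here and not taken from HP's report, shows how a mail-gateway triage step can classify archive attachments by what they contain rather than by their file extension. The sample archives are constructed in memory and are not real campaign files.

```python
import io
import zipfile

# Member extensions a defender would not expect inside a mailed archive.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".exe", ".scr")
ZIP_MAGIC = b"PK\x03\x04"  # local file header of a non-empty ZIP/JAR


def describe_archive(name: str, data: bytes) -> dict:
    """Inspect a ZIP-family attachment (ZIP or JAR) by content, not by extension."""
    result = {"name": name, "is_zip": data.startswith(ZIP_MAGIC), "is_jar": False,
              "script_members": [], "suspicious": False}
    if not result["is_zip"]:
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.namelist()
    # A JAR is a ZIP with a manifest and/or Java class files, whatever the extension says.
    result["is_jar"] = any(m == "META-INF/MANIFEST.MF" or m.endswith(".class") for m in members)
    # Script or executable members inside a ZIP are the pattern behind the VBS campaign above.
    result["script_members"] = [m for m in members if m.lower().endswith(SCRIPT_EXTENSIONS)]
    result["suspicious"] = result["is_jar"] or bool(result["script_members"])
    return result


def build_sample(members: dict) -> bytes:
    """Constructed sample attachment: build an in-memory ZIP from {member_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed samples mirroring the report's descriptions (hypothetical names, harmless bodies).
SAMPLES = {
    "Q2_invoice.zip": build_sample({"invoice.pdf": b"%PDF-1.4 harmless placeholder"}),
    "JaneDoe_CEO.zip": build_sample({"JaneDoe_CEO.vbs": b"' placeholder, not a real script"}),
    "statement.zip": build_sample({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                                   "loader/Main.class": b"\xca\xfe\xba\xbe"}),
}


def triage(samples: dict) -> list:
    """Return one verdict dict per attachment; a gateway would quarantine the suspicious ones."""
    return [describe_archive(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for verdict in triage(SAMPLES):
        print(verdict)
```

The third sample is flagged as a JAR even though it is named `.zip`, which is the point: extension allow-lists alone do not catch the uncommon archive types the report describes.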