Appendix
Turning Tides
Navigating the Evolving World of Cybercrime
H1 2023 CRIMEWARE TRENDS AND HIGHLIGHTS
Post-exploit Toolsets
Agent Tesla: Agent Tesla is a sophisticated remote access trojan (RAT) designed to infiltrate and steal sensitive information from compromised computers. It excels at gathering a wide range of data, including keystrokes and login credentials from popular web browsers like Google Chrome and Mozilla Firefox, as well as email clients on infected machines.
AZORult: AZORult malware, also known as PuffStealer and Ruzalto, is an information and cryptocurrency stealing malware initially identified in 2016. While not as advanced as some other malware strains, it possesses initial and post-exploit access capabilities, including the ability to launch ransomware attacks through remote access. Initially developed in Delphi, it was later rewritten in C++ in 2019, and its user-friendly nature makes it accessible even to less experienced threat actors, who can easily configure and deploy attacks.
Babadeda: Babadeda is a recently emerged crypter that enables threat actors to encrypt and obfuscate malicious software. Its advanced obfuscation techniques make it highly effective at evading antivirus detection, resulting in a very low detection rate by antivirus engines, as highlighted by researchers' analysis.
BlueFox: BlueFox is an information-stealing malware based on the .NET framework, available for purchase on underground forums as a Malware-as-a-Service (MaaS). It specializes in stealing various types of sensitive information, with a particular focus on cryptocurrency wallets, as well as possessing file-grabbing and loading functionalities.
Brute Ratel: Brute Ratel is an adversarial attack simulation tool used by red teamers to deploy "Badgers," akin to the beacons found in Cobalt Strike, onto remote hosts. These Badgers establish connections with the attacker's Command and Control server, enabling the execution of commands and the transmission of the output of previously executed commands.
Cobalt Strike: Cobalt Strike is a commercial adversary simulation software primarily used by red teams for security testing. However, it has also been stolen, cracked, and used by various threat actors, ranging from ransomware operators to advanced persistent threats (APTs) focused on cyber espionage. It is a comprehensive framework encompassing numerous components and features, often seen in intrusions, making it difficult for network defenders to fully grasp its complex capabilities without firsthand experience.
Coinhive: Coinhive is a JavaScript library initially designed to enable website owners to mine cryptocurrency and generate revenue. However, it has been misused by cybercriminals who embedded it into browser extensions and bundled software downloads, resulting in crypto-jacking, where users' computer resources are exploited without their consent to mine cryptocurrency. This often causes significant performance issues such as high CPU and GPU usage, leading to system slowdowns or freezing.
DCRat: DCRat, also known as DarkCrystal RAT, is a Russian commercial backdoor that emerged in 2018 and was redesigned and re-released the following year. It is attributed to a single developer known by various pseudonyms such as "boldenis44," "crystal-coder," and "Кодер" ("Coder"). DCRat is notable for its affordability, sold primarily on Russian underground forums, with prices starting as low as 500 RUB (less than 5 GBP/US$6) for a two-month subscription. Its low cost has made it popular among both professional threat actors and less experienced individuals, colloquially known as script kiddies.
Emotet: Emotet is a notorious and highly sophisticated banking trojan that has evolved into a versatile and modular malware platform since its emergence in 2014. Initially designed as a banking credential stealer, Emotet has transformed into a multifunctional threat that can deliver other malware payloads, such as ransomware or credential stealers, to compromised systems. It primarily spreads through phishing emails containing malicious attachments or links. Once executed, Emotet establishes persistence on infected machines, harvests sensitive information, and further propagates itself across the network, targeting other connected devices. Emotet is known for its polymorphic nature, making it difficult to detect and defend against. It has been a significant global threat, impacting organizations, individuals, and critical infrastructure worldwide.
Expiro: Expiro is a malware that infects executable files on both 32-bit and 64-bit Windows operating systems. It can install browser extensions, modify security settings, and extract sensitive information, including account credentials, from the compromised system.
FlawedAmmyy RAT: FlawedAmmyy RAT is a Remote Access Trojan (RAT) that gained attention in 2016. This malware is a variant of the infamous Ammyy Admin software, a legitimate remote desktop tool. However, FlawedAmmyy RAT is a modified and malicious version that cybercriminals use to gain unauthorized remote access to and control over compromised systems. It spreads through phishing emails, malicious downloads, or compromised websites. Once installed, it allows attackers to perform various malicious activities, such as stealing sensitive information, executing commands, capturing screenshots, and controlling the victim's system.
FloodFix: Floxif, also known as FloodFix, is a file-infecting malware spreading within networks since 2012. It commonly arrives on endpoints through USB thumb drives and self-replicates by replacing eligible processes in memory with compromised binaries.
Gozi: Gozi malware, also known as Ursnif, is a powerful banking trojan that emerged in 2007 and has undergone several iterations. It is primarily designed to steal financial information, such as banking credentials and credit card details, from infected systems and has been responsible for numerous high-profile cybercrime campaigns worldwide.
Hancitor: Hancitor (also known as Chancitor) is a downloader active since 2016 when it was associated with distributing the Vawtrak information-stealing trojan. Over the years, it has been involved in various campaigns installing password-stealing malware such as Pony, Ficker, and, more recently, Cobalt Strike. Hancitor is commonly distributed through malicious spam campaigns disguised as DocuSign invoices.
IcedID: IcedID, also known as BokBot, is a potent banking and remote access trojan (RAT) that emerged in 2017. It relies on first-stage malware like Emotet for initial access and has comparable capabilities to sophisticated banking trojans, serving as both an information stealer and a dropper for second-stage malware, including ransomware.
Jupyter: Jupyter infostealer is a deceptive and modular malware that hides within legitimate installer packages and targets unsuspecting victims. It aims to steal sensitive information, such as browser credentials and cryptocurrency wallet data, and gain unauthorized access to remote systems, posing a significant threat to users' privacy and security.
Metasploit: Metasploit is a widely used open-source framework that enables the creation of a penetration testing environment, allowing users to develop, test, and execute exploits. Leveraged by both malicious actors and ethical hackers, Metasploit provides a comprehensive set of tools, including the well-known Meterpreter, for assessing vulnerabilities in networks and servers.
Mimikatz: Mimikatz is a versatile tool employed by both hackers and security professionals to extract valuable information, including passwords and credentials, from a system's memory. It is frequently utilized to gain unauthorized access to networks, systems, or applications and carry out malicious actions such as privilege escalation or lateral movement within a network. The specific usage of Mimikatz depends on the attacker's intentions and objectives.
Neshta: Neshta malware is an older file infector still active today. Neshta is known for infecting Windows executable files and spreading through unintentional downloads or other malware. It targets various industries, including manufacturing, finance, consumer goods, and energy, while achieving persistence by renaming itself and modifying the registry to run on each .exe file launch.
NetSupportRAT: NetSupportRAT (Remote Access Trojan) is a tool based on the legitimate software NetSupport Manager. Malicious actors often exploit NetSupport for unauthorized purposes, similar to TeamViewer. It grants complete control over the targeted device, enabling attackers to access and manipulate data, execute additional payloads, monitor screens in real time, and capture screenshots, audio, and video. Malicious versions of NetSupportRAT are frequently offered for sale or rent through underground marketplaces.
PoisonIvy: Poison Ivy is a well-known remote access trojan (RAT) first discovered in 2005 and associated with multiple high-profile cyberattacks. This trojan is designed for cyber espionage, allowing attackers to access compromised systems remotely, monitor victims, and steal credentials and files. It has spread through spearphishing emails containing malicious Word or PDF attachments.
QBot: QBot, also known as Qakbot, QuackBot, or Pinkslipbot, is a persistent and dangerous banking trojan that emerged in 2007 and remains a significant threat to organizations worldwide. It is designed to steal banking data, including credentials and personal information, but has evolved to incorporate new capabilities such as self-spreading, detection evasion, and the ability to install additional malware.
Quasar RAT: Quasar RAT is a popular and powerful Remote Access Trojan (RAT) that has been actively used since 2014. Developed in C#, Quasar RAT provides remote control capabilities over compromised systems. It allows attackers to perform various malicious activities, including executing commands, capturing screenshots, keylogging, and file manipulation. Quasar RAT is commonly delivered through phishing emails, exploit kits, or malicious downloads, and it has been associated with various cybercrime campaigns.
RedLine: RedLine is malware masquerading as cracked games, applications, and services. It operates as a stealer, extracting sensitive information from web browsers, cryptocurrency wallets, and various applications like FileZilla, Discord, Steam, Telegram, and VPN clients. Additionally, it collects data about the infected system, including running processes, antivirus software, installed programs, Windows product details, processor architecture, and more. This gathered information is then converted into XML format and sent to a Command and Control (C2) server via SOAP messages for exfiltration.
Smoke Loader: Smoke Loader is a malicious bot application notorious for its ability to load other types of malware. It has been observed in the wild since at least 2011 and has been associated with various payloads. Smoke Loader is well-known for its deceptive tactics and self-defense mechanisms, and it can incorporate multiple plug-ins to enhance its capabilities.
SocGholish: SocGholish is a malware family that utilizes deceptive techniques to gain initial access to victims' systems. It operates by disguising itself as software updates, typically delivered through drive-by downloads: when unsuspecting users visit a compromised website, they unknowingly download a malicious file. SocGholish relies on social engineering tactics to trick users into executing a malicious JavaScript payload, granting the malware control over the compromised system. This malware has been active since April 2018 and poses a significant security and privacy risk to users.
SystemBC: SystemBC is a malicious software that works as a proxy and remote access trojan (RAT). It serves as a network proxy for hidden communications and allows remote administration. SystemBC can be used to execute Windows commands and deliver and run malicious scripts or executables.
Trickbot: Trickbot is one of the most prominent and persistent threats in the cybersecurity landscape. Initially targeting financial institutions, Trickbot has evolved to engage in various malicious activities, including credential theft, email harvesting, system reconnaissance, and distributing other malware, such as ransomware. It spreads primarily through spam emails, malicious attachments, or compromised websites. Once infected, Trickbot establishes a persistent presence on the victim's system and utilizes advanced techniques to evade detection and analysis, making it a challenging threat to mitigate. It has a wide range of capabilities and continues to be actively developed and updated by its operators, posing a significant risk to individuals and organizations worldwide.
Vidar: Vidar is a malware-as-a-service infostealer initially detected in late 2018. Designed for Windows, it can gather various forms of sensitive data from web browsers and digital wallets. Furthermore, Vidar is utilized as a downloader for ransomware. Since its inception, Vidar has established itself as one of the most prominent and successful infostealers in the cybercrime landscape.
WSH RAT: WSH RAT is a type of remote access trojan (RAT) that utilizes Windows Script Host (WSH) scripting functionality for its malicious activities. It allows attackers to gain unauthorized access and control over infected systems remotely. WSH RAT can execute arbitrary commands, collect sensitive information, capture screenshots, record keystrokes, and perform other malicious actions, making it a significant security threat.
XMRig: XMRig is a miner malware targeting victims' hardware to mine the cryptocurrency Monero (XMR). It utilizes anti-analysis and detection evasion techniques, making it difficult for traditional anti-malware software to detect. XMRig can overload processors, causing significant performance degradation, which is often the first sign of trouble for unsuspecting victims. XMRig is known for belonging to a family of malicious miners that share codebase variations, for its wide range of delivery methods, and for its ability to be paired with other malware, such as ransomware and spyware.
Xtreme RAT: Xtreme RAT, developed by 'xtremecoder' in Delphi, is a Remote Access Trojan active since 2010. Its leaked source code has made it widely available. With capabilities including file manipulation, process control, screenshot capture, and audio/video recording, Xtreme RAT has targeted financial institutions, telecom companies, gaming companies, and various other sectors, posing a significant threat to their security and privacy.
XWorm: XWorm is a commodity malware available for sale on underground forums and is equipped with a diverse set of features for extracting sensitive data from compromised systems. It can engage in clipper, DDoS, and ransomware activities, propagate through USB devices, and deploy secondary malware. Maintaining vigilance regarding malicious document files remains crucial, even though the use of Microsoft Office documents in phishing emails has declined since macros were disabled by default.
ZLoader: ZLoader is a sophisticated banking trojan that primarily targets financial institutions and their customers. It emerged in 2016 and has since evolved with advanced features and techniques. ZLoader spreads through various methods, such as phishing emails, exploit kits, or malicious downloads. Once installed on a victim's system, it operates stealthily, intercepts web traffic, and steals sensitive information such as login credentials, banking details, and personal data. ZLoader can also inject malicious code into banking websites to capture additional information. It poses a significant risk to online banking security and can lead to financial loss and identity theft for its victims.
Initial Access Vectors
Malicious email: This type of intrusion uses email as a weapon to trick the recipient into opening an attachment, clicking on a link, or providing sensitive information. For example, an attacker may use phishing, spear phishing, or whaling to impersonate a trusted sender and steal credentials, install malware, or launch other attacks.
Phishing email: This type of malicious email attempts to deceive the recipient into believing that the message is from a legitimate source and that they need to take some action. For example, an attacker may use deceptive phishing, vishing, or spoofing to lure the recipient into clicking on a malicious link, downloading a malicious file, or providing personal or financial information.
Software/hardware vulnerability: This is a type of intrusion that exploits a weakness or flaw in the software or hardware of a system or device. For example, an attacker may use a buffer overflow, a code injection, or a backdoor to gain unauthorized access, execute commands, or install malware.
Stolen user credentials: This type of intrusion uses stolen or guessed usernames and passwords to access systems or accounts. For example, an attacker may use credential theft, credential stuffing, or brute force attacks to obtain valid credentials and bypass security measures.
Third-party remote access tool: This type of intrusion involves using a legitimate or compromised tool that allows remote access to a system or network. For example, an attacker may use a VPN client, a remote desktop application, or a cloud service to connect to a target system and perform malicious actions.