Hackers fork open-source reverse tunneling tool for persistence (Security News, March 2022)
As detailed in a report shared with Bleeping Computer by Security Joes, the threat actors were observed in an attack against one of its clients in the gambling/gaming industry, where they used a mix of custom-made and readily available open-source tools.
The most notable are a modified version of Ligolo, a reverse tunneling utility freely available to pentesters on GitHub, and a custom tool that dumps credentials from LSASS.

Attack in the wild
One notable element is the deployment of 'Sockbot', a utility written in Go and based on the Ligolo open-source reverse tunneling tool.
"Comparing the new variant to the original source code available online, the threat actors added several execution checks to avoid multiple instances running at the same time, defined the value of the Local Relay as a hard-coded string to avoid the need of passing command line parameters when executing the attack and set the persistence via a scheduled task." - Security Joes.
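Of the three changes Security Joes lists, the scheduled-task persistence is the one a defender can hunt for directly. The following is an added example, not code from the report, from Ligolo or from Sockbot: a Go program (Go because that is the language the tool is written in) that parses Task Scheduler XML as printed by `schtasks /query /xml /tn <name>` and flags a task whose action launches a binary from a user-writable directory, with logon/boot triggers, elevated run level and the hidden flag reported as supporting context. The two task definitions, the task names and the path `C:\Users\Public\Libraries\relay.exe` are constructed for the example and do not come from the incident.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Task is the subset of the Task Scheduler XML schema this check needs. The
// schema namespace (http://schemas.microsoft.com/windows/2004/02/mit/task) is
// ignored because encoding/xml matches on local element names.
type Task struct {
	XMLName  xml.Name `xml:"Task"`
	Triggers struct {
		Logon *struct{} `xml:"LogonTrigger"`
		Boot  *struct{} `xml:"BootTrigger"`
	} `xml:"Triggers"`
	RunLevel string `xml:"Principals>Principal>RunLevel"`
	Hidden   bool   `xml:"Settings>Hidden"`
	Actions  struct {
		Exec []struct {
			Command   string `xml:"Command"`
			Arguments string `xml:"Arguments"`
		} `xml:"Exec"`
	} `xml:"Actions"`
}

// Directories a standard user can write to. A task launching its binary from
// one of these is the strong signal; the other findings are supporting context.
var userWritable = []string{`\users\`, `\appdata\`, `\temp\`, `\programdata\`, `\public\`}

// Analyze parses one task definition and returns its findings plus a verdict.
// Task files on disk (C:\Windows\System32\Tasks) are UTF-16: transcode them to
// UTF-8 before calling this. The pass-through CharsetReader only stops the
// decoder from rejecting the encoding="UTF-16" declaration they all carry.
func Analyze(raw string) (findings []string, suspicious bool, err error) {
	var t Task
	dec := xml.NewDecoder(strings.NewReader(raw))
	dec.CharsetReader = func(_ string, r io.Reader) (io.Reader, error) { return r, nil }
	if err = dec.Decode(&t); err != nil {
		return nil, false, err
	}
	for _, a := range t.Actions.Exec {
		cmd := strings.ToLower(strings.Trim(a.Command, `"`))
		for _, dir := range userWritable {
			if strings.Contains(cmd, dir) {
				findings = append(findings, "executes from user-writable path: "+a.Command+" "+a.Arguments)
				suspicious = true
				break
			}
		}
	}
	if t.Triggers.Logon != nil || t.Triggers.Boot != nil {
		findings = append(findings, "fires at logon/boot (persistence trigger)")
	}
	if t.RunLevel == "HighestAvailable" {
		findings = append(findings, "requests highest available privileges")
	}
	if t.Hidden {
		findings = append(findings, "marked hidden in Task Scheduler")
	}
	return findings, suspicious, nil
}

// Constructed samples (not from the incident): a vendor updater, and a task
// shaped like the persistence described in the report under a hypothetical name.
const benignTask = `<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Example Corp</Author></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2022-03-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Example\updater.exe</Command><Arguments>/check</Arguments></Exec></Actions>
</Task>`

const sockbotLikeTask = `<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>WORKSTATION\user</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\Users\Public\Libraries\relay.exe</Command></Exec></Actions>
</Task>`

func main() {
	for name, raw := range map[string]string{"benign": benignTask, "sockbot-like": sockbotLikeTask} {
		findings, suspicious, err := Analyze(raw)
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		fmt.Printf("%s: suspicious=%v\n", name, suspicious)
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

Run it over every task exported from a host and review the ones with `suspicious=true` first; the path heuristic is deliberately narrow, so widen `userWritable` to match local conventions rather than treating an empty result as a clean bill of health.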
Another case of particular interest is 'lsassDumper', a custom tool also written in Go, used by the actors to automatically exfiltrate credential material dumped from the LSASS process to the "Transfer.sh" file-sharing service.
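An upload of LSASS memory to a public file-sharing service leaves a trace wherever outbound HTTP is logged. The following is an added detection example, not part of the report or of lsassDumper: it walks constructed proxy-log lines in a hypothetical space-separated format (time, client, method, URL, status, bytes sent by the client, bytes received) and returns every PUT or POST to transfer.sh, optionally only those above a size threshold. The log lines, client addresses and file names are made up for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// Upload is one request that carried a body to the file-sharing service.
type Upload struct {
	Time, Src, Host, Path string
	Bytes                 int64
}

// Constructed proxy log (hypothetical format: time client method url status
// bytes_out bytes_in). The real incident logs are not in the report.
const proxyLog = `2022-03-01T10:14:02Z 10.20.30.40 GET https://transfer.sh/ 200 812 0
2022-03-01T10:14:09Z 10.20.30.40 PUT https://transfer.sh/lsass.dmp 200 52428800 148
2022-03-01T10:15:31Z 10.20.30.41 POST https://update.example.net/telemetry 200 2048 0
2022-03-01T10:16:00Z 10.20.30.42 PUT https://transfer.sh/notes.txt 200 1300 142
2022-03-01T10:16:45Z 10.20.30.40 GET https://transfer.sh/abc123/lsass.dmp 200 0 52428800
malformed line`

// isFileShareHost matches the service and any subdomain of it.
func isFileShareHost(h string) bool {
	h = strings.ToLower(h)
	return h == "transfer.sh" || strings.HasSuffix(h, ".transfer.sh")
}

// FindUploads returns every request that sent at least minBytes of body to
// transfer.sh (PUT, which `curl --upload-file` issues, or POST). Downloads
// (GET) and lines that do not parse are skipped.
func FindUploads(log string, minBytes int64) []Upload {
	var out []Upload
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 7 {
			continue
		}
		method, rawURL := f[2], f[3]
		if method != "PUT" && method != "POST" {
			continue
		}
		u, err := url.Parse(rawURL)
		if err != nil || !isFileShareHost(u.Hostname()) {
			continue
		}
		n, err := strconv.ParseInt(f[5], 10, 64)
		if err != nil || n < minBytes {
			continue
		}
		out = append(out, Upload{Time: f[0], Src: f[1], Host: u.Hostname(), Path: u.Path, Bytes: n})
	}
	return out
}

func main() {
	// LSASS dumps are tens to hundreds of megabytes; 1 MiB already filters out chatter.
	for _, u := range FindUploads(proxyLog, 1<<20) {
		fmt.Printf("%s %s uploaded %d bytes to %s%s\n", u.Time, u.Src, u.Bytes, u.Host, u.Path)
	}
}
```

Because the service is reached over TLS, the host name is only visible where the proxy terminates TLS or records the CONNECT target or SNI; where it does not, fall back to DNS logs for the same name. Legitimate users do upload to transfer.sh, so pair the hit with the source host's process telemetry before escalating.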
Finally, the intruders used ADFind for network reconnaissance, a freely available tool that adversaries use to gather information from Active Directory and that is also very common in ransomware intrusions.