In targeted attacks, during the lateral movement stage attackers try to gain access to other computers on the same local area network (LAN). One useful tool for this is ARP spoofing, which can be used to carry out a variety of attacks to steal information as well as to plant backdoors on other machines. We recently came across a tool that automates ARP attacks, and uses these attacks to inject IFRAMEs into websites, deliver fake software updates, and disrupt SSL connections.
Hacking tools that automate ARP attacks are fairly common, so we will not delve too deeply into all of their aspects. The tool can scan for live hosts on the LAN, and the results are saved in an encrypted file. These IP addresses then become the targets of ARP spoofing attacks.
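To show what the ARP spoofing described above looks like from the defender's side, here is an added example written for this article (it is not code from the tool or from the original post): an arpwatch-style monitor that parses raw Ethernet/ARP frames, learns IP-to-MAC bindings from ARP replies, and raises an alert on the two symptoms such a tool leaves on the wire, an IP whose MAC suddenly changes and a single MAC answering for several IPs (typically the gateway and the victim at once). The frames, MAC addresses and IP addresses are constructed sample data; `build_arp_reply` exists only to produce that test input and nothing is transmitted.

```python
import struct
from collections import defaultdict

# Constructed example for this article: an arpwatch-style detector that learns
# IP-to-MAC bindings from ARP replies and flags the two symptoms of ARP spoofing:
# an IP whose MAC changes, and one MAC claiming several IPs.

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def parse_arp(frame: bytes):
    """Return (oper, sender_mac, sender_ip, target_mac, target_ip) for an
    Ethernet/IPv4 ARP frame, or None if the frame is not one."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return oper, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa)


def build_arp_reply(sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build an ARP reply frame as test input only; nothing here is sent anywhere."""
    eth = ETH_HDR.pack(mac_bytes(tha), mac_bytes(sha), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REPLY,
                       mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


class ArpWatch:
    """Learns bindings from ARP replies and records alerts on suspicious changes."""

    def __init__(self):
        self.bindings = {}                  # ip -> mac currently claiming it
        self.ips_by_mac = defaultdict(set)  # mac -> set of ips it has claimed
        self.alerts = []

    def observe(self, frame: bytes) -> list:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return []
        _, sha, spa, _, _ = parsed
        new = []
        known = self.bindings.get(spa)
        if known is not None and known != sha:
            new.append(f"binding change: {spa} moved from {known} to {sha}")
        self.bindings[spa] = sha            # track the latest claim so a flapping IP keeps alerting
        first_claim = spa not in self.ips_by_mac[sha]
        self.ips_by_mac[sha].add(spa)
        if first_claim and len(self.ips_by_mac[sha]) > 1:
            new.append(f"one MAC answers for several IPs: {sha} -> {sorted(self.ips_by_mac[sha])}")
        self.alerts.extend(new)
        return new


def run_demo() -> list:
    """Feed constructed frames: two legitimate replies, then a rogue host
    claiming both the gateway and the victim. Returns the alerts raised."""
    gw_mac, gw_ip = "aa:aa:aa:aa:aa:01", "10.0.0.1"
    host_mac, host_ip = "bb:bb:bb:bb:bb:20", "10.0.0.20"
    rogue_mac = "cc:cc:cc:cc:cc:cc"
    frames = [
        build_arp_reply(gw_mac, gw_ip, host_mac, host_ip),
        build_arp_reply(host_mac, host_ip, gw_mac, gw_ip),
        build_arp_reply(rogue_mac, gw_ip, host_mac, host_ip),
        build_arp_reply(rogue_mac, host_ip, gw_mac, gw_ip),
    ]
    watch = ArpWatch()
    for frame in frames:
        watch.observe(frame)
    return watch.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On a real network the same `ArpWatch.observe` would be fed frames from a packet capture or a raw socket on a monitoring port. Detection of this kind only tells you the poisoning happened; static ARP entries for the gateway on sensitive hosts, or Dynamic ARP Inspection on managed switches, are the controls that prevent it.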
For starters, this tool can be used to intercept network traffic and extract login credentials for network services. This particular tool, which we also detect as HKTL_ARPSPOOF, can steal credentials from a wide variety of protocols, including FTP, HTTP, IMAP, NetBIOS, POP3, SMB, and SMTP.
For these protocols, the tool scans the network traffic to extract user names and passwords. These are saved in an encrypted file, which the attacker can upload at their discretion. Because users frequently reuse the same password across different accounts, these credentials may work on a wide variety of services, not just the ones they were captured from.
In addition, this tool is capable of carrying out man-in-the-middle attacks against TLS/SSL traffic. If users are not wary and ignore warnings about invalid certificates, any credentials sent to sites that use TLS/SSL can be captured and used by an attacker instead of being “secure”. Many high-profile sites already force the use of TLS/SSL when users log into their services.
This malware can also inject IFRAMEs into sites the user visits. It monitors the system’s HTTP traffic and injects an invisible IFRAME whenever possible. The results – as gathered in our testing – can be seen below.
Figure 1. Injected IFRAME
In this case, a (non-malicious) IFRAME was injected into the default web site of the HTTP server. An attacker could use this “feature” to send users to a malicious URL hosting a page with code that exploits vulnerabilities on the user’s system.
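As an added example for this article (not code from the tool or the original post), the following scanner takes an HTML page, for instance a copy of your own site fetched from inside the LAN, and reports IFRAMEs that look injected in the way described above: hidden or near-zero size, or pointing at an origin the site is not expected to embed. The sample page, the host names and the allowlist are constructed.

```python
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed example for this article: scan an HTML page for IFRAMEs that look
# injected: hidden or near-zero size, or pointing at an origin not on an allowlist.

@dataclass
class IframeFinding:
    src: str
    reasons: list = field(default_factory=list)


def _pixels(value):
    """Parse a width/height attribute like '0', '1px' or '0%'; None if not numeric."""
    if value is None:
        return None
    v = value.strip().lower().rstrip("%")
    if v.endswith("px"):
        v = v[:-2]
    try:
        return float(v)
    except ValueError:
        return None


class IframeScanner(HTMLParser):
    def __init__(self, expected_hosts):
        super().__init__()
        self.expected_hosts = {h.lower() for h in expected_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): v for k, v in attrs}  # bare attributes (e.g. hidden) have value None
        reasons = []
        w, h = _pixels(a.get("width")), _pixels(a.get("height"))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("negligible size (<=1px)")
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if "hidden" in a:
            reasons.append("hidden attribute")
        src = a.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        if host and host not in self.expected_hosts:  # relative src = same origin, allowed
            reasons.append(f"origin not in allowlist: {host}")
        if reasons:
            self.findings.append(IframeFinding(src, reasons))


def find_suspicious_iframes(html: str, expected_hosts=()) -> list:
    scanner = IframeScanner(expected_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: a legitimate help frame, an embed from an allowed
# partner host, and one invisible frame of the kind the article describes.
SAMPLE_PAGE = """<html><body>
<h1>Intranet portal</h1>
<iframe src="/help" width="600" height="400"></iframe>
<iframe src="https://videos.example/embed/42" width="640" height="360"></iframe>
<iframe src="http://rogue-host.invalid/x.html" width="0" height="0" style="display: none"></iframe>
</body></html>"""


def run_demo() -> list:
    return find_suspicious_iframes(SAMPLE_PAGE, expected_hosts=["videos.example"])


if __name__ == "__main__":
    for f in run_demo():
        print(f.src, "->", "; ".join(f.reasons))
```

Because the injection happens in transit, comparing a page fetched through the suspect LAN segment against a copy fetched directly from the server (or against the deployed source) is the more decisive check; this scanner is useful where no reference copy is at hand.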
Fake Update Package
We constantly warn users to always ensure their software is up to date to help protect themselves. However, this tool exploits that habit to push malware to other users. It is also capable of using ARP spoofing to trick the system into thinking that an update for Windows Media Encoder 9 is being offered to the user; however, this file is actually malicious.
Figure 2. Fake update code
One function of this tool offers a potential clue as to the identity of the persons responsible for it. A portion of the code is specifically targeted at users of the Central Tibetan Administration, which relies on Google Apps to provide email for its users.
Figure 3. Code for specific target
The capabilities of this tool highlight the effectiveness of ARP spoofing for stealing information, particularly login credentials, which can be very useful in conducting lateral movement.
IT administrators should consider retiring old, unencrypted protocols in favor of newer, encrypted ones, as these resist attack better than their predecessors. However, user training should also emphasize the importance of heeding alerts about invalid certificates, as these can indicate serious security problems.
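The credential-capture section above and the advice here to retire unencrypted protocols have the same starting point: knowing which services on the LAN still send credentials in the clear. The following is an added example written for this article (not code from the tool or the original post): an inventory that runs over client-to-server TCP payloads and reports where cleartext authentication for FTP, POP3, IMAP, SMTP or HTTP was observed. It records only the protocol, the endpoints and the indicator matched, never the credential itself. The traffic, addresses and secrets are constructed sample data, and the port-based protocol mapping is a stated heuristic.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed example for this article: an inventory of cleartext authentication
# seen on the wire, so an administrator can see which legacy services still carry
# credentials that an ARP-spoofing host on the LAN could capture. It reports only
# protocol, endpoints and the indicator matched; it never stores the credential.

@dataclass(frozen=True)
class Finding:
    protocol: str
    client: str
    server: str
    indicator: str


# (protocol, server port, pattern over the client->server bytes, indicator).
# Port matching is a heuristic; services on non-standard ports need content-based
# identification instead.
RULES = [
    ("FTP",  21,  re.compile(rb"^PASS\s", re.M | re.I),                         "PASS command"),
    ("POP3", 110, re.compile(rb"^PASS\s", re.M | re.I),                         "PASS command"),
    ("IMAP", 143, re.compile(rb"^\S+\s+LOGIN\s", re.M | re.I),                  "LOGIN command"),
    ("SMTP", 25,  re.compile(rb"^AUTH\s+(PLAIN|LOGIN)", re.M | re.I),           "AUTH PLAIN/LOGIN"),
    ("HTTP", 80,  re.compile(rb"^Authorization:\s*Basic\s", re.M | re.I),       "Basic Authorization header"),
    ("HTTP", 80,  re.compile(rb"(?:^|[&\r\n])(?:password|passwd|pwd)=", re.I),  "password form field"),
]


def audit(segments) -> list:
    """segments: iterable of (client_ip, server_ip, server_port, payload_bytes)
    for client->server TCP data. Returns unique findings in first-seen order."""
    seen, findings = set(), []
    for client, server, port, payload in segments:
        for protocol, rule_port, pattern, indicator in RULES:
            if port == rule_port and pattern.search(payload):
                f = Finding(protocol, client, server, indicator)
                if f not in seen:
                    seen.add(f)
                    findings.append(f)
    return findings


def summarize(findings) -> dict:
    """Count findings per protocol: the retirement list for the administrator."""
    return dict(Counter(f.protocol for f in findings))


# Constructed sample traffic (placeholder addresses; the secrets are dummies).
SAMPLE_SEGMENTS = [
    ("10.0.0.20", "10.0.0.5", 21,  b"USER alice\r\nPASS dummy-secret\r\n"),
    ("10.0.0.21", "10.0.0.6", 110, b"USER bob\r\nPASS dummy-secret\r\n"),
    ("10.0.0.22", "10.0.0.7", 25,  b"EHLO client\r\nAUTH LOGIN\r\n"),
    ("10.0.0.23", "10.0.0.8", 80,  b"POST /login HTTP/1.1\r\nHost: portal\r\n\r\nuser=carol&password=dummy-secret"),
    ("10.0.0.23", "10.0.0.8", 80,  b"GET /index.html HTTP/1.1\r\nHost: portal\r\n\r\n"),
    ("10.0.0.24", "10.0.0.9", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # start of a TLS ClientHello: opaque
]


def run_demo() -> list:
    return audit(SAMPLE_SEGMENTS)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.protocol:5} {f.client} -> {f.server}: {f.indicator}")
    print(summarize(run_demo()))
```

Run against real captures, the summary from `summarize` is the list of services to move to their encrypted equivalents (FTPS/SFTP, POP3S, IMAPS, SMTP with STARTTLS or submission over TLS, HTTPS); the port-443 segment in the sample shows why TLS traffic yields nothing to this kind of inspection as long as users do not click through certificate warnings.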