Threat Actors Favor Rclone, WinSCP and cURL as Data Exfiltration Tools

Written by

Data exfiltration is critical in double extortion cyber-attacks, which have become the new gold standard of ransomware attacks.

In a new report, ReliaQuest found that Rclone, WinSCP and Client URL (cURL) were the top three data exfiltration tools utilized by threat actors between September 2023 and July 2024.

Data exfiltration, the unauthorized transfer or retrieval of data from enterprise or personal devices, may include threat actor–owned infrastructure or third-party cloud services.

To do so, threat actors usually use legitimate or custom tools that allow them to collect and extract a large amount of data, then threaten their victim with leaking the data if it refuses to pay the ransom.

According to ReliaQuest, most of the high-profile ransomware groups, such as LockBit, Black Basta and BlackSuit, favor the use of the aforementioned top three tools.

Others, like Inc Ransom, prefer using more atypical tools, such as legitimate file management tools and remote monitoring and management (RMM) software.

Top Data Exfiltration Tools

Rclone

Rclone is a legitimate open-source command-line utility that allows users to synchronize files with various cloud storage providers and established infrastructure, such as file transfer protocol (FTP) servers.

It is also the most popular exfiltration tool used by threat actors, with 57% of ransomware incidents involving the tool during the reported period.

Rclone’s appeal comes from its fast data-transfer capabilities and versatility.

For instance, Rclone can integrate with numerous cloud services, including Google Drive, Amazon S3, and Mega, along with protocols like FTP, complicating mitigation strategies for defenders.

Rclone also runs on Windows, Linux and macOS, and can easily automate operations, making it very efficient for large data transfers.

“Its legitimacy as a backup tool used by IT professionals aids threat actors in avoiding detection or raising the alarm,” ReliaQuest added in its report.

WinSCP

WinSCP is an open-source file-transfer utility for Windows that offers similar functionalities to Rclone but distinguishes itself with its user-friendly interface.

While WinSCP focuses on transfers from local to remote locations, Rclone is a command-line tool designed for managing files across various cloud storage services.

WinSCP is widely used within organizations and is a trusted, legitimate tool, which reduces suspicion when found on an endpoint. Its portability and scripting capabilities facilitate efficient data transfers, whether automated or manual. Additionally, WinSCP’s effective error handling and logging features ensure the successful exfiltration of specified data.

cURL

Client URL (cURL) is a command-line tool used to transfer data by specifying the destination through a URL.

It supports protocols such as HTTPS, FTP, and SFTP and is commonly used for tasks like downloading or uploading data and interacting with web services. It is cross-platform and available on Windows, macOS and Linux.

“cURL is also native to Windows 10 version 1803 and later, which means threat actors do not need to ingress cURL into a target environment, allowing them to ‘live off the land,’” added ReliaQuest.

Compared to Rclone and WinSCP, cURL is not as reliable for large-scale data-exfiltration operations. However, it can serve as a very effective tool for exfiltrating critical information about a target organization.

In May 2024, ReliaQuest observed the Black Basta ransomware group leveraging cURL in conjunction with the cloud storage domain temp[.]sh to successfully exfiltrate sensitive data from an organization.

Other Data Exfiltration Tools

Outside these three tools, threat actors use a range of different tools to exfiltrate data.

These include file storage and file transfer tools (MEGA Cloud Storage, FileZilla), backup programs (Restic) and remote monitoring and management (RMM) software.

“It is important to also consider tools capable of exfiltrating small amounts of data and the persistent threat of custom exfiltration tools,” ReliaQuest researchers concluded.

Read more: Chemical Facilities Warned of Possible Data Exfiltration Following CISA Breach

What’s hot on Infosecurity Magazine?