Attackers fooled by honeypot: researchers reveal five hacker factions

Updated on: 11 August 2023

Ernestas Naprys
Senior Journalist

A honeypot for cybercriminals, set up by two security researchers, tracked cyber attacks for three years. Over twenty thousand recorded sessions helped them to understand and describe the five main classes of hacker.

The honeypot revealed how crooks install malware, mine cryptocurrencies, abuse servers for DDoS attacks, and conduct fraud campaigns.

According to a report shared by GoSecure, two researchers, an engineer and a crime data scientist collected more than 190 million events, 100 hours of video footage, and 470 files used by threat actors, all of which came from 20,000 Remote Desktop Protocol (RDP) connection captures. This occurred within a three-year observation period.

RDP is a critical attack vector used by cybercrooks, including ransomware groups.

To study cyber attacks as they unfold, the researchers created an open-source RDP interception tool with “unmatched screen, keyboard, mouse, clipboard and file collection capabilities.” They share the tool called PyRDP publicly.

They used the data collected to classify opportunistic attackers into different groups. Understanding and characterizing different types of attackers allows them to collectively focus attention on the most popular modus operandi and the more sophisticated threats.

“This presentation demonstrates the tremendous capability in RDP, not only for research benefits, but also for law enforcement and blue teams. Law enforcement could lawfully intercept the RDP environments used by ransomware groups and collect intelligence in recorded sessions for use in investigations,” researchers write.

On the other hand, cybersecurity defense teams can work with indicators of compromise (pieces of evidence suggesting a potential security breach or malicious activity) to further protect their organization. Honeypots not only provide a view of various attackers' tradecraft but also may slow them down, scaring them into changing their strategies. This would affect the cost-benefit analysis of their deeds and would thus benefit everyone.

“In the next couple of months, we will detail the tools used by the different threat actors in our attackers’ weaponry blog post series,” the researchers promised.

To describe five types of attackers, they used the classes from the popular game Dungeons & Dragons (DnD):

Rangers: explore all computer folders, check the network and host performance characteristics, and run reconnaissance by clicking or using programs/scripts. No other meaningful actions are undertaken. One ranger in action is depicted in a recorded session on YouTube.

“Our hypothesis is that they are evaluating the system they compromised so that another profile of attacker can come back later,” researchers write.

Thieves: aim to monetize the gained RDP access. After taking control of the computer, they change the credentials and perform different activities to take advantage of their access. To achieve something of value, they use tools like traffmonetizer (proxyware), monetized browsers (participating in pay-to-surf schemes), install and use crypto miners, download Android emulators (mobile fraud), etc. 

Barbarians: use a large array of tools to brute-force their way into more computers. For them, one compromised system is leverage to attempt compromising other systems. They work with lists of IP addresses, usernames and passwords.

Here is one brute, using Masscan, a brute-forcing tool.

Wizards: care about their operational security. Wizards use the RDP access as a portal to connect to another computer that was compromised in a similar fashion. They hide their identity via jumps over compromised hosts.

“To do so, they demonstrate a high level of skill by carefully living off the land. Being able to monitor and see the actions of these attackers is of utmost importance for threat intelligence gathering, enabling defenders and researchers to reach deeper into compromised infrastructure,” GoSecure described.

Bards: lack of apparent hacking skills doesn’t stop those wannabe hackers. Bards access the system to accomplish basic tasks like looking for viruses through a simple Google search or watching pornography.

“The evidence shows that they might have bought RDP access from someone who has compromised the system for them, aka Initial Access Brokers (IABs).”