Dark Utilities: Platform offers Command&Control as a Service
by Tina Siering
What is "Dark Utilies" - and how does the C2aaS platform increase the threat level for organizations?
Since February 2022, Cisco Talos security specialists have had a new platform under permanent observation. Dark Utilities, as it is called, was able to gain over 3000 registered customers in a very short time. The reason for its popularity: Dark Utilities offers cybercriminals low-threshold, simple and inexpensive access to an existing control server infrastructure. Cisco Talos calls the platform "Command & Control as a Service" (C2aaS). The service is hosted on both the Clear Internet and Tor networks, and cybersecurity experts suspect it will grow significantly again in the near future.
Starting at €9.99 per month, cybercriminals gain access to the infrastructure hosted on Clear Internet as well as payloads with Windows-, Python- and Linux-based implementations on the Tor network. A convenient dashboard can be used to plan cyberattacks and execute commands on compromised machines via a dedicated admin area. Without any development effort, cyber attackers are able to carry out attacks with Dark Utilities - and technical support is even conveniently available via Telegram and Discord for upcoming questions or problems.
For the low entry price, cybercriminals can access a powerful command and control infrastructure and maintain continuous communication to the servers in the process, so that the infected system remains available for the new owners' activities. In addition, you get the appropriate client software and pre-built payloads for DDoS attacks or crypto mining, for example. In short, newcomers to the cybercrime scene or criminals without much know-how and corresponding resources are lured in with an easily accessible, cheap system including support.
What attacks are possible via the platform on infected systems?
As a service platform, Dark Utilities offers very flexible handling of the victims' target systems. Windows- and Linux-based systems can be equally attacked with the pre-built modules. The platform's modules are largely implemented in Python and can independently determine which system they are currently being used on. DDoS attacks are just as possible with the modules as comprehensive remote access including command execution on compromised devices. Crypto-mining operations also run through the C2aaS platform.
Dark Utilities is powerful, exceedingly cheap - and quite secure. That's because the platform relies on the decentralized peer-to-peer "Interplanetary Filesystem" file system to host payloads. The Interplanetary Filesystem enables access to content on the Internet without the installation of client software - a mode of operation familiar from the Tor2Web gateways. This makes tracing by law enforcement agencies and removal of content extremely difficult to impossible.
What benefits do cybercriminals gain from Dark Utilities?
Cybercriminals - especially beginners or cybercriminals without resources and deep expertise - benefit in several ways from the Dark Utilities C2aaS platform. On the one hand, no own server infrastructure is necessary for the execution of cyber attacks, on the other hand, the development effort can also be completely outsourced. This reduces the cost of cyberattacks enormously - and allows systems to be compromised even without their own command & control servers. The dark utilities provider backs customers with comprehensive technical support via its own Discord and Telegram communities. The problem that arises: Even inexperienced cybercriminals are given a tool with which to inflict great damage - the already greatly increased threat potential for organizations rises further as a result.
How organizations protect themselves from the new dangers posed by the C2aaS platform "Dark Utilities".
Good news: As basic protection, companies and private users should definitely implement firewalls and virus scanners - and keep them up to date with updates. The same applies to operating systems and software, which should be used in the latest version. Regular patching and updating is mandatory in order to identify and close any security gaps that may exist and thus offer cybercriminals as little attack surface as possible. Technical security measures can be supplemented by regular security audits - which strengthen the "human firewall" in particular. Increased awareness among all company employees of the dangers that can arise from cybercrime is probably the most important protection against attacks from the network. Regular pentests can be used to put the company's security architecture to the test. Security leaks can be detected and subsequently closed.
Many companies are also discussing the introduction of their own SIEM or the integration of a SOC team into IT security. SIEM and SOC significantly expand the defense options in the area of cyber attacks, but both options are also extremely personnel- and cost-intensive. Significantly less expensive, but no less effective, is Allgeier secion's proactive hacker defense - the Active Cyber Defense (ACD) service. An experienced team of threat hunting and incident response experts continuously analyzes corporate networks for anomalies, identifying cybercriminals' communications with command & control servers. The service is available as a managed service and provides the security of an external SOC team - around the clock, 365 days a year. This allows IT security costs to be reduced without sacrificing much-needed protection against cyberattacks.
Conclusion
Dark Utilities provides a cloud platform that makes cyberattacks easier than ever. Without deep expertise and with minimal effort, even "beginners" can carry out serious attacks on companies, organizations and individuals. individuals. Dark Utilities is currently already used by over 3000 paying "customers" - and the platform is expected to grow even more in popularity on the scene in the coming months. For reliable protection against cyber attacks via the platform, the use of treat-hunting tools, careful awareness training of all employees - and early attacker detection are recommended. With ACD, Allgeier secion offers a "managed detection and response" service.
The threat hunting and incident response solution actively searches for conspicuous activities in your network and informs you 24/7 about security-relevant incidents. This lets you know early on when you're a target for cybercriminals and defend against attacks. The solution is available at a fixed monthly price and thus offers financial planning security.
Need help upgrading your IT security for 2022? Contact us!
Related articles
For several days now, there has been a strong accumulation of successful compromises by the "QakBot" malware (also known as "QBot" and "QuackBot") worldwide. We have also already identified successful attacks as part of our ACD monitoring. After infection, criminals can gain access to online banking accounts, leak user data, and reload further malware. As one measure to mitigate the risk, we urgently recommend adjustments to the Group Policy Objects (GPO).
Cybercriminals are true masters at constantly adapting their attack mechanisms to effective IT security measures. New tools and iterative changes to existing malware are used to mercilessly exploit security vulnerabilities. Among the numerous threats, ransomware stands out as one of the biggest. More and more companies have to face extortion Trojans. A completely new threat called LockFile now relies on intermittent encryption. LockFile not only encrypts much faster than previous ransomware, but also bypasses security solutions that work reliably. This article shows why criminals are increasingly relying on intermittent encryption and how companies should react to the new threat.
Read more … New ransomware trend: Why criminals increasingly rely on intermittent encryption
Due to the war in Ukraine, secion provides an assessment of the threat situation for companies and examines the question of whether increased Russian attacks on companies in Germany, Austria and Switzerland can be identified. There is currently no evidence of an acute increase in the threat posed by Russian state actors in Western Europe, but there is increased public awareness of these cyberattacks. In addition, "third-party actors" are creating a new dynamic.