Where Do Hackers Hide? Here Are the Surprising Facts

Cybercrime is on the rise, with computer hacks becoming so common that nearly everyone has to deal with one at some point. Hackers have advanced the way they attack, and they're no longer just pulling the simple pranks of the early days.

Cybercriminals today take the time to orchestrate their moves to improve their chances of success. They aim to pose severe and damaging threats to users' data. One of the things attackers do in preparation for an attack is to find a suitable launchpad; in doing so, they obscure the true source of the attack.

One way cybercriminals mask themselves is by compromising organizations' networks and servers. Those nodes then serve as springboards for further attacks. According to one security expert, the most important thing is for users to recognize the tactics of attackers, who are constantly working behind the scenes to set up shadow infrastructure.

Other attacks are propagated through spoofed email messages that try to dupe unsuspecting users into clicking on malicious links. If the messages arrive from known bad actors, the ploys don't go very far, since they tend to raise the alarm. As such, attackers must disguise themselves by burrowing into innocuous networks.

How, then, do attackers conceal their identity? Here are the most common methods, as revealed by security experts. 

  1. Small Business Networks

One illustrative case involved foreign, state-backed hackers who took control of a saddle-maker's outdated Windows Server 2003 machine. They used that access to move laterally to other servers, and the more servers they reached, the more spear-phishing emails they could send to a large number of targets. In this case, the targets were contractors of the U.S. Department of Defense.

Unfortunately, most people assume that only large providers like Google and Verizon give attackers the leverage to strike. The truth is that attacks can come from anywhere.

  2. Public School Networks

Earlier in 2016, attackers took advantage of a vulnerable web application on a server belonging to a public school. After breaking in and bouncing around the school's network, they installed more backdoors from which they launched further attacks.

  3. Social Clubs

It's not uncommon for clubs to offer Wi-Fi to their patrons. Knowing this, cybercriminals exploit these connections to distribute malware to anyone connected to the network.

Hackers lure users in a space they are likely to visit for social reasons, then piggyback into the users' corporate networks later.

  4. SCADA Facilities

SCADA stands for supervisory control and data acquisition: computer systems used for gathering and analyzing data to monitor and control plants or equipment in industries such as telecommunications, energy, water and waste control, and transportation.

In the same year, 2016, one hacking victim was an unnamed industrial equipment manufacturer. The attackers exfiltrated large amounts of data from the company, which they later recycled to gain access to the network. This was part of a supply chain attack in which they sent emails targeting other companies.

The attackers knew that victims are likely to open emails from supposedly trusted sources, such as their business associates. The attack affected between 50 and 80 machines belonging to different organizations.

While these are the most common systems hackers hide behind, their options are diverse. Antivirus and anti-malware products are among the most commonly used defenses against cyber-attacks. However, new malware samples seem to slip past these legacy solutions daily.

The IT industry sees between 300,000 and 1 million new malware samples each day. This doesn't mean that criminals are continually manufacturing millions of new viruses, Trojans, or worms; there are probably only thousands of malware families in existence. The variation comes mostly from evasion techniques that make each copy of a malware family look new again, so that it evades security measures.

Besides hiding behind supposedly trustworthy networks, hackers combine their tactics with high-level evasion techniques to hide malware from victims and security software. 

I) Packers

A packer is a program that makes an executable file smaller by compressing it. It wraps the compressed executable in a small piece of code that decompresses it at runtime. Once packed, the executable no longer looks like the original on disk.

Malware detection relies on malware researchers, or their automated systems, finding a pattern in a known malware file. This could be a sequence of bytes or a file hash. Once identified, the pattern serves as a unique identifier, or signature, for that specific malware.

Take note that there are legitimate uses for packers. They are used to make executables smaller and, in some cases, harder for software pirates to reverse engineer. Packers are also used to hide malware from users' antivirus. An antivirus program can detect that a file is packed, but because packing executables is legitimate, that alone does not tell it whether the file is malware.

II) Crypters

A crypter is an application similar to a packer but adds obfuscation or encryption. Like a packer, it aims to change the binary fingerprint of a file to escape security detection. It works by encrypting the original executable's code with an encryption algorithm.

It then creates a stub: the initial program containing everything needed to decrypt and run the embedded payload. Attackers use various crypters sold on black markets; there are also free ones, such as the well-known Veil-Evasion framework.

Both packers and crypters share a weakness: they protect malware from static analysis but not from dynamic analysis. Static analysis is performed on files that haven't been executed yet.

Since you want to stop malware before it attacks your system, most antivirus products scan files as they pass through the network or get copied onto a file system. Unfortunately, packing or encryption limits how much static analysis can learn about a file, because the interesting content is compressed or encrypted.

Dynamic analysis refers to detection techniques applied after a file has been executed. It lets an analyst see the malware code in memory and observe what else it does. A packed or crypted file has to unpack or decrypt itself in order to run, so products using dynamic analysis can recognize the malware once it runs.

Besides, once antivirus companies learn how to detect particular packers or their stubs, they can flag files built with them without having to see the decoded binary.

Unfortunately, packers and crypters continue to evolve against antivirus software. They now use techniques such as decrypting only small portions of the real payload in memory at a time, which makes matters much harder for AV products.
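The packer and crypter sections above make two claims that are easy to see in code: a hash or byte-pattern signature built from the unpacked file does not match the packed form, and a packed or encrypted section still gives itself away because its bytes are close to random (high entropy), which is one of the heuristics scanners use. The following Python example is added here to illustrate that; it is not from the article or any product. Every byte string in it is constructed for the demonstration (a repetitive "unpacked" sample and a deterministic pseudo-random stand-in for a packed section), and the entropy threshold of 7.0 bits per byte is an assumed rule of thumb, not a published constant.

```python
"""Added example: why packing defeats static signatures, and the entropy
heuristic that notices packed or encrypted content anyway.
All sample bytes are constructed; no real malware is involved."""
import hashlib
import math

# --- constructed samples ---------------------------------------------------
# Stand-in for an unpacked executable's code section: mostly printable,
# repetitive bytes, the way compiled code and strings look (low entropy).
UNPACKED = (b"MZ\x90\x00"
            + b"This program cannot be run in DOS mode.\r\n" * 20
            + b"\x55\x8b\xec\x83\xec\x10" * 200)   # repeated instruction-like bytes


def _pseudo_random_blob(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 in counter mode) standing in
    for a packed/encrypted section. Deterministic so results are repeatable."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


# Two "variants" of the same payload, as a crypter run with two different keys
# would produce: same behaviour at runtime, different bytes on disk.
PACKED_VARIANT_A = _pseudo_random_blob(b"constructed-key-A", 4096)
PACKED_VARIANT_B = _pseudo_random_blob(b"constructed-key-B", 4096)


# --- static signatures -----------------------------------------------------
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hash signature and byte-pattern signature, both built from the UNPACKED sample.
KNOWN_BAD_HASHES = {sha256_hex(UNPACKED)}
KNOWN_BAD_PATTERNS = [b"\x55\x8b\xec\x83\xec\x10" * 4]


def matches_hash(data: bytes) -> bool:
    return sha256_hex(data) in KNOWN_BAD_HASHES


def matches_pattern(data: bytes) -> bool:
    return any(p in data for p in KNOWN_BAD_PATTERNS)


# --- entropy heuristic -----------------------------------------------------
def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 8.0 at most. Compressed or encrypted data sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


PACKED_THRESHOLD = 7.0   # assumed rule-of-thumb cut-off; tune on your own corpus


def classify(data: bytes) -> dict:
    """Run all three checks and report what each one sees."""
    entropy = shannon_entropy(data)
    return {
        "hash_match": matches_hash(data),
        "pattern_match": matches_pattern(data),
        "entropy": round(entropy, 2),
        "looks_packed": entropy >= PACKED_THRESHOLD,
    }


if __name__ == "__main__":
    for name, blob in [("unpacked", UNPACKED),
                       ("packed A", PACKED_VARIANT_A),
                       ("packed B", PACKED_VARIANT_B)]:
        print(f"{name:9s} {classify(blob)}")
```

Run as a script, the unpacked sample matches both signatures and is not flagged as packed, while both packed variants miss every signature (and differ from each other, which is the polymorphism problem described later) yet are flagged by the entropy check. The entropy check is only a hint, since legitimately packed or compressed files trip it too; that is exactly why the article says dynamic analysis, rather than static inspection, is what ultimately catches packed malware.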

III) Polymorphic Malware

Polymorphic malware repeatedly applies packing and crypting to change its appearance. However, instead of using static keys as most crypters do, polymorphic malware uses more sophisticated encryption with randomly generated decoders, keys, and variables.

The malware mutates every time it copies itself to a new location. This lets criminals set up servers that automatically morph the malware before sending each copy to a new target. Server-side polymorphic malware is highly popular and accounts for the majority of daily malware variants.

IV) Downloaders, Droppers, and Staged Loading

Droppers are staging programs now commonly used by many types of malware. Their purpose is to learn as much as they can about a system before installing the actual malware. Some droppers scope out a system first so that downloading and installing the malware does not create security alerts.

They may also kill security processes or check whether they're running on a virtual machine. Another approach is to download secondary payloads over encrypted back channels and inject the malware directly into known Windows processes to avoid detection.

[Image: Malwarebytes blocks Trojan.Dropper (© Malwarebytes Labs)]

Fortunately, antivirus products and new programs can be designed to defend themselves against dropper techniques.

These are the most common techniques hackers use to take over the systems mentioned earlier. The tactics are relatively basic but very effective.
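Each dropper behaviour listed above (scoping out the machine, killing security processes, checking for a virtual machine, injecting into a known Windows process) leaves a trace in endpoint telemetry, which is what gives defenders a handle on it. The Python example below is added here to show what such detection logic looks like; it is not from the article or from any vendor. The events are constructed for the demonstration and only loosely follow the shape of Sysmon's ProcessCreate (Event ID 1) and CreateRemoteThread (Event ID 8) records; the rule names, the directory list and the set of "security process" names are assumptions you would replace with your own environment's values.

```python
"""Added example: simple detection rules for the dropper behaviours described
above, run over constructed Sysmon-style events (not real logs)."""
import re

# Constructed events. Field names loosely follow Sysmon Event ID 1
# (ProcessCreate) and Event ID 8 (CreateRemoteThread); values are made up.
EVENTS = [
    {"id": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "ParentImage": r"C:\Program Files\Mail\mail.exe",
     "CommandLine": "invoice.exe"},
    {"id": 1, "Image": r"C:\Windows\System32\taskkill.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "CommandLine": "taskkill /F /IM MsMpEng.exe"},
    {"id": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "CommandLine": "wmic computersystem get model"},
    {"id": 8, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    # Benign noise: an ordinary parent/child pair that no rule should flag.
    {"id": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

# Assumed values: directories a normal user can write to, the security product
# processes you care about, and system processes that are popular injection
# targets. Extend each for your own environment.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Public)\\", re.I)
SECURITY_PROCS = {"msmpeng.exe"}
SYSTEM_TARGETS = {r"c:\windows\explorer.exe", r"c:\windows\system32\svchost.exe"}
# WMI hardware queries are one common way a dropper checks for a VM/sandbox.
VM_PROBE = re.compile(r"\bwmic\s+(computersystem|bios|baseboard)\b", re.I)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_exec_from_user_dir(ev):
    """Low severity on its own: an executable launched from a user-writable dir."""
    if ev["id"] == 1 and USER_WRITABLE.search(ev["Image"]):
        return f"{_base(ev['Image'])} launched from user-writable directory"
    return None


def rule_kill_security(ev):
    """taskkill aimed at a security product's process."""
    if ev["id"] == 1 and _base(ev["Image"]) == "taskkill.exe":
        cmd = ev["CommandLine"].lower()
        if any(p in cmd for p in SECURITY_PROCS):
            return f"security process targeted: {ev['CommandLine']}"
    return None


def rule_vm_probe(ev):
    """Hardware query via WMI, spawned by something in a user-writable dir."""
    if (ev["id"] == 1 and USER_WRITABLE.search(ev["ParentImage"])
            and VM_PROBE.search(ev["CommandLine"])):
        return f"VM/sandbox probe from {_base(ev['ParentImage'])}"
    return None


def rule_inject_into_system(ev):
    """Remote thread created from a user-writable dir into a system process."""
    if (ev["id"] == 8 and USER_WRITABLE.search(ev["SourceImage"])
            and ev["TargetImage"].lower() in SYSTEM_TARGETS):
        return (f"remote thread from {_base(ev['SourceImage'])} "
                f"into {_base(ev['TargetImage'])}")
    return None


RULES = [rule_exec_from_user_dir, rule_kill_security,
         rule_vm_probe, rule_inject_into_system]


def detect(events):
    """Return (rule name, detail) for every rule that fires on any event."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append((rule.__name__, hit))
    return alerts


if __name__ == "__main__":
    for name, detail in detect(EVENTS):
        print(f"[{name}] {detail}")
```

The individual rules are noisy in isolation (plenty of legitimate installers run from Downloads), so in practice the value comes from correlating them by parent process: here all four alerts chain back to the same executable in the Temp directory, which is the dropper pattern the article describes.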

How to Tell if Your System Has Been Hacked

Clearly, both personal and organizational systems can fall into the hands of attackers. You may wonder why anyone would want to hack your system; the answer is that attackers use compromised systems to disguise themselves and make their next attack easier.

You must learn to recognize when your system is under attack to take the necessary measures. Here are some common tell-tale signs of a hacked system. 

Frequent Random Pop-Ups

[Image © 2-Spyware]

This is one of the surest signs that a computer is infected with malware. The more frequent the annoying pop-ups in your web browser, the worse the situation. Be especially wary if they show up on sites that don't normally generate pop-ups.

Antivirus Shutdown

Some types of malware take over your antivirus software and disable it. If you notice that your antivirus is no longer running and can't be opened, even from Task Manager, it has most likely been compromised. Re-enabling it is usually almost impossible.

Programs You Didn’t Install Show Up

Sometimes, malicious software disguises itself as legitimate software and slips onto your computer. This usually happens with the help of worms or malware that attach themselves to programs as they get installed. If you notice an unknown application on your system, it's most likely malware.

Passwords No Longer Work

If you can't sign in to your accounts with the correct passwords, there's a high chance you've been locked out through a phishing trap. A common trick is for attackers to send an email that looks like an authentic message from your service provider. They'll ask you to update your password, and if you fall for the trick, they gain access to your account.

Fake Emails from Your Account

[Image: a phishing email that was one gigantic hyperlink, so clicking anywhere in it would launch the attack (© SecurityMetrics)]

Once a virus gets into your email account, it may try to spread to other accounts by sending fake emails to your contacts. Counterfeit emails that appear to come from your account don't automatically mean the account has been hacked, since the sender address may simply be spoofed, but it's essential to be on the lookout.

What to do if Your System Has Been Hacked

Upon realizing that your system or computer has been hacked, you need to take the necessary measures immediately. The first step is to run a full virus scan to detect the malware at work. If the antivirus itself has been compromised, uninstall the old version and install a fresh one, preferably from a different vendor.

Next, review all the applications installed on your computer. If any doesn't look legitimate, uninstall it right away. Thirdly, change all your online account passwords. Avoid using dictionary words, short words, or your name as a password.

Make your online behavior safer by:

  • Using two-factor authentication
  • Using a VPN to browse privately and securely
  • Using a password manager to keep your passwords safe
  • Clearing browser cookies regularly
  • Avoiding clicking on unknown or suspicious links

For an even better online experience, don’t wait until you get hacked to take protective steps. Always take steps to enhance your security and keep your systems updated. 

Take Away

Modern-day cybercriminals invest a lot of time in finding new places to hide before launching an attack. They aim to be as discreet as possible and so take advantage of systems that their targets would hardly suspect of being malicious.

Some of the systems they have successfully taken over include social clubs, public schools, small business networks, and corporate systems. Sometimes they also take over individual accounts and send malicious software to the contacts in those accounts.

To enhance their disguise, hackers make use of various programs such as packers, crypters, downloaders, and polymorphic malware. Reduce your exposure to cyber-attack by installing the latest updates, using reliable and robust antivirus software, and avoiding links that don't look familiar to you.
