Cybersecurity Specialists Created the Hopper Worm to Protect against Other Worms
The Cymulate development team announced that it created the Hopper worm to protect users from attacks by other worms.
Worms are among the most destructive forces in information security, causing multi-million-dollar damage to companies. Despite this, some viruses are beneficial, and Hopper is such a virus.
Let me remind you that we also reported that the new AI system, the thatDot Novelty Detector, speeds up the detection of malicious activity.
Detection tools are not good at catching non-exploit-based propagation, which is exactly what worms do best. Most information security solutions offer little resistance to worm techniques such as token impersonation (which allows an attacker to perform any action on behalf of another user) and to techniques that take advantage of weak internal configuration: the set of PAM libraries, network segmentation, insecure credential storage, and so on.
Hopper is a worm with command and control, built-in privilege escalation, and many of the most dangerous abilities of a self-replicating virus.
“Unlike most worms, Hopper was created to do good.” Hopper tells its white-hat operators where and how it managed to infiltrate the network.
It reports how far it got, what it found along the way, and how to improve the defenses.
The Cymulate development team built Hopper around a stager, a small executable used as the initial payload that prepares a larger payload. The stager also serves as a PE packer (a program that indirectly downloads and executes programs from a package). The stager was written so that the initial payload does not need to change when Hopper is updated.
To maximize Hopper’s flexibility, the Cymulate team has added various initial execution methods, communication methods, initial payload retrieval methods, various injection methods, and more.
To create a stealthy worm, the developers made the configuration almost completely operator-controlled:
- Initial payload configuration – fully customizable execution methods, including executables, libraries, Python scripts, shellcodes, PowerShell scripts, etc.;
- First stage payload configuration – custom methods for receiving and injecting packets;
- Second stage beacon configuration – configured communication channels and keepalive timeout, as well as jitter (delay fluctuations, meaning that packets are sent and received at different rates);
- API – adding new features over the air, including communication methods, propagation methods, and exploits.
Hopper’s initial deployment is in-memory and staged. The first stage is a small stub with limited features. Instead of carrying the main code inside itself, the stub loads and runs a larger piece of code, which makes it harder to flag the file as malicious.
For privilege escalation, the authors chose several methods of bypassing UAC, abusing vulnerable (print spooler) and misconfigured services, and using autorun entries for privilege escalation or persistence in the network. Hopper uses the minimum privileges needed to achieve its goals. For example, if a machine already grants a user access to a target device, Hopper may not elevate privileges at all in order to propagate to that device.
Hopper has centralized credential management, allowing collected data to be shared across instances. Every Hopper instance has access to the collected credentials, so there is no need to duplicate the credential database on other machines.
Hopper spreads by exploiting misconfigurations. Abuse of a misconfiguration is difficult to recognize as malicious activity. For example, incorrect Active Directory settings can open access to a resource, and incorrect software settings can allow a user to execute code remotely.
The Cymulate team chose in-memory execution for Hopper because it allows direct system calls instead of the API calls that EDR products hook and monitor. If Hopper really does need to use API functions, it first detects and unloads the EDR hooks.
To maintain stealth, Hopper contacts its C2 server only during business hours, disguising the traffic as normal work activity. It also communicates only with allow-listed servers (such as Slack, Google Sheets, or other public services).
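The beaconing behaviour described above (business-hours contact, allow-listed public destinations, jittered keepalive) is exactly the pattern a defender can still hunt for in proxy logs. The following is an added detection example written for this article; it is not Cymulate's or Hopper's code. It assumes a simple constructed log format of `timestamp client destination` per line and scores each (client, destination) pair on how regular its inter-contact intervals are, using the coefficient of variation of the gaps: a low value means the contacts are periodic even when jitter is applied. The business-hours fraction is reported as context, and the thresholds are tunable assumptions.

```python
"""Added defensive example: flag periodic (jittered) beaconing per client/destination
pair in a proxy log. Not code from Cymulate or the Hopper project; log format,
thresholds and sample data are assumptions constructed for this example."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

MIN_CONTACTS = 6              # fewer contacts than this gives no usable interval statistics
MAX_CV = 0.2                  # coefficient of variation at or below this counts as periodic
BUSINESS_HOURS = range(9, 18) # 09:00-17:59 local time (assumed working day)

# Constructed sample proxy log: 10.0.0.5 contacts the destination roughly every
# 5 minutes with jitter, entirely inside business hours; 10.0.0.7 contacts the
# same destination at irregular times, including outside business hours.
SAMPLE_LOG = """\
2024-03-04T09:00:12 10.0.0.5 sheets.example.test
2024-03-04T09:05:03 10.0.0.5 sheets.example.test
2024-03-04T09:10:20 10.0.0.5 sheets.example.test
2024-03-04T09:14:55 10.0.0.5 sheets.example.test
2024-03-04T09:20:08 10.0.0.5 sheets.example.test
2024-03-04T09:25:14 10.0.0.5 sheets.example.test
2024-03-04T09:29:50 10.0.0.5 sheets.example.test
2024-03-04T09:35:02 10.0.0.5 sheets.example.test
2024-03-04T09:40:11 10.0.0.5 sheets.example.test
2024-03-04T09:44:58 10.0.0.5 sheets.example.test
2024-03-04T09:50:06 10.0.0.5 sheets.example.test
2024-03-04T09:55:09 10.0.0.5 sheets.example.test
2024-03-04T08:12:00 10.0.0.7 sheets.example.test
2024-03-04T09:40:30 10.0.0.7 sheets.example.test
2024-03-04T09:41:05 10.0.0.7 sheets.example.test
2024-03-04T13:02:44 10.0.0.7 sheets.example.test
2024-03-04T16:58:10 10.0.0.7 sheets.example.test
2024-03-04T21:15:00 10.0.0.7 sheets.example.test
"""


def parse_log(text):
    """Group contact timestamps by (client, destination). The three-column
    whitespace-separated format is an assumption for this example."""
    contacts = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, client, destination = line.split()
        contacts[(client, destination)].append(datetime.fromisoformat(timestamp))
    return contacts


def score_pair(timestamps):
    """Compute interval regularity and business-hours concentration for one pair."""
    times = sorted(timestamps)
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
    avg = mean(gaps)
    # Jitter changes individual gaps but keeps them clustered around the base
    # interval, so the spread relative to the mean stays small for a beacon.
    cv = pstdev(gaps) / avg if avg > 0 else float("inf")
    in_hours = sum(t.hour in BUSINESS_HOURS for t in times) / len(times)
    return {
        "contacts": len(times),
        "mean_interval_s": round(avg, 1),
        "cv": round(cv, 3),
        "business_hours_fraction": round(in_hours, 2),
    }


def find_periodic_beacons(log_text):
    """Return per-pair statistics, marking pairs whose contacts are periodic."""
    findings = {}
    for pair, stamps in parse_log(log_text).items():
        if len(stamps) < MIN_CONTACTS:
            continue
        stats = score_pair(stamps)
        stats["periodic"] = stats["cv"] <= MAX_CV
        findings[pair] = stats
    return findings


if __name__ == "__main__":
    for (client, destination), stats in find_periodic_beacons(SAMPLE_LOG).items():
        flag = "PERIODIC" if stats["periodic"] else "irregular"
        print(f"{client} -> {destination}: {flag} "
              f"mean={stats['mean_interval_s']}s cv={stats['cv']} "
              f"business_hours={stats['business_hours_fraction']}")
```

In practice the allow-listed destination (a collaboration or spreadsheet service) looks benign on its own, which is why the score is computed per client rather than per destination: one host talking to the same public service every few minutes all day, with the gaps varying only slightly, is the signal to investigate, while the same service used by a person produces irregular gaps and a much higher coefficient of variation.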
To prevent worm attacks, the white-hat Hopper is the ideal solution. Hopper turns the power of the worm into a real defense tool.