HP Report: Hacking Tool Downloads Jump in First Half of 2021

The hacking tools in wide circulation are surprisingly capable.

Edward Gately, Senior News Editor

July 27, 2021

4 Min Read
Downloading progress bar

A new HP report shows a 65% increase in the use of hacking tools downloaded from underground forums and filesharing websites during the first half of 2021 compared to the second half of 2020.

The HP report also shows a significant increase in the frequency and sophistication of cybercrime activity. The data was gathered within HP Wolf Security customer virtual machines during the first half of this year.

The hacking tools in wide circulation are surprisingly capable, according to HP. For example, one tool can solve CAPTCHA challenges to perform credential stuffing attacks against websites.

More broadly, the report found cybercrime is more organized than ever. Underground forums provide a perfect platform for threat actors to collaborate and share attack tactics, techniques and procedures.

Surprisingly Low Detection


HP’s Alex Holland

Alex Holland is senior malware analyst at HP.

“One of the more surprising findings was seeing how effective obfuscation can be at evading traditional detection technologies,” he said. “In March, we investigated a multi-stage obfuscated Visual Basic Script malware campaign that targeted senior business executives. An initial malicious script was used by the attacker to establish persistence on the victim’s computer and deliver secondary stages of malware. What surprised us was the low detection rate of the malware, with only 21% of antivirus scanners on VirusTotal detecting it as malicious at the time.”

The increase in hacking tool downloads likely points to growing attacker intent and capability, Holland said.

“The cybercrime ecosystem today is driven by ransomware affiliates, who have created demand for specialized services needed to conduct successful attacks, such as initial access to networks and malware distribution,” he said. “We believe this demand is having the effect of encouraging more financially-motivated criminals into cybercrime, feeding into increased levels of attacker desire and the expectation that attacks will succeed.”

Notable Threats

Among key findings in the HP report:

  • Cybercriminal collaboration is opening the door to bigger attacks against victims;

  • Information stealers are delivering nastier malware; and

  • A resume-themed malicious spam campaign is targeting shipping, maritime, logistics and related companies in seven countries. It exploits a Microsoft Office vulnerability to deploy the commercially-available Remcos remote administration tool (RAT) and gain backdoor access to infected computers.

“Threat actors are collaborating more than ever – be it buying and selling tools or access from each other, or coordinating attacks together,” Holland said. “The result is that organizations face risks from highly capable and experienced crews, making it harder to protect the endpoint. In response, we recommend organizations put comprehensive and resilient endpoint infrastructure and cyber defense measures in place.”

Features like hardware-based process isolation minimize the attack surface of systems, he said. It can contain threats from email, browsers and downloads, the most common attack vectors.

Other key findings in the report include:

  • Seventy-five percent of malware detected was delivered via email, while web downloads were responsible for the remaining 25%; Threats downloaded using web browsers rose by 24%. That’s partially driven by users downloading hacking tools and cryptocurrency mining software;

  • The most common email phishing lures were invoices and business transactions (49%), while 15% were replies to intercepted email threads;

  • The most common type of malicious attachments were archive files (29%), spreadsheets (23%), documents (19%) and executable files (19%); andThe report found 34% of malware captured was previously unknown, a 4% drop from the second half of 2020.

Assessing Risk

“One way to assess the risk posed by different types of threats is to consider the factors that drive and enable threat actors, such as desire, expectation, knowledge and resources,” Holland said. “The increase in hacking tool activity may indicate an increase in attacker intent, i.e. the desire to perform attacks and the expectation they will succeed. It also points to the widespread availability of hacking tools within the cybercrime ecosystem, i.e. the resources at attackers’ disposal. A big driver of why hacking tools are so easy to obtain is widespread malware piracy or ‘cracking,’ enabling anyone to use tools without payment – even if developers intended otherwise.”

One positive development is COVID-19-related phishing lures appear to be waning. They contributed to less than 1% of email phishing lures in HP Wolf Security telemetry.

“Malware distributors prefer to use lures that have proven effective generically across different regions,” Holland said. “So this could indicate that topical lures related to the pandemic have been less effective recently at tricking users into clicking malicious links and attachments compared to other types of lures.”

Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.

Read more about:

VARs/SIsChannel Research

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like