The Sinister Side of Cryptography: How Cybercriminals Misuse RC4, AES, and Blowfish
Criminals Take the Reins: The Role of Cryptography in Fuelling Cybercriminal Activities
In the digital world, cryptography was designed to safeguard our communications, protect privacy, and secure transactions. Yet, these shields have been transformed into weapons by hackers who use them for bane rather than boon - for malware, credential theft, and concealing command-and-control channels.
1. The Hacker's Playground: RC4, AES, and Blowfish
1.1 RC4: A Favorite among Hackers - From KSA to Keystream Chaos
Introduced by Ron Rivest, RC4 (Rivest Cipher 4) became a widely adopted cipher for data encryption. Despite its popularity, it is not invulnerable. It is quick and lightweight, which makes it attractive for payload obfuscation and C2 traffic encryption, and that same speed has made it a favourite of malware families such as TrickBot, Dridex, GandCrab, and WannaCry.
Working of RC4: How Malware like Dharma and WannaCry Take Advantage of its Speed
- Key Scheduling Algorithm (KSA): the state array S is initialized to the identity permutation and then scrambled, one position at a time, under control of the secret key:
    S = [0, 1, 2, ..., 255]
    j = 0
    for i in 0 .. 255:
        j = (j + S[i] + key[i % key_length]) % 256
        swap(S[i], S[j])
- Pseudo-Random Generation Algorithm (PRGA): the keystream is produced one byte at a time by updating the indices i and j, swapping two entries of S, and extracting a byte:
    i = j = 0
    for each plaintext byte:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        swap(S[i], S[j])
        keystream_byte = S[(S[i] + S[j]) % 256]
- XOR Operation: each plaintext byte is XORed with the corresponding keystream byte; because XOR is its own inverse, running the same procedure over the ciphertext decrypts it:
    ciphertext_byte = plaintext_byte XOR keystream_byte
1.2 AES Revealed: Tracking Encryption Ghosts in Malware Code
AES can be spotted while examining malware thanks to its telltale lookup tables, the S-boxes and T-tables. Security researchers employ tools such as FindCrypt, an IDA Python plugin that detects such encryption constants automatically, allowing for swift investigation.
REvil Ransomware Code Analysis
Spotting strings like Rijndael_inv_sbox within the components of a malware is another good clue of AES encryption usage.
1.3 Blowfish: The Malware Developer's Secret Weapon
Blowfish, a symmetric block cipher, begins with a key-setup phase before any data is encrypted. The P-array, 18 entries long, is prepared first by two loops that each run 18 times. Next an outer loop runs four times, once per S-box, and each pass contains an inner loop of 256 steps that fills that S-box. The S-boxes are what scramble the data, and this shared setup structure is completed before data encryption starts.
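The constant-scanning approach described in 1.2, as an added example that is not part of the original article or of FindCrypt: it derives the AES S-box, inverse S-box and Te0 T-table from the field arithmetic instead of hard-coding them, adds the first eight words of the Blowfish P-array from 1.3 so the same scanner covers both ciphers, and reports where each table sits in a constructed sample image. The 32-bit tables are serialized as a little-endian x86 build stores them (an assumption), and the sample blob with its offsets is constructed, not taken from any real malware.

```python
import random

# First eight of the 18 Blowfish P-array words (hex digits of pi); a prefix suffices for a match.
BLOWFISH_P_PREFIX = (0x243F6A88, 0x85A308D3, 0x13198A2E, 0x03707344,
                     0xA4093822, 0x299F31D0, 0x082EFA98, 0xEC4E6C89)

def _xtime(b: int) -> int:
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x11B) if b & 0x100 else b

def aes_sbox() -> bytes:
    """Derive the forward AES S-box: GF(2^8) inverse, then the affine transform."""
    exp, log, x = [0] * 256, [0] * 256, 1
    for i in range(255):            # 3 generates GF(2^8)*, so this visits every non-zero element
        exp[i], log[x] = x, i
        x ^= _xtime(x)              # x *= 3
    sbox = bytearray(256)
    for a in range(256):
        inv = s = 0 if a == 0 else exp[(255 - log[a]) % 255]
        for _ in range(4):          # s ^= rotl(inv,1) ^ rotl(inv,2) ^ rotl(inv,3) ^ rotl(inv,4)
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox[a] = s ^ 0x63
    return bytes(sbox)

def signatures() -> dict:
    """Byte patterns a FindCrypt-style scanner looks for. 32-bit tables are laid out as
    a little-endian x86 build stores them (assumption; a big-endian target would differ)."""
    sbox = aes_sbox()
    inv_sbox = bytearray(256)
    for i, v in enumerate(sbox):
        inv_sbox[v] = i
    le = lambda words: b"".join(w.to_bytes(4, "little") for w in words)
    te0 = [(_xtime(s) << 24) | (s << 16) | (s << 8) | (_xtime(s) ^ s) for s in sbox]  # {02}s|{01}s|{01}s|{03}s
    return {"AES S-box": sbox, "AES inverse S-box": bytes(inv_sbox),
            "AES Te0 T-table": le(te0), "Blowfish P-array": le(BLOWFISH_P_PREFIX)}

def scan(blob: bytes, sigs: dict) -> dict:
    """Return {signature name: [offsets]} for every signature present in blob."""
    found = {n: [i for i in range(len(blob)) if blob.startswith(s, i)] for n, s in sigs.items()}
    return {n: offs for n, offs in found.items() if offs}

def build_sample() -> bytes:
    """Constructed stand-in for a malware image: filler with the S-box at 0x200, Te0 at 0x400, Blowfish P at 0x900."""
    rng, sigs = random.Random(7), signatures()
    fill = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    return (fill(0x200) + sigs["AES S-box"] + fill(0x100) + sigs["AES Te0 T-table"]
            + fill(0x100) + sigs["Blowfish P-array"] + fill(64))
```

A real run passes the mapped bytes of the binary under analysis instead of build_sample(); a hit only establishes that the tables are present, so the next step is locating the code that indexes them.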
2. The Bitter Pill
Cryptography was meant to serve as our protector, yet it has become the hacker's tool. Encryption instruments like RC4, Blowfish, AES, and other cryptographic algorithms are the levers of ransomware assaults. It's high time we responded by cracking obfuscated code more swiftly, recognizing encryption footprints within malware, and surpassing attackers through relentless innovation.
Enrichment Data:
Hackers exploit weaknesses in encryption algorithms such as RC4, AES, and Blowfish to facilitate malicious activities, including ransomware attacks. Here's how they abuse these algorithms:
RC4
- Weaknesses: RC4 is a stream cipher that faces biases in its initial keystream bytes, leading to cryptographic weaknesses. It was utilized in WEP (Wired Equivalent Privacy) for encryption, but its flaws were exposed in 2001 by Fluhrer, Mantin, and Shamir. They demonstrated that the short IV (Initialization Vector) and poor key management could enable attackers to recover the RC4 key used in WEP by eavesdropping on network traffic[5].
- Exploitation: Hackers can misuse RC4's weaknesses by:
- Key Recovery: In WEP, hackers can recover the key by analyzing network traffic, which can happen quickly if enough packets are intercepted[5].
- Data Tampering: RC4's single-byte biases can enable attackers to manipulate encrypted data, potentially leading to attacks like the Bar-mitzvah attack when used in TLS[1].
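The RC4 steps from section 1.1 and the initial-keystream bias noted in the Weaknesses item above, as an added Python example that is not code from the original article: rc4_crypt lets an analyst decrypt an RC4-protected payload or C2 message once the key has been pulled out of a sample, and second_byte_zero_rate measures the Mantin-Shamir second-byte bias empirically. The test vectors are the published RC4 ones for the keys "Key", "Wiki" and "Secret"; the bias measurement uses a seeded RNG so the figure is reproducible.

```python
import random

def rc4_ksa(key: bytes) -> list:
    """Key Scheduling Algorithm: permute S = [0..255] under control of the key."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    return s

def rc4_keystream(s: list, n: int):
    """Pseudo-Random Generation Algorithm: yield n keystream bytes from state S."""
    s, i, j = s[:], 0, 0            # work on a copy so the caller's S stays intact
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) % 256]

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """XOR step. Encryption and decryption are the same operation, so a key recovered
    from a sample is all an analyst needs to unpack an RC4-protected payload."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(rc4_ksa(key), len(data))))

def second_byte_zero_rate(trials: int = 20000, seed: int = 1) -> float:
    """Fraction of random 16-byte keys whose second keystream byte is 0. An ideal
    stream cipher gives about 1/256; RC4 gives about 1/128 (Mantin-Shamir, 2001),
    one of the early-keystream biases behind its removal from TLS."""
    rng = random.Random(seed)       # seeded so the measurement is reproducible
    zeros = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        if list(rc4_keystream(rc4_ksa(key), 2))[1] == 0:
            zeros += 1
    return zeros / trials

if __name__ == "__main__":
    print(rc4_crypt(b"Key", b"Plaintext").hex())   # bbf316e8d940af0ad3
    print(f"P[Z2 = 0] ~ {second_byte_zero_rate():.4f} (ideal 0.0039, RC4 ~0.0078)")
```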
AES
- Weaknesses: AES (Advanced Encryption Standard) is generally secure when employed appropriately. However, its implementations can be vulnerable if:
- Key Management: Poor key management, such as weak or reused keys, can compromise AES encryption.
- Side-Channel Attacks: AES implementations can be vulnerable to side-channel attacks, which recover key-related information leaked by the implementation rather than attacking the algorithm itself.
- Exploitation: Hackers typically exploit AES indirectly by:
- Side-Channel Attacks: Exploiting vulnerabilities in the way AES is implemented, such as using power consumption patterns to deduce encryption keys.
- Key Recovery: Gaining access to encryption keys through other means, such as exploiting software vulnerabilities or social engineering techniques.
Blowfish
- Weaknesses: Blowfish is an older block cipher that, while secure in its time, has several weaknesses:
- Key Length: Blowfish uses a maximum key size of 448 bits, which is short compared to modern standards like AES-256.
- Brute Force Attacks: Blowfish's relatively short key length makes it more vulnerable to brute-force attacks than AES.
- Exploitation: Hackers exploit Blowfish primarily through:
- Brute Force Attacks: Attempting to guess the key by trying all possible combinations, which is computationally intensive but feasible with modern computing power.
- Implementation Flaws: Exploiting any vulnerabilities in software that uses Blowfish for encryption.
Ransomware and Malicious Activities
- Unauthorized Access: Hackers often gain unauthorized access to systems using exploits in encryption or software vulnerabilities. Once inside, they can encrypt data using robust encryption, demanding ransom for decryption keys.
- Data Encryption: Weaknesses in encryption algorithms can be exploited to gain access to encrypted data, which hackers might then use for ransom demands or other malicious purposes.
- Manipulation of Encrypted Data: Exploiting biases or weaknesses in encryption algorithms can allow hackers to manipulate encrypted communications, potentially leading to data breaches or other cybercrimes.
In short, while RC4, AES, and Blowfish each have their flaws, hackers typically exploit these weaknesses indirectly by targeting key management, implementation flaws, or using the encrypted data for ransomware attacks after gaining unauthorized access through other means.
- The use of RC4, AES, and Blowfish encryption algorithms has turned from protection to weaponization by hackers, as they bypass key management, exploit implementation flaws, and even manipulate encrypted data to launch ransomware attacks.
- As encryption instruments such as RC4, AES, and Blowfish are increasingly being misused, there is a pressing need for technological advancements in deciphering obfuscated code, identifying encryption footprints within malware, and outpacing attackers with relentless innovation in cybersecurity.