Cybercriminals up their game as ‘cracking’ drives big rise in hacking tool downloads

Availability of hacking tools allowing anyone to use them without paying

Cybercriminals are supercharging their hacking skills, a new report says.

The widespread availability of hacking tools in the cybercrime ecosystem is being driven by widespread malware piracy or "cracking," allowing anyone to use tools without paying, HP Wolf Security said in a new report.

In the first half of this year, there was a 65% increase in hacking tools downloaded from filesharing websites and underground forums compared to the second half of 2020, the report said.

Ticker Security Last Change Change %
HPQ HP INC. 31.30 +0.41 +1.33%


The top malware delivery file type in the first half of this year were archive files, such as ZIP files, while Excel spreadsheets were the second most popular file type for malware delivery, according to the report.

Behind all of this are underground forums and chatrooms where bad actors share tactics, techniques and procedures and/or buy and sell stolen data or unauthorized access.

Long list of stealthy malware

In March, HP Wolf Security detected a user downloading a cracked copy of Sentry MBA from a Turkish-language cracking forum. This is a popular hacking tool is used for credential stuffing, a tactic where hackers try to break into accounts using stolen lists of credentials such as usernames and passwords. Sentry MBA takes advantage of a bad habit among average users: using the same password for multiple accounts.

As part of a "multi-stage Visual Basic Script (VBS)" malware campaign, senior business executives were targeted via email with a malicious ZIP attachment using their first and last names. 

"Only 21% of anti-virus scanners…detected it as malicious," the report said.  


An information stealer, called CryptBot, was repurposed to drop a banking Trojan, DanaBot, "as a follow-up infection," the report said. DanaBot is a family of malware associated with the financial crime group TA547. Criminal groups regularly repurpose malware to deploy other malware, the report said.  

"Snake" is a keylogger – malware that records keystrokes – and a credential stealer. Malicious spam campaigns distributing this malware family have been regularly spotted by HP researchers. An analysis of Snake’s code revealed similarities with other keylogger families. 

"This ‘remix’ behavior of opportunistically copying source code from established malware families demonstrates how easy it is for cybercriminals to create their own malware-as-a-service businesses," the report said.