A cybersecurity company based out of the United States has detected a new malware campaign of hackers becoming the target of other hackers who infect and repackage popular hacking tools with their own brand of malware.
Boston-based Cybereason Nocturnus says it is investing a campaign where attackers are “trojanizing multiple hacking tools with njRat, a well-known remote access trojan (RAT) whereby the campaign gives the attackers total access to the target machine. What is the purpose of this latest spate of cybercrime is not yet clear.
In a blog post by researcher Amit Serper, the company says that the threat actors behind this campaign are posting malware embedded inside various attacking tools and cracks for those tools on several websites. “Once the files are downloaded and opened, the attackers are able to completely take over the victim’s machine,” it says.
Serper is quoted by TechCrunch to suggest that it did not appear to be just a case of hackers targeting other hackers. The repackaged tools were not only opening a door into the hacker’s systems, but also into any other system that the specific cybercriminal had previous breached. So, in some ways it was a thief running away with the bounty of another thief.
In other words, those who are hacking the cybercriminals would automatically get access to all the assets that they have garnered by hacking into other systems. This appears to be quite a dangerous trend whereby one’s data could end up with multiple hackers across the world who could then be selling them to bidders of all hues.
Serper says that the RAT being used by the hackers has been in existence from at least 2013 where it was used against targets in the Middle East region through phishing emails and infected flash drives. Three years ago, the hackers had also used the same tactic to host malware on websites used for Islamic propaganda.
The report says that attackers have already compromised several websites by populating the njRAT malware samples. The author of the blog is of the view that the process of injecting the RAT has been occurring on a daily basis and could be automated. Which means that there might as well be no human interaction to the entire process. The key points that Amit Serper brings forth in the report are:
- Widespread Campaign: We have found a widespread hacking campaign that uses the njRat trojan to hijack the victim’s machine, giving the threat actors complete access that can be used for anything from conducting DDoS attacks to stealing sensitive data.
- Baiting Hackers: The malware is spreading by turning various hacking tools and other installers into trojans. The threat actors are posting the maliciously modified files on various forums and websites to bait other hackers.
- Using Vulnerable WordPress Websites: The threat actors are hacking vulnerable WordPress installations to host their malicious njRat payloads.
- A “Malware Factory”: It seems as if the threat actors behind this campaign are building new iterations of their hacking tools on a daily basis.
In conclusion, the report says:
- This investigation surfaced almost 1000 njRat samples compiled and built on almost a daily basis. It is safe to assume that many individuals have been infected by this campaign (although at the moment we are unable to know exactly how many). This campaign ultimately gives threat actors complete access to the target machine, so they can use it for anything from conducting DDoS attacks to stealing sensitive data off the machine.
- It is clear the threat actors behind this campaign are using multiple servers, some of which appear to be hacked WordPress blogs. Others appear to be the infrastructure owned by the threat group, judging by multiple hostnames, DNS data, etc.
- At the moment, we are unable to ascertain the other victims this malware campaign is targeting, other than those targeted by the trojanized hacking tools connecting to the “7777 server”. We will continue to monitor this campaign for any further developments.