The hacking community has been warned to be alert to cyber criminals turning popular hacking tools into a means of spreading remote access trojans (RATs), in a newly uncovered campaign discovered by threat researchers at Cybereason’s Nocturnus lab.
The campaign exploits the well-known and widely used njRat trojan, also known as Bladabindi, which was developed by Middle Eastern threat groups between seven and eight years ago. If opened, njRat takes over the victim’s machine and can be used to extract system information, execute and manipulate files, open remote shells so attackers can use the command line, record from cameras or microphones, log keystrokes, and steal stored passwords, among other things.
The new campaign spreads njRat by injecting it into downloadable hacking tools and other installers, said Cybereason. These tools are being posted on various underground forums and websites to bait other hackers into falling “victim” to njRat.
The firm believes the campaign has been running for a considerable length of time and appears to be the product of a so-called “malware factory” that churns out new iterations of the various compromised tools on an almost daily basis, possibly using some degree of automation.
“This investigation surfaced almost 1,000 njRat samples compiled and built on almost a daily basis. It is safe to assume that many individuals have been infected by this campaign although at the moment we are unable to know exactly how many,” said Amit Serper, Cybereason’s vice-president of security, in a disclosure blog.
“This campaign ultimately gives threat actors complete access to the target machine, so they can use it for anything from conducting DDoS attacks to stealing sensitive data off the machine.”
The campaign poses a threat beyond the confines of the hacker community: if a victimised hacker already has access to your systems, whoever compromised that hacker inherits the same access.
In the campaign, njRat masquerades as a legitimate Windows process and was found to be connecting to two IP addresses: one belonging to a compromised WordPress site of a legitimate Indian pen manufacturer, and the other to a Minecraft site located in Turkey that since late 2018 has been re-registered by an individual in Vietnam, who may be associated with the campaign.
“It is clear the threat actors behind this campaign are using multiple servers, some of which appear to be hacked WordPress blogs,” said Serper. “Others appear to be the infrastructure owned by the threat group.”
Cybereason found that all the njRat samples associated with the Turkish-Vietnamese site were trojanised penetration testing and hacking tools, although the campaign is by no means targeting just the hacking community – it also appears to be trojanising Chrome installers, native Windows apps and other programs that have nothing to do with hacking or penetration testing.
“At the moment, we are unable to ascertain the other victims this malware campaign is targeting, other than those targeted by the trojanised hacking tool,” said Serper, who is continuing to monitor the campaign.
Cybereason has published a lengthy list of indicators of compromise (IoCs), which can be downloaded from its website.