Shadowy threat group piggybacks on their peers’ efforts with trojanized hacking tools
A cyber threat group has been booby-trapping underground forums with trojanized hacking tools in a campaign lasting several years, according to research published today.
The attackers’ weapon of choice, the investigation by Cybereason Nocturnus reveals, is njRat – a remote access trojan (RAT) used to hijack a victim’s machine to perform keylogging, take screenshots, manipulate and exfiltrate data, and conduct webcam and microphone recording.
Anyone downloading the maliciously modified hacking tools – potentially for nefarious ends – will then unwittingly become victims themselves, with njRat giving attackers access to sensitive data and a platform for launching DDoS attacks, Cybereason suggests.
The ongoing investigation has surfaced almost 1,000 njRat samples and is uncovering new iterations on a daily basis.
“These files propagated quite a lot around various websites,” Amit Serper, principal security researcher at Cybereason, told The Daily Swig.
As well as using their own infrastructure, the threat actors have commandeered vulnerable WordPress domains to host malicious njRat payloads.
Around 700 samples contacted one such domain – a former Turkish gaming website dedicated to the Minecraft video game that was re-registered by a Vietnamese individual in 2018.
While Cybereason could not definitively tie this individual to the domain’s later use for hosting malware, the researchers also traced frequent VirusTotal scans of the campaign’s samples to an IP address in the same country.
‘Baiting other hackers’
The trojanized hacking utilities, some of which were being offered as cracked versions of licensed software, included automated SQL injection tools such as Havij and SQLi Dumper.
“What’s interesting is that the campaign is widespread and is essentially hackers baiting other hackers into using their maliciously modified tools,” said Serper.
“Is there no longer honesty amongst the thieves? The threat actors gain complete access to the hackers’ environments from which to carry out attacks to steal sensitive data or conduct DDoS attacks.”
However, hackers appear not to be the sole targets: some samples found by Cybereason trojanized Chrome browser installers, native Windows applications, and other programs unassociated with hacking.
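The practical check for anyone who downloads a third-party tool, cracked or otherwise, is to verify its hash against a trusted source before running it, and to treat a binary that carries a second executable inside it with suspicion. The following is an added example, not code from Cybereason or from the article: it assumes (the article does not say how the tools were modified) the common trojanizing pattern of appending a dropper executable to the legitimate program, and demonstrates both a hash allow-list and a heuristic that counts well-formed PE headers in a file. The "binaries" are constructed PE-shaped byte strings, not real malware, and KNOWN_GOOD is a hypothetical allow-list.

```python
import hashlib
import struct


def build_pe(payload: bytes, stub_len: int = 0x80) -> bytes:
    """Construct a minimal PE-shaped blob for the example: an 'MZ' stub whose
    e_lfanew field (offset 0x3C) points at a 'PE\\0\\0' signature, then a body.
    This is test data, not a real executable."""
    hdr = bytearray(b"MZ" + b"\x00" * (stub_len - 2))
    struct.pack_into("<I", hdr, 0x3C, stub_len)  # e_lfanew -> PE signature
    return bytes(hdr) + b"PE\x00\x00" + payload


# Constructed samples: a "clean" tool and the same tool with a second
# executable appended, the assumed trojanizing pattern.
CLEAN_TOOL = build_pe(b"sqli-tool-body-" * 4)
TROJANIZED_TOOL = CLEAN_TOOL + build_pe(b"dropper-body-" * 8)

# Hypothetical allow-list; in practice these hashes come from the vendor
# or a known-good build, never from the forum post offering the download.
KNOWN_GOOD = {hashlib.sha256(CLEAN_TOOL).hexdigest()}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def count_pe_headers(data: bytes) -> int:
    """Count 'MZ' headers whose e_lfanew lands on a 'PE\\0\\0' signature.
    A normal executable has exactly one; a second one indicates an
    embedded or appended executable."""
    count = 0
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if 0 < e_lfanew < len(data) and data[sig:sig + 4] == b"PE\x00\x00":
                count += 1
        pos = data.find(b"MZ", pos + 1)
    return count


def assess(data: bytes) -> dict:
    """Combine the allow-list lookup with the embedded-PE heuristic."""
    digest = sha256(data)
    pe_count = count_pe_headers(data)
    return {
        "sha256": digest,
        "known_good": digest in KNOWN_GOOD,
        "embedded_pe_count": pe_count,
        # Flag only when the hash is unknown AND extra PE headers are present.
        "suspicious": digest not in KNOWN_GOOD and pe_count > 1,
    }


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_TOOL), ("trojanized", TROJANIZED_TOOL)):
        print(name, assess(blob))
```

The hash check is the one that actually decides anything; the PE-header count is a triage heuristic with known false positives (legitimate installers and self-extracting archives also carry embedded executables), so an unknown hash plus extra headers should send the file to a sandbox rather than straight to the bin. A file that matches no trusted hash should not be run at all, whatever the header count says.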
Cybereason researchers said “it is safe to assume that many individuals have been infected by this campaign” but were unable to pinpoint a specific number.