Trojanized Hacking Tools
An unknown hacking group seems to have been releasing trojanized hacking tools almost daily for some years now. The group trojanizes hacking tools by infecting them with a version of the njRAT malware. Cybereason researchers who discovered the hacking campaign “found dozens of different samples of the same njRAT hosted on the same server. Each sample had a different creation time, but they were all hosted on the same server and actively targeting victims.” This suggests that the creation of the trojanized hacking tools is somehow automated, with the tools being injected with the trojan without direct human interaction. According to Cybereason researchers, the trojanized hacking tools are being shared online on hacking forums and blogs used to share free hacking tools. Hacking tools that Cybereason found trojanized included site scrapers and tools for launching brute-force attacks.
The njRAT Trojan
njRAT is a powerful trojan, which provides users full access to a victim’s desktop, including files and passwords. It can also provide attackers with access to a victim’s webcam and microphone. The njRAT trojan was first discovered in around 2013 when it was being used against Middle Eastern targets. Serper, a Cybereason researcher, said that the njRAT is usually spread through phishing emails and infected flash drives. Furthermore, attackers “are hacking vulnerable WordPress installations to host their malicious njRAT payloads,” said Serper.
Suspected Vietnamese Connection
The main domain connected to these trojanized hacking tools was found to be registered to a Vietnamese individual. Cybereason researchers also noted in their report that many of the tools were being uploaded onto the VirusTotal malware scanning engine from a Vietnamese IP address. These trojanized hacking tools are used in campaigns to target other hackers to gain full access to their computers and steal data held by them. Serper stated: “If hackers are targeting you or your business and they are using these trojanized tools it means that whoever is hacking the hackers will have access to your assets as well.” Hackers computers could also be used by the attackers to conduct DDoS attacks.
