An unidentified group of hackers has been found sharing hacking tools trojanised with njRAT on various hacker forums and websites, giving them complete access to the machines of anyone who runs the tools.
The use of njRAT to weaponise hacking tools against hackers themselves was recently discovered by security firm Cybereason, which noted that the trojanised tools let the group take over targeted machines and use them for anything from conducting DDoS attacks to stealing sensitive data.
njRAT is a well-known Remote Access Trojan which was first employed seven years ago by a cyber crime group known as Sparclyheason that targeted organisations located in the Middle East.
The RAT is capable of stealing passwords from browsers, logging keystrokes, manipulating the system registry, manipulating files, recording through microphones, and collecting system information such as IP addresses, usernames, operating systems, installation dates, and country.
Hacking tools trojanised with njRAT to gain complete control over targeted machines
“This investigation surfaced almost 1000 njRat samples compiled and built on almost a daily basis. It is safe to assume that many individuals have been infected by this campaign (although at the moment we are unable to know exactly how many),” Cybereason said.
“This campaign ultimately gives threat actors complete access to the target machine, so they can use it for anything from conducting DDoS attacks to stealing sensitive data off the machine.
“It is clear the threat actors behind this campaign are using multiple servers, some of which appear to be hacked WordPress blogs. Others appear to be the infrastructure owned by the threat group, judging by multiple hostnames, DNS data, etc.,” the firm added.
While analysing the malware campaign, researchers at the firm found that the attackers exploited vulnerable WordPress installations to serve malware from their internal WordPress directories. The malware samples observed by the firm masqueraded as legitimate Windows processes such as svchost.exe or explorer.exe and were originally written in Visual Basic.
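Masquerading under a real Windows process name is a common RAT tactic, and the name alone tells a defender nothing; the image path and parent process do. The following check, an added example that is not part of the original article or Cybereason's research, flags processes that use the svchost.exe or explorer.exe name but run from an unexpected directory or under an unexpected parent. The expected locations and parents are assumptions based on default Windows layouts, and the process listing is constructed sample data.

```python
"""Flag processes that borrow a Windows system process name but run from the
wrong location or under an unexpected parent (constructed sample data)."""
from pathlib import PureWindowsPath

# Expected image directories for the names the article says njRAT imitated
# (assumption: default Windows layout).
EXPECTED_PATHS = {
    "svchost.exe": {r"C:\Windows\System32", r"C:\Windows\SysWOW64"},
    "explorer.exe": {r"C:\Windows"},
}
# Parents that normally launch each name (assumption: typical Windows defaults).
EXPECTED_PARENTS = {
    "svchost.exe": {"services.exe"},
    "explorer.exe": {"userinit.exe", "winlogon.exe", "explorer.exe"},
}


def check_process(name, path, parent):
    """Return the reasons a process looks like a masquerade (empty if clean)."""
    reasons = []
    key = name.lower()
    if key not in EXPECTED_PATHS:
        return reasons  # not a name this heuristic tracks
    image_dir = str(PureWindowsPath(path).parent).lower()
    if image_dir not in {p.lower() for p in EXPECTED_PATHS[key]}:
        reasons.append(f"{name} running from unexpected directory {image_dir}")
    if parent.lower() not in EXPECTED_PARENTS[key]:
        reasons.append(f"{name} spawned by unexpected parent {parent}")
    return reasons


# Constructed sample listing: (image name, full path, parent image name).
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe"),
    ("explorer.exe", r"C:\Windows\explorer.exe", "userinit.exe"),
    ("svchost.exe", r"C:\Users\alice\AppData\Roaming\svchost.exe", "explorer.exe"),
    ("explorer.exe", r"C:\Users\alice\Downloads\tool\explorer.exe", "cmd.exe"),
]


def scan(processes=SAMPLE_PROCESSES):
    """Return {image path: reasons} for every process that trips the heuristic."""
    findings = {}
    for name, path, parent in processes:
        reasons = check_process(name, path, parent)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in scan().items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```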
Cybereason also found that the malware campaign was being orchestrated using a large number of domains, such as capeturk.com, a Turkish gaming website dedicated to Minecraft, and Anandpen.com, the WordPress-powered website of a pen manufacturing company from India that had been hacked.
Russian hackers also hacked an Iranian group to steal its malicious tools
This isn’t the first time that security researchers have identified a hacking campaign initiated by a group of hackers to target other hacker groups. In October last year, the National Cyber Security Centre said that a Russian hacker group known as Turla hacked an Iranian hacker group known as OilRig and then used the latter’s tools and infrastructure to carry out cyber attacks on dozens of other countries.
A joint investigation conducted by the NCSC and the NSA revealed that Turla stole the ‘Neuron’ and ‘Nautilus’ malware from OilRig and used these tools in conjunction with the Snake rootkit to target government, military, technology, energy, and commercial organisations in both the UK and the United States.
NCSC also found that not only did Turla use OilRig’s tools to target organisations, they also “sought to further their access into victims of interest by scanning for the presence of Iranian backdoors and attempting to use them to gain a foothold”.