[old] Mar 2020 Hacking community targeted by cyber criminals in trojan campaign

Karl gmkarl at gmail.com
Sun May 16 12:58:01 PDT 2021


10 Mar 2020 14:30

The hacking community has been warned to be alert to cyber criminals
turning popular hacking tools into a means to spread remote access
trojans (RATs), in a newly uncovered campaign discovered by threat
researchers at Cybereason’s Nocturnus lab.

The campaign exploits the well-known and widely used njRat trojan,
also known as Bladabindi, which was developed by Middle Eastern threat
groups between seven and eight years ago. If opened, njRat takes over
the victim’s machine and can be used to extract system information,
execute and manipulate files, open remote shells to let attackers use
the command line, record from cameras or microphones, log keystrokes,
and steal stored passwords, among other

The new campaign spreads njRat by injecting it into downloadable
hacking tools and other installers, said Cybereason. These tools are
being posted on various underground forums and websites to bait other
hackers into falling “victim” to njRat.

The firm believes the campaign has been running for a considerable
length of time and appears to be the product of a so-called “malware
factory” which is churning out new iterations of the various
compromised tools on an almost daily basis, possibly using some degree
of automation.

“This investigation surfaced almost 1,000 njRat samples compiled and
built on almost a daily basis. It is safe to assume that many
individuals have been infected by this campaign although at the moment
we are unable to know exactly how many,” said Amit Serper,
Cybereason’s vice-president of security, in a disclosure blog.

“This campaign ultimately gives threat actors complete access to the
target machine, so they can use it for anything from conducting DDoS
attacks to stealing sensitive data off the machine.”

The campaign poses a threat beyond the confines of the hacker
community because if a victimised hacker already has access to your
system, the hacker who hacked them will also have access to your

In the campaign, njRat masquerades as a legitimate Windows process and
was found to be connecting to two IP addresses: one of a compromised
WordPress site belonging to a legitimate Indian pen manufacturer, and
another of a Minecraft site located in Turkey that since late 2018 has
been re-registered by an individual in Vietnam, who may be associated
with the campaign.

“It is clear the threat actors behind this campaign are using multiple
servers, some of which appear to be hacked WordPress blogs,” said
Serper. “Others appear to be the infrastructure owned by the threat

Cybereason found that all the njRat samples associated with the
Turkish-Vietnamese site were targeting penetration testing and hacking
tools, although the campaign is by no means targeting just the hacking
community – it also seems to be targeting Chrome installers, native
Windows apps, and some other programs that have nothing to do with
hacking or penetration testing.

“At the moment, we are unable to ascertain the other victims this
malware campaign is targeting, other than those targeted by the
trojanised hacking tool,” said Serper, who is continuing to monitor
the campaign.

Cybereason has published a lengthy list of indicators of compromise
(IoCs), which can be downloaded from its website.
