Malicious actors have been secretly embedding the njRAT remote access trojan in free hacking tools as well as cracks of those tools, in a bid to compromise anyone who downloads this software from various websites and forums.
Essentially, this adversary is trying to turn other hackers into victims, taking over their machines for reasons that could range from conducting distributed denial of service attacks to stealing data, according to a blog post today by Cybereason, featuring research from Amit Serper, VP of security strategy and principal researcher with the company’s Nocturnus security research team. Indeed, njRAT offers up many nefarious possibilities, with capabilities that include keylogging, taking screenshots, recording via webcams and microphones, and file manipulation and exfiltration.
The campaign, identified by the Cybereason Nocturnus team, has apparently been taking place for years and has generated nearly 1,000 malware samples in that time, with new variations of njRAT being added on a daily basis.
“It is safe to assume that many individuals have been infected by this campaign (although at the moment we are unable to know exactly how many),” the blog post states. “It is clear the threat actors behind this campaign are using multiple servers, some of which appear to be hacked WordPress blogs. Others appear to be the infrastructure owned by the threat group, judging by multiple hostnames, DNS data, etc.”
Among the downloadable tools used as bait to lure in hackers is SQLi Dumper, which is leveraged to execute SQL injections and data dumps. Cybereason traced a keygen for a trojanized SQLi Dumper file to a MediaFire file share website belonging to Reversing the Noobs (RTN), a community for reverse engineering and coding that writes cracks for certain programs. Cybereason says it also discovered a link to the MediaFire website on a Blogspot-hosted blog that offers some of the trojanized hacking tools.
However, not every njRAT sample is installed via a downloaded cracked hacking or pentesting tool. In some cases, the campaign actors instead are leveraging the promise of Chrome installers, native Windows applications and other programs, Cybereason further reports. This suggests that the malware actors have multiple intended target groups, the blog post continues.
According to Cybereason, samples of the malware have been calling out to a number of domains, including anandpen.com, a legitimate WordPress website operated by an Indian pen manufacturing company that was hacked to serve as an njRAT repository. Another domain is capeturk.com, which at one time was a Turkish Minecraft gaming website.
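The two domains named above are the only callout indicators the article gives, and the most practical defensive use of them is a sweep of DNS resolver logs. The script below is an added example, not code from Cybereason or the article; the log lines are constructed in a dnsmasq-like format, and the IoC set is just the two domains the article names. It matches exact domains and their subdomains while rejecting look-alike names that merely end in the same characters. Because anandpen.com is described as a legitimate site that was compromised, a hit is a lead to triage (which host, how often, what was fetched), not proof of infection on its own.

```python
import re
from collections import Counter

# Domains the article reports njRAT samples calling out to.
NJRAT_CALLOUT_DOMAINS = {"anandpen.com", "capeturk.com"}

# Constructed sample resolver log (dnsmasq-style query lines); not real traffic.
SAMPLE_DNS_LOG = """\
Jun 10 12:00:01 dnsmasq[1234]: query[A] www.example.org from 10.0.0.5
Jun 10 12:00:02 dnsmasq[1234]: query[A] anandpen.com from 10.0.0.7
Jun 10 12:00:03 dnsmasq[1234]: query[A] cdn.capeturk.com. from 10.0.0.7
Jun 10 12:00:04 dnsmasq[1234]: query[A] notanandpen.com from 10.0.0.9
Jun 10 12:00:05 dnsmasq[1234]: query[AAAA] mail.example.org from 10.0.0.5
Jun 10 12:00:06 dnsmasq[1234]: query[A] ANANDPEN.COM from 10.0.0.11
"""

# Captures the query type, the name being resolved and the requesting host.
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<src>\S+)")


def normalize(name: str) -> str:
    """Lower-case the name and drop a trailing dot (absolute-name form)."""
    return name.rstrip(".").lower()


def matches_ioc(name: str, iocs=NJRAT_CALLOUT_DOMAINS) -> bool:
    """True if name is an IoC domain or a subdomain of one.

    The '.' prefix in the endswith check is what keeps 'notanandpen.com'
    from matching 'anandpen.com'.
    """
    n = normalize(name)
    return any(n == d or n.endswith("." + d) for d in iocs)


def find_callout_lookups(log_text: str, iocs=NJRAT_CALLOUT_DOMAINS):
    """Return (source_host, queried_name) for every log line that hits an IoC."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; ignore
        if matches_ioc(m.group("name"), iocs):
            hits.append((m.group("src"), normalize(m.group("name"))))
    return hits


def hosts_to_triage(log_text: str, iocs=NJRAT_CALLOUT_DOMAINS):
    """Count IoC lookups per requesting host so responders can prioritise."""
    return dict(Counter(src for src, _ in find_callout_lookups(log_text, iocs)))


if __name__ == "__main__":
    for src, name in find_callout_lookups(SAMPLE_DNS_LOG):
        print(f"{src} resolved {name}")
    print(hosts_to_triage(SAMPLE_DNS_LOG))
```

On the constructed log the sweep flags 10.0.0.7 twice (the bare domain and a subdomain) and 10.0.0.11 once, and leaves the look-alike `notanandpen.com` query alone. Extending the IoC set is a matter of adding domains to `NJRAT_CALLOUT_DOMAINS`; the matching logic does not change.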