A recently discovered malware campaign suggests that hackers have become targets for other hackers, who are infecting and repackaging popular hacking tools with malware.
Amit Serper of Cybereason found that the attackers in this year-long campaign are taking existing hacking tools – some of which are designed to exfiltrate data from a database, through to cracks and product code generators that unlock full versions of trial software – and injecting a powerful remote access trojan. When the tools are opened, the hackers get full access to the target’s computer.
Serper said the attackers are “triggering” other hackers by posting the repackaged tools on hacking forums.
But it’s not just a case of hackers targeting other hackers, Serper told TechCrunch. These badly repackaged tools not only open a backdoor to the hacker’s systems, but also to any system that the hacker has already hacked.
“If hackers target you or your company and use these trojan tools, it means that anyone who hacks hackers will also have access to your resources,” said Serper.
This includes offensive security researchers working on red team engagements, he said.
Serper has discovered that these still unknown attackers are injecting and repackaging hacking tools with njRat, a powerful trojan, which gives the attacker full access to the target’s desktop, including files, passwords and even access to their webcam and microphone. The trojan dates back to at least 2013, when it was used frequently against targets in the Middle East. njRat often spreads through phishing emails and infected flash drives, but more recently, hackers have injected malware onto inactive or unsafe websites in an attempt to evade detection. In 2017, hackers used the same tactic to host malware on the website of the so-called Islamic State’s propaganda unit.
Serper found that the attackers were using the same website hacking technique to host njRat in this most recent campaign.
According to his findings, the attackers compromised several websites – unbeknownst to their owners – to host hundreds of njRat malware samples, as well as the infrastructure used by the attackers to command and control the malware. Serper said that the process of injecting the njRat trojan into hacking tools takes place almost daily and can be automated, suggesting that the attacks are largely performed without direct human interaction.
It is not clear why this campaign exists or who is behind it.