
Hackers Hack Hacking Tools to Hack Hackers

Researchers Uncover Campaign Where Attackers Are Trojanizing Multiple Hacking Tools Used by Other Attackers

Criminals targeting other criminals is nothing new, but researchers have now uncovered a years-long campaign that trojanizes hacking tools in order to infect other hackers with njRAT. Just as trojanized mobile apps can be downloaded from app stores and installed by trusting users, so trojanized hacking tools are downloaded and installed by trusting hackers.

In November 2016, Proofpoint discovered phishing kits advertised on YouTube that had the author's email (and another person's email) hardcoded within the kit. Any successful phishing conducted with these kits would automatically send the phished data back to the author.

It isn't known who is behind this latest discovery, but there are some inconclusive links to Vietnam. One of the IP addresses contacted by an analyzed version of njRAT is capeturk .com, a one-time gaming site that was re-registered by a Vietnamese individual in November 2018. Furthermore, note the researchers who discovered the campaign, "someone from Vietnam is constantly testing the [malware] samples by submitting them to VirusTotal."

The campaign was unearthed by Cybereason's Nocturnus researchers, and described by VP and principal researcher Amit Serper. It is a widespread and extensive campaign that has been running for years. 

The njRAT infection route in the campaign appears to be via cracked and trojanized hacking tools. Cybereason found a keygen for an SQLi Dumper -- a tool used to perform SQL injections and data dumps. The keygen is credited to RTN, which is a group that writes cracks for various programs -- although the extent, if any, of RTN's involvement in the campaign is unknown. The trojanized versions are then offered on various forums and websites to bait other hackers.

Cybereason found a MediaFire source containing many cracked versions of tools. From there the researchers found a 'sharetools99' Blogspot offering many cracked and trojanized hacking tools, linking to the MediaFire file share. "So far," says Serper, "we have found samples that are either pretending to be various hacking tools or pretending to be installers of the Chrome Internet browser. There are around 700 samples associated with the *.capeturk .com subdomain, and there are more samples added to various threat intelligence resources on a daily basis."

The payload from the trojanized hacking tools is njRAT, a remote access trojan first observed in 2012 and known to be used by threat actors in the Middle East. The RAT gives the attacker complete control over the infected machine -- which also means the attacker can gain access to other systems hacked by the victim.

It may be, however, that other hackers are not the only targets in this campaign. "While all of the samples associated with blog.capeturk .com are targeting various penetration testing and hacking tools, other subdomains are targeting Chrome installers, native Windows applications, and other random programs that have nothing to do with hacking or penetration testing," notes Serper. One example is an njRAT payload pretending to be an Nvidia service -- however, Cybereason cannot yet say who the other targets might be.

Cybereason's analysis of the discovered njRAT version found that it had been compiled just a few hours before discovery, and that it contacted both capeturk .com and anandpen .com -- the latter being a compromised WordPress site belonging to an Indian office supplies manufacturer (who was contacted but had not replied before Serper's analysis was published).

Using YARA, Cybereason then discovered dozens of different samples of njRAT hosted on the same compromised server actively targeting victims. All these samples had the name of a legitimate Windows process, such as svchost.exe or explorer.exe, and all of them were executed from subdirectories inside %AppData%.

The initial loader is a PE .NET file written in Visual Basic. It creates a new directory, %USER%\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7800\ and uses it as a staging directory. It drops files into this staging directory until it eventually drops the main njRAT payload with a random name.
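The two behaviours described above (Windows process names running from %AppData%, and the Intel-themed staging directory) lend themselves to a simple check over process-creation telemetry. The following is an added example, not code from Cybereason or the original article; the event list, host names, user names and the payload file name are constructed, and the genuine binary locations assume a default C:\Windows system root.

```python
import ntpath  # parses Windows paths correctly on any OS

# Names the article says the samples borrow, with the directories where Windows
# keeps the genuine binaries (assumes the default C:\Windows system root).
GENUINE_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
}
# Staging directory from the article, relative to the user profile.
STAGING = ntpath.normcase(r"\AppData\Roaming\Intel Corporation"
                          r"\Intel(R) Common User Interface\8.1.1.7800") + "\\"


def classify(image_path):
    """Return the findings for one process-creation image path."""
    path = ntpath.normcase(image_path)   # lower-case, forward slashes normalised
    folder, name = ntpath.split(path)
    findings = []
    if name in GENUINE_DIRS and folder not in GENUINE_DIRS[name]:
        place = "under AppData" if "\\appdata\\" in path else "outside its system directory"
        findings.append(f"{name} {place}")
    if STAGING in path:
        findings.append("staging directory")
    return findings


# Constructed process-creation events (hypothetical hosts, users and file names).
EVENTS = [
    ("ws-01", r"C:\Windows\System32\svchost.exe"),
    ("ws-01", r"C:\Windows\explorer.exe"),
    ("ws-02", r"C:\Users\bob\AppData\Roaming\Updater\explorer.exe"),
    ("ws-03", r"C:\Users\eve\AppData\Roaming\Intel Corporation"
              r"\Intel(R) Common User Interface\8.1.1.7800\kqzvh.exe"),
    ("ws-03", r"D:\tools\svchost.exe"),
]


def scan(events):
    """Keep only the events that produced at least one finding."""
    hits = [(host, image, classify(image)) for host, image in events]
    return [hit for hit in hits if hit[2]]


if __name__ == "__main__":
    for host, image, findings in scan(EVENTS):
        print(f"{host}: {image} -> {', '.join(findings)}")
```

The name check catches the masquerading binaries even when the payload directory changes, while the staging-path check catches the randomly named payload that the name check cannot.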

The extent of the campaign, the quantity of trojanized tools and the rapidity with which new versions of njRAT are created lead Serper to suggest that the attackers have created a malware factory. "It seems," he says, "as if the threat actors behind this campaign are building new iterations of their hacking tools on a daily basis." File compilation has probably been automated. If this is so, it may be an indication of something we can expect more of in the future, as criminals increasingly use the same techniques -- in this case automation -- as legitimate businesses use to improve their own services.

Boston, Mass-based Cybereason was founded in 2012 by Lior Div, Yonatan Amit, and Yossi Naar. It raised $200 million in Series E funding in August 2019, bringing the total funding to approximately $400 million.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.