Hackers have turned on themselves according to a newly discovered malware campaign that suggests that they have become the targets of other hackers who have begun repackaging popular hacking tools with malware.
The multi-year campaign was first discovered by the VP of security strategy and principal researcher at Cybereason, Amit Serper who found that hackers have begun modifying existing hacking tools by injecting a powerful remote-access trojan into them. When these modified tools are opened, they give hackers full access to the target’s computer.
According to Serper, the attackers have made it quite easy to spread their repackaged tools by posting them on popular hacking forums.
However, these repackaged tools not only give hackers access to a target’s computer but they also open a backdoor to their systems which allows the attackers to utilize any other computer or network that they have already breached.
During his investigation of the campaign, Serper found that the hackers behind these attacks are injecting and repackaging hacking tools with the njRat trojan. This trojan gives the attacker full access to a target’s desktop as well as to their files, passwords webcams and microphones.
njRat has been around since 2013 and it has been used frequently against targets in the Middle East. It is often spread through phishing emails and infected flash drives but recently hackers have begun to inject the malware on dormant or insecure websites to avoid being detected.
Hackers are once again using this technique to spread njRat and according to Serper, they have compromised several websites to host hundreds of njRat malware samples. In a blog post, he provided further details on this latest campaign and his investigation into the matter, saying:
“This investigation surfaced almost 1000 njRat samples compiled and built on almost a daily basis. It is safe to assume that many individuals have been infected by this campaign (although at the moment we are unable to know exactly how many). This campaign ultimately gives threat actors complete access to the target machine, so they can use it for anything from conducting DDoS attacks to stealing sensitive data off the machine. It is clear the threat actors behind this campaign are using multiple servers, some of which appear to be hacked WordPress blogs. Others appear to be the infrastructure owned by the threat group, judging by multiple hostnames, DNS data, etc.”
As this campaign has already operated for years, it will likely continue to do so while giving hackers a taste of their own medicine.