Did the attackers hack TV5Monde with the Kjw0rm Remote Access Trojan?

Pierluigi Paganini April 10, 2015

A new hypothesis on the attack that compromised the French TV station TV5Monde: Hackers of the Cyber Caliphate team used the Kjw0rm Remote Access Trojan.

The cyber attacks against the French TV5Monde Channel that resulted in the network take over and the hijacking of social media account of the broadcaster is focusing the attention of the media. The investigators are evaluating all the possible tactics that the pro-ISIS group of the Cyber Caliphate has adopted to breach the network of the TV5Monde.

On Internet is circulating the news that hackers have used passwords accidentally revealed during some TV interviews made in the offices of the broadcaster, but new revelations have been provided by the French media.

French news website Breaking3zero published new details on the investigation, according to the website the hackers exploited a Java vulnerability to serve a malicious VBScript file that allowed them to compromise the infected devices.

Blue Coat researchers speculate that members of the Cyber Caliphate used a variant of  the Kjw0rm worm to infect the systems at TV5Monde, the malicious code is a remote access Trojan (RATs) direct descendent of the most popular Njw0rm (Jenxcus). The Njw0rm worm is a very popular agent among Middle Eastern threat actors, a circumstance that reinforce the thesis on the origin of the attack.

TV5Monde RAT malware

According Breaking3zero, the malware used in the hack of TV5Monde network was created by an individual with the pseudonym of “Najaf.”

Blue Coat researchers have discovered many similarities between the code in the variant used in the attack and the source code of the Kjw0rm.

“The Najaf variant – md5 2962c44ce678d6ca1246f5ead67d115a If we compare the “Najaf” sample with a regular KJ_W0rm sample, we can see that there are clear similarities. Most differences revolve around how hardcoded parameters are placed in the code.” states a blog post published by Blue Coat.

The remote access tool was used by attackers to collect information on the infected system and take the control of the machine. Further information on Najaf revealed that the hacker is in Iraq, one of the territories that is considered a stronghold of ISIS group.

“Security.Najaf seems to match the online handle of a developer apparently located in the Najaf province of Iraq. He is a prolific poster on the dev-point[.]com forums, a forum which has contained a lot of NJ-Rat/Worm-associated material. He is listed as recoder – presumably modifying programmer – in many other malicious scripts. ” continues Blue Coat.

The TV5Monde boss Yves Bigot declared that the cyberattack is “unprecedented in the history of television,” according to Bigot his company was adopting advanced IT security systems.

Stay tuned ….

Pierluigi Paganini

(Security Affairs –  Tv5Monde, hacking)

you might also like

leave a comment