Categories: Breaking NewsHackingIntelligenceMalware

Did the attackers hack TV5Monde with the Kjw0rm Remote Access Trojan?

A new hypothesis on the attack that compromised the French TV station TV5Monde: Hackers of the Cyber Caliphate team used the Kjw0rm Remote Access Trojan.

The cyber attacks against the French TV5Monde Channel that resulted in the network take over and the hijacking of social media account of the broadcaster is focusing the attention of the media. The investigators are evaluating all the possible tactics that the pro-ISIS group of the Cyber Caliphate has adopted to breach the network of the TV5Monde.

On Internet is circulating the news that hackers have used passwords accidentally revealed during some TV interviews made in the offices of the broadcaster, but new revelations have been provided by the French media.

French news website Breaking3zero published new details on the investigation, according to the website the hackers exploited a Java vulnerability to serve a malicious VBScript file that allowed them to compromise the infected devices.

Blue Coat researchers speculate that members of the Cyber Caliphate used a variant of the Kjw0rm worm to infect the systems at TV5Monde, the malicious code is a remote access Trojan (RATs) direct descendent of the most popular Njw0rm (Jenxcus). The Njw0rm worm is a very popular agent among Middle Eastern threat actors, a circumstance that reinforce the thesis on the origin of the attack.

According Breaking3zero, the malware used in the hack of TV5Monde network was created by an individual with the pseudonym of “Najaf.”

Blue Coat researchers have discovered many similarities between the code in the variant used in the attack and the source code of the Kjw0rm.

“The Najaf variant – md5 2962c44ce678d6ca1246f5ead67d115a If we compare the “Najaf” sample with a regular KJ_W0rm sample, we can see that there are clear similarities. Most differences revolve around how hardcoded parameters are placed in the code.” states a blog post published by Blue Coat.

The remote access tool was used by attackers to collect information on the infected system and take the control of the machine. Further information on Najaf revealed that the hacker is in Iraq, one of the territories that is considered a stronghold of ISIS group.

“Security.Najaf seems to match the online handle of a developer apparently located in the Najaf province of Iraq. He is a prolific poster on the dev-point[.]com forums, a forum which has contained a lot of NJ-Rat/Worm-associated material. He is listed as recoder – presumably modifying programmer – in many other malicious scripts. ” continues Blue Coat.

The TV5Monde boss Yves Bigot declared that the cyberattack is “unprecedented in the history of television,” according to Bigot his company was adopting advanced IT security systems.

Stay tuned ….

Pierluigi Paganini

(Security Affairs – Tv5Monde, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.