Pierluigi Paganini March 10, 2020

Who is hacking the hackers? Experts from Cybereason a mysterious hackers group is targeting other hackers by spreading tainted hacking tools.

Experts from security firm Cybereason warn of a mysterious group of hackers that are distributing trojanized hacking tools on an almost daily basis for the past years.

These hacking tools are used by fellow hackers that appear to be the targets of the group. The tools are being shared online on popular hacking forums and blogs, they are infected with a version of the njRAT RAT that is used by attackers to establish a backdoor on the victims’ systems and take full control of them.

“The threat actors behind this campaign are posting malware embedded inside various hacking tools and cracks for those tools on several websites. Once the files are downloaded and opened, the attackers are able to completely take over the victim’s machine.” reads the report published Cybereason.

The researchers discovered more than 1,000 samples while investigating the group’s operations, but experts believe the campaign could be broader.

Hacking tools that were infected by the mysterious group of hackers include site scrapers, exploit scanners, hacking tools (brute-force attack tools, SQLInjection automated hacking tools, tools for launching brute-force attacks, credential stuffing attack tools, and also versions of the Chrome browser.

Evidence collected by Cybereason suggests the threat actors could have a Vietnamese origin.

“On November 25 2018, the capeturk.com domain expired and was registered by a Vietnamese individual. The domain started to be associated with malware around the time of the re-registration, however, it is unclear whether this Vietnamese individual has any ties to the malware campaign.” continues the report.”That being said, it seems someone from Vietnam is constantly testing the samples by submitting them to VirusTotal.” 

Many tainted applications analyzed by Cybereason contacted two domains, one of them, “capeturk.com domain” was registered by a Vietnamese individual.

Experts also noticed that many the trojanized hacking tools were uploaded on the VirusTotal malware scanning service from a Vietnamese IP address.

“This investigation surfaced almost 1000 njRat samples compiled and built on almost a daily basis. It is safe to assume that many individuals have been infected by this campaign (although at the moment we are unable to know exactly how many). This campaign ultimately gives threat actors complete access to the target machine, so they can use it for anything from conducting DDoS attacks to stealing sensitive data off the machine.” concludes the report.

“It is clear the threat actors behind this campaign are using multiple servers, some of which appear to be hacked WordPress blogs. Others appear to be the infrastructure owned by the threat group, judging by multiple hostnames, DNS data, etc.

At the moment, we are unable to ascertain the other victims this malware campaign is targeting, other than those targeted by the trojanized hacking tools connecting to the “7777 server”. ”

The report published by Cybereason includes indicators of compromise (IOCs) and the MITRE ATT&CK matrix.

Pierluigi Paganini

(SecurityAffairs – hacking tools, RAT)

[adrotate banner=”5″]

[adrotate banner=”13″]