Hacker Wars: njRat Hides in “Free” Hacking Tools Published on Underground Forums

Delaware, USA – March 11, 2020 – An unidentified threat actor is spreading trojanized hacking tools for free in order to compromise the people who use them. The Cybereason Nocturnus team discovered about 1,000 njRAT samples hidden in various tools, and in cracks for those tools: exploit scanners, site scrapers, Google dork generators, tools for SQL injection, tools for conducting brute-force attacks, and tools for verifying the validity of leaked credentials. “This campaign ultimately gives threat actors complete access to the target machine, so they can use it for anything from conducting DDoS attacks to stealing sensitive data off the machine,” Cybereason researchers said. “It is clear the threat actors behind this campaign are using multiple servers, some of which appear to be hacked WordPress blogs. Others appear to be the infrastructure owned by the threat group, judging by multiple hostnames, DNS data, etc.”

Researchers suggest that a Vietnamese group is behind the campaign. Many of the trojanized tools were configured to connect to a domain registered with the credentials of a Vietnamese individual. Also, a Vietnamese IP address was used to upload the backdoored apps to the VirusTotal malware scanning engine. It seems someone in Vietnam is continually testing the detection rate of their malware samples before spreading them on underground forums. The campaign has lasted for years, and new samples are created daily. On the “other side”, the big fish eats the small one: groups “borrow” TTPs to complicate attribution, or even steal a rival’s infrastructure for their own malicious campaigns.
The njRat remote access trojan was built on the leaked Njw0rm source code, and it has a wide range of backdoor capabilities. Content available on Threat Detection Marketplace to detect njRat malware:
NjRAT C&C POST Request – https://tdm.socprime.com/tdm/info/psZji1bNylin/
NjRAT RAT/Backdoor (Proxy) – https://tdm.socprime.com/tdm/info/InMMGPzClfBy/
HWorm and NjRAT Rat/Backdoor (Sysmon) – https://tdm.socprime.com/tdm/info/Xm5GOenPgfoV/