For the past years, a mysterious group has been churning out trojanized hacking tools on an almost daily basis, tools that are meant to infect fellow hackers and gain access to their computers.
According to a report published today by cyber-security firm Cybereason, the trojanized tools were infected with a version of the njRAT malware that gave the mysterious group full access to other hackers’ computers.
“To me, it looks like someone, or a group of people, are making a pretty clever shortcut into getting access to more machines,” Amit Serper, VP of Security Strategy at Cybereason, told ZDNet.
“Instead of actively hacking machines, just trojanize the tools, spread them for free, and hack the people who use the tools,” Serper said, referring to an old tactic on the cybercrime scene where hackers steal their rivals’ hacked data.
Thousands of trojanized hacking tools, going back years
Serper said the Cybereason Nocturnus investigations team tracked down more than 1,000 njRAT samples while investigating this group’s activities, but that the campaign looked much larger and broader than what they found.
The trojanized samples go back for years, and Serper says new iterations are being published on an almost daily basis.
Per Cybereason, the backdoored tools are being shared online on hacking forums and blogs dedicated to sharing free hacking tools. Some of the trojanized apps are downright hacking tools, while others are cracks programs that allow wannabe hackers to use commercial hacking tools without paying a license.
Hacking tools that Cybereason found trojanized include the likes of site scrapers, exploit scanners, Google dork generators, tools for performing automatic SQL injections, tools for launching brute-force attacks, and tools for verifying the validity of leaked credentials.
In addition, Cybereason also says it found trojanized versions of the Chrome browser, also laced with the same njRAT remote access trojan.
Suspected Vietnamese mastermind
According to Serper, many of the trojanized apps the Cybereason team analyzed were configured to phone back to one of two domains. Of the two, the most used was the capeturk.com domain, which Serper said was registered with the credentials of a Vietnamese individual.
While details about domain owners are often faked, especially when a domain is used in a malware campaign, Serper also noted that many of the trojanized hacking tools were uploaded on the VirusTotal malware scanning engine from a Vietnamese IP address.
According to Serper, the hacker group appears to have been testing the detection rate for their malware samples on VirusTotal before deploying them on hacking forums, their blogs, and elsewhere.
However, the use of a Vietnamese IP for VirusTotal uploads, in connection with the domain details, is a strong indicator that the gang is very likely based in the country, Cybereason said.
An old tactic
All in all, the group’s tactics aren’t new, per-se. Other hackers have thought to take shortcuts in their careers by putting backdoors in hacking tools that they later published for free.
For example, a 2016 Proofpoint report also found a large collection of backdoored phishing kits being advertised via YouTube videos, phishing kits that sent copies of the phished data back to their original authors.
The tactic is quite common and is a simple way of gaining access to hacked data without doing any extensive hacking. The idea is to let other hackers download the hacking tool, spend weeks collecting data, and then stealing the data using a backdoor — in this case, the njRAT remote access trojan.