Cybereason’s Nocturnus Research Team is investigating a campaign in which cybercriminals are trojanising multiple hacking tools with njRat, a well-known RAT. The campaign ultimately gives attackers total access to the target machine. The threat actors behind this campaign are posting malware embedded inside various hacking tools and cracks for those tools on several websites. Once the files are downloaded and opened, the attackers are able to completely take over the victim’s machine.
In this new piece of research, Cybereason presents its analysis of the attackers’ TTPs and the indicators of compromise. In the investigation of this campaign, Cybereason has found hundreds of trojanised files and a lot of information about the threat actors’ infrastructure.
- Widespread Campaign: Cybereason has found a widespread hacking campaign that uses the njRat Trojan to hijack the victim’s machine, giving the threat actors complete access that can be used for anything from conducting DDoS attacks to stealing sensitive data.
- Baiting Hackers: The malware is spread by turning various hacking tools and other installers into Trojans. The threat actors are posting the maliciously modified files on various forums and websites to bait other hackers.
- Using Vulnerable WordPress Websites: The threat actors are hacking vulnerable WordPress installations to host their malicious njRat payloads.
- A “Malware Factory”: It seems as if the threat actors behind this campaign are building new iterations of their hacking tools on a daily basis.