njRAT Trojanizes Hacking Tools in Widespread Campaign to Conduct DDoS Attacks and Steal Sensitive Data

  • Researchers claim that new iterations of the malware are being published on an almost daily basis.
  • To date, the security researchers from Cybereason Nocturnus have tracked down more than 1000 njRAT samples that go back for years.

Researchers are investigating a widespread campaign in which attackers are trojanizing multiple hacking tools with njRAT. The ultimate goal of the campaign is to gain access to victims’ machines, which can later be used for anything from conducting DDoS attacks to stealing sensitive data. The origin of the campaign is not yet known; however, it has reportedly been going on for several years, targeting hackers with infected tools.

Tracking down the campaign
To date, the security researchers of Cybereason Nocturnus have tracked down more than 1000 njRAT samples that go back for years. Researchers claim that new iterations of the malware are being published on an almost daily basis.

The trojanized hacking tools include the likes of site scrapers, exploit scanners, Google dork generators, tools for performing automatic SQL injections, tools for launching brute force attacks, and tools for verifying the validity of leaked credentials.

Modus operandi of the campaign
The campaign is probably carried out by a group of hackers residing in Vietnam. During the analysis, the Cybereason team found that many of the trojanized apps were associated with blog[.]capeturk[.]com, a domain registered by a Vietnamese individual.

“Until June 2018, it seems capeturk.com was a Turkish gaming website dedicated to the well-known game Minecraft. On November 25, 2018, the capeturk.com domain expired and was registered by a Vietnamese individual. The domain started to be associated with malware around the time of the re-registration, however, it is unclear whether this Vietnamese individual has any ties to the malware campaign,” said researchers in a blog post.

To host the malicious njRAT, the threat actors make use of vulnerable WordPress installations. They maliciously modify files on various forums and websites to bait other hackers.

Conclusion
It is clear that the threat actors behind the campaign are using multiple servers, some of which appear to be hacked WordPress blogs. At the moment, it is unclear whether the campaign is also being used to target users.