Cybereason has published a report stating that for many years a hacker group released, almost daily, trojanized hacking tools designed to infect other cybercriminals and give the group access to their computers. Specifically, the tools were infected with the njRAT malware.
“It seems that some individual or group of people chose a very tricky path, trying to gain access to more machines,” Cybereason analysts told ZDNet. “Instead of actively hacking machines on their own, they simply trojanized the tools, distributed them for free and hacked the people who used these solutions.”
While studying the group's activity, the researchers were able to track more than 1000 njRAT samples, which indicates the considerable scale of this campaign. According to the analysts, the backdoored tools are distributed through hacker forums and blogs devoted to sharing free hacking tools.
Some of the infected tools are designed for carrying out attacks, while others merely let the user run commercial hacking tools without buying a license. Among them were infected website scrapers, exploit scanners, Google dork generators, automated SQL injection tools, brute-force tools, tools for checking leaked credentials, and even infected builds of the Chrome browser, likewise carrying the njRAT trojan.
The infected tools usually communicate with a pair of domains, one of which, capeturk (.) Com, was registered using the details of a Vietnamese citizen. Although domain-owner information is often false, especially when the domain is used in a malicious campaign, Cybereason experts note that many of the infected utilities were also uploaded to VirusTotal from a Vietnamese IP address. Apparently the group first checked the detection rate of its malware on VirusTotal and then posted it on forums, blogs and elsewhere. Based on this, the analysts conclude that the group is most likely really based in Vietnam.