Hackers infecting other hackers with remote-access trojan

(Image credit: Shutterstock)

Hackers have turned on themselves according to a newly discovered malware campaign.

The multi-year campaign was uncovered by Cybereason security researcher Amit Serper, who found that hackers have begun modifying existing hacking tools by injecting a powerful remote-access trojan into them. When these modified tools are opened, they give hackers full access to the target's computer.

According to Serper, the attackers have made it quite easy to spread their repackaged tools by posting them on popular hacking forums.

Bug bounties have made these hackers millionaires
How a piece of Brazilian malware became a global cybercrime export
Staying one step ahead of the hackers

However, these repackaged tools not only give hackers access to a target's computer but they also open a backdoor to their systems which allows the attackers to utilize any other computer or network that they have already breached.

njRat trojan

During his investigation of the campaign, Serper found that the hackers behind these attacks are injecting and repackaging hacking tools with the njRat trojan. This trojan gives the attacker full access to a target's desktop as well as to their files, passwords webcams and microphones.

njRat has been around since 2013 and it has been used frequently against targets in the Middle East. It is often spread through phishing emails and infected flash drives but recently hackers have begun to inject the malware on dormant or insecure websites to avoid being detected.

Hackers are once again using this technique to spread njRat and according to Serper, they have compromised several websites to host hundreds of njRat malware samples. In a blog post, he provided further details on this latest campaign and his investigation into the matter, saying:

“This investigation surfaced almost 1000 njRat samples compiled and built on almost a daily basis. It is safe to assume that many individuals have been infected by this campaign (although at the moment we are unable to know exactly how many). This campaign ultimately gives threat actors complete access to the target machine, so they can use it for anything from conducting DDoS attacks to stealing sensitive data off the machine. It is clear the threat actors behind this campaign are using multiple servers, some of which appear to be hacked WordPress blogs. Others appear to be the infrastructure owned by the threat group, judging by multiple hostnames, DNS data, etc.”

As this campaign has already operated for years, it will likely continue to do so while giving hackers a taste of their own medicine.

We've also highlighted the best antivirus software

Via TechCrunch

TOPICS

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.

Latest in Security