ANNOUNCEMENT

Threat Alert:

Hacking the Hackers

YELLOW_THREAT_ALERT_CR_ICONS-53

Threat Overview

cr-icon-threat-type
Threat Type
REMOTE ACCESS TROJAN
Target Industries
Target Industry
Any
cr-icon-attack-goal
Attack Goal
TOTAL CONTROL & PROLIFERATION
cr-icon-impacted-geo
Impacted GEO
Worldwide

What's Happening?

Cybereason Nocturnus is investigating a campaign where attackers are trojanizing multiple hacking tools with njRat, a well known RAT. The campaign ultimately gives attackers total access to the target machine.

The threat actors behind this campaign are posting malware embedded inside various hacking tools and cracks for those tools on several websites. Once the files are downloaded and opened, the attackers are able to completely take over the victim’s machine. In this writeup, the Nocturnus team presents an analysis of the attacker TTPs and indicators of compromise. During this investigation, we uncovered hundreds of trojanized files and information about the threat actors infrastructure.

Read The Full Research

KEY OBSERVATIONS & TTPS


  • A Widespread Campaign: The Nocturnus team has found a widespread hacking campaign that uses the njRat trojan to hijack the victim’s machine, giving the threat actors complete access that can be used for anything from conducting DDoS attacks to stealing sensitive data.
  • Baiting Hackers: The malware is spreading by turning various hacking tools and other installers into trojans. The threat actors are posting the maliciously modified files on various forums and websites to bait other hackers.
  • Using Vulnerable WordPress Websites: The threat actors are hacking vulnerable WordPress installations to host their malicious njRat payloads.
  • Creating a “Malware Factory”: It seems as if the threat actors behind this campaign are building new iterations of their hacking tools on a daily basis.

Remediation Steps

cr-icon-remediate-disable

Be careful to avoid installing tools downloaded from untrusted sources.

Asset 3

Periodically proactively hunt in your environment for potential attacks on sensitive assets.

antivirus-01
Detected by the Cybereason Defense Platform

CYBEREASON CUSTOMERS

We highly recommend every customer enable the following features:

  • If you do not have Cybereason NGAV activated, consider doing so to prevent against threats like these.
  • For Cybereason MDR customers, the Cybereason team will monitor and triage as well as assist in the mitigation of potential infections.

Download This Threat Alert

SUFFERED A BREACH?
TALK TO A SPECIALIST