[BreachExchange] Hackers are targeting other hackers by infecting their tools with malware

Destry Winant destry at riskbasedsecurity.com
Mon Mar 23 10:18:55 EDT 2020


https://techcrunch.com/2020/03/09/hacking-the-hackers/

A newly discovered malware campaign suggests that hackers have
themselves become the targets of other hackers, who are infecting and
repackaging popular hacking tools with malware.

Cybereason’s Amit Serper found that the attackers in this years-long
campaign are taking existing hacking tools — some of which are
designed to exfiltrate data from a database through to cracks and product
key generators that unlock full versions of trial software — and
injecting a powerful remote-access trojan. When the tools are opened,
the hackers gain full access to the target’s computer.

Serper said the attackers are “baiting” other hackers by posting the
repackaged tools on hacking forums.

But it’s not just a case of hackers targeting other hackers, Serper
told TechCrunch. These maliciously repackaged tools are not only
opening a backdoor to the hacker’s systems, but also to any system that
the hacker has already breached.

“If hackers are targeting you or your business and they are using
these trojanized tools it means that whoever is hacking the hackers
will have access to your assets as well,” Serper said.

That includes offensive security researchers working on red team
engagements, he said.

Serper found that these as-yet-unknown attackers are injecting and
repackaging the hacking tools with njRat, a powerful trojan, which
gives the attacker full access to the target’s desktop, including
files, passwords, and even access to their webcam and microphone. The
trojan dates back to at least 2013 when it was used frequently against
targets in the Middle East. njRat often spreads through phishing
emails and infected flash drives, but more recently hackers have
injected the malware on dormant or insecure websites in an effort to
evade detection. In 2017, hackers used this same tactic to host
malware on the website for the so-called Islamic State’s propaganda
unit.

Serper found the attackers were using that same website-hacking
technique to host njRat in this most recent campaign.

According to his findings, the attackers compromised several websites
— unbeknownst to their owners — to host hundreds of njRat malware
samples, as well as the infrastructure used by the attackers to
command and control the malware. Serper said that the process of
injecting the njRat trojan into the hacking tools occurs almost daily
and may be automated, suggesting that the attacks are run largely
without direct human interaction.

It’s unclear for what reason this campaign exists or who is behind it.

