It seems as if some hackers have been given a taste of their own medicine in a campaign where threat actors baited hackers with infected hacking tools.
The hacking tools were infected with njRat, a RAT program that enables the person behind it to take control of the infected device, according to an investigation from Cybereason.
“njRat is popular in the Middle East and gives its operators the ability to hijack the victim’s machine for keylogging, taking screenshots, file manipulation and exfiltration, webcam and microphone recording,” wrote Amit Serper, the security researcher behind the report.
The tools infected with the remote access trojan were then posted on several forums and websites.
Serper also uncovered what he referred to as a “malware factory” where the people behind the hacker-hacking tools released new iterations on a daily basis.
Serper said that it seems as if the campaign has “been going on for several years” and that he and his team had found hundreds of samples.
When looking at samples of the strain it seemed as if the njRat was contacting two IP addresses: a hacked Indian office supplier manufacturer’s website and capeturk.com.
Up until 2018, capeturk.com had been operating as a Turkish gaming website dedicated to Minecraft. However, in November 2018 the domin expired and was registered by a Vietnamese individual.
While Serper states that it is unclear if this individual is behind the campaign, he did note that someone he suspected to be tied to the Vietnamese domain ownership is often testing samples of the trojan by submitting them to VirusTotal.
Copyright © 2020 RegTech Analyst