"To me, it seems that an individual or a group of people has found a smart way to acquire access to more machines," said Amit Serper, a Cybereason executive.
"Instead of directly violating the machines, they choose to infect the tools, circulate them for free and hack the people who use them," said Serper, referring to an already well-known tactic in which hackers steal data that has been hacked by rivals.
Thousands of trojanized hacking tools have been around for years
Serper said the Cybereason Nocturnus investigation team has identified over 1,000 samples of njRAT, but he believes there are many more that have not yet been discovered.
Trojanized tools have been around for many years, but Serper says this mysterious hacking team creates and releases new versions of the tool almost daily.
According to Cybereason, the backdoored tools are freely available on hacking forums and blogs. Some of the trojanized apps are common hacking tools, while others are cracks, which allow wannabe hackers to use hacking tools without paying.
The trojanized tools that Cybereason found include site scrapers, exploit scanners, Google dork generators, tools for performing automatic SQL injections, tools for brute-force attacks and tools to verify the validity of leaked credentials.
In addition, Cybereason found trojanized versions of the Chrome browser.
According to Serper, many of the trojanized apps were linked to two domains. One of them, capeturk.com, has been registered with the credentials of a Vietnamese citizen.
Information about domain owners is often misleading, especially when a domain is used in malicious campaigns. However, Serper said that many of the trojanized hacking tools uploaded to VirusTotal came from a Vietnamese IP address.
According to Serper, the hacking team appears to be testing its malware's detection rate on VirusTotal before releasing it on hacking forums, blogs, etc.
The use of a Vietnamese IP address for the uploads to VirusTotal, in combination with the domain data, is a strong indicator that the gang is actually from Vietnam.
As we said above, infecting hacking tools and providing them for free is a well-known tactic. Many hackers have used it in the past.
It is a fairly simple way of gaining access to the data of people who have been hacked, without resorting to other sophisticated hacking methods. The hackers spread trojanized tools, let other hackers download them, wait a few weeks for enough data to be collected and then steal it using a backdoor, in this case the njRAT trojan.