Vietnamese Hackers Spent Years Targeting Other Hackers
According to a report published by Cybereason, a hacker group has spent years releasing trojanized hacking tools almost daily. These tools were designed to infect the computers of other cybercriminals and give the group access to them. The infected hacking tools contained the njRAT malware.
“It seems that an individual or group chose a rather clever way to gain access to more machines,” Cybereason analysts told ZDNet. “Instead of actively hacking machines themselves, they simply trojanized tools, distributed them for free, and hacked the people who used these solutions.”
While investigating this group’s activities, researchers were able to track over 1,000 samples of njRAT, indicating the large scale of this campaign. According to analysts, the backdoored tools were distributed through hacker forums and blogs dedicated to sharing free hacking utilities.
Some of the infected tools were intended for hacking attacks, while others allowed users to run commercial hacking tools without purchasing licenses. Researchers found infected website scrapers, exploit scanners, Google dork generators, tools for automated SQL injections, brute-force attack tools, credential leak checkers, and even trojanized versions of the Chrome browser, all containing njRAT.
The infected tools typically communicated with a couple of domains, one of which was capeturk.com, registered using the credentials of a Vietnamese citizen. While domain ownership information is often fake—especially for domains used in malicious campaigns—Cybereason specialists noted that many of the infected utilities were also uploaded to VirusTotal from a Vietnamese IP address. It appears the hacker group first checked how often their malware was detected on VirusTotal, then posted it on forums, blogs, and other sites. Based on this data, analysts conclude that the group is most likely based in Vietnam.