This ongoing cyber-attack has taken the punchline to an old light bulb joke way too seriously
Light bulb jokes are both amusing and often very insightful. You might not see the funny side of this cyber-attack campaign that has taken the punchline to the “how many hackers?” variant way too seriously.
There’s a joke that I’ve heard more than one ethical hacking penetration tester tell: how many hackers does it take to change a light bulb? The answer is none; nobody even knew the bulb had been changed.
One hacker, it could be an individual or a criminal group, is taking that punchline and running riot with it. New research has found that a threat campaign that has been ongoing for several years is infecting the tools used by hackers, criminal and legitimate alike, with malware that gives control over any systems they are successfully used upon.
Amit Serper, a security researcher at Cybereason Nocturnus, has been investigating an ongoing cyber-attack campaign that gives attackers “total access” to the targeted computer. This particular attack campaign is piggybacking on the work of other threat actors and potentially legitimate penetration testers as well.
No honor among cyber-thieves
This isn’t a case of an ethical hacker looking for vulnerabilities in a bug bounty hacking platform used by more than half a million hackers, as I reported in December 2019. Rather, this involves threat actors taking a diversion from the usual route of hacking end users, be that those with newly updated Windows 10 systems, Linux users, or social media accounts. This is a case, the researchers say, where for “several years,” threat actors have been embedding malware within a whole bunch of hacking tools used by other hackers and potentially also by penetration testers. These tools include everything from scanners that look for unpatched vulnerabilities that can be exploited, through to SQL injection attack tools and credential validating ones. Oh, and as another worrying aside, Chrome browser installers have also been found to be embedded with the njRat malware in this campaign.
While it should come as no surprise to most people that there is no honor among cyber-thieves, the hackers who are using these trojanized tools in their nefarious activities will, no doubt, be aggrieved. Not least because they are doing the donkey work of target reconnaissance and penetration, getting that foothold into the system, only for this yet unnamed threat actor to then have full control over the compromised system for themselves.
Tracing the attackers
Worryingly, this campaign appears to be very widespread, and the research goes so far as to suggest that the threat actors behind it have, in effect, established a malware factory. That factory is, the researchers say, “building new iterations of their hacking tools on a daily basis.” The hacking tools are all being trojanized using njRat, malware that enables an attacker to perform keylogging, screen captures, audio and video recording as well as data exfiltration. njRat is known to be a prevalent threat in the Middle East, although it has not been possible to connect the threat actor behind this campaign with that geopolitical region at this point. Distributed via various compromised WordPress sites, the tools, and their associated “cracks,” are all infected by njRat. One of the compromised sites being used for distribution was found to be a Turkish gaming website, but upon further investigation, this domain was registered to somebody in Vietnam. While there is no direct evidence to suggest that the individual is connected with the malware campaign at this point, there is further evidence that Vietnam could be where the threat actor is based. The research reveals that someone from Vietnam is “constantly testing” the malware samples by submitting them to VirusTotal to see if the trojanization is spotted.
A fork in the malicious malware road
The Cybereason Nocturnus research has noted that there appears to be a fork when it comes to the targets of the trojanizing campaign. One fork, associated with a particular subdomain, is targeting penetration testing and hacking tools. Another, however, is targeting Chrome web browser installers and native Windows applications. While all this appears as clear as mud when it comes to determining whether there is any specific target of the campaign, or who is behind it, one thing is clear enough: with more than 1,000 new malware samples being built on a daily basis, plenty of people will already have been victims of this ongoing campaign.