Threat Management, Malware

Years-long malware operation hides njRAT in cracked hacking tools


Malicious actors have been secretly embedding the njRAT remote access trojan in free hacking tools as well as cracks of those tools, in a bid to compromise anyone who downloads this software from various websites and forums.

Essentially, this adversary is trying to turn other hackers into victims, taking over their machines for reasons that could range from conducting distributed denial of service attacks to stealing data, according to a blog post today by Cybereason, featuring research from Amit Serper, VP of security strategy and principal researcher with the company's Nocturnus security research team. Indeed, njRat offers up many nefarious possibilities, with capabilities that include keylogging, taking screenshots, recording via webcams and microphones, and file manipulation and exfiltration.

The campaign, identified by the Cybereason Nocturnus team, has apparently been taking place for years and has generated nearly 1,000 malware samples in that time, with new variations of njRAT being added on a daily basis.

"It is safe to assume that many individuals have been infected by this campaign (although at the moment we are unable to know exactly how many)," the blog post states. "It is clear the threat actors behind this campaign are using multiple servers, some of which appear to be hacked WordPress blogs. Others appear to be the infrastructure owned by the threat group, judging by multiple hostnames, DNS data, etc."

Among the downloadable tools used as bait to lure in hackers is SQLi Dumper, which is leveraged to execute SQL injections and data dumps. Cybereason traced a keygen for a trojanized SQLi Dumper file to a MediaFire file share website belonging to Reversing the Noobs (RTN), a community for reverse engineering and coding that writes cracks to certain programs. Cybereason says it also discovered a link to the MediaFire website on a Blogspot-hosted blog that offering some of the trojanized hacking tools.

However, not every njRAT sample is installed via a downloaded cracked hacking or pentesting tools. In some cases, the campaign actors instead are leveraging the promise of Chrome installers, native Windows applications and other programs, Cybereason further reports. This suggests that the malware actors have multiple intended target groups, the blog post continues.

According to Cybereason, samples of the malware have been calling out to a number of domains, including, a legitimate WordPress website, operated by an Indian pen manufacturing company, that was hacked to be an njRAT repository. Another domain is, which at one time was a Turkish Minecraft gaming website.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.