Middle Eastern hackers use remote access Trojan to infect 24,000 machines worldwide

Security firm Symantec has uncovered 487 groups actively using njRAT malware, claiming the malicious users have managed to infect 24,000 machines worldwide.

Symantec threat lab researchers reported the campaigns in a blog post, confirming the hackers are using the njRAT malware for a variety of purposes.

"Symantec has identified 487 groups of attackers mounting attacks using njRAT. These attacks appear to have different motivations, which can be broadly classed as hacktivism, information theft and botnet building," the researchers said.

"The malware can be used to control networks of computers, known as botnets. While most attackers using njRAT appear to be engaged in ordinary cyber-criminal activity, there is also evidence that several groups have used the malware to target governments in the region."

Symantec said the attacks mainly originate from the Middle East, though they have managed to infect thousands of systems worldwide.

"Symantec analysed 721 samples of njRAT and uncovered a fairly large number of infections, with 542 control and command (C&C) server domain names found and 24,000 infected computers worldwide," read the post.

"Nearly 80 percent of the C&C servers were located in regions in the Middle East and North Africa, including Saudi Arabia, Iraq, Tunisia, Egypt, Algeria, Morocco, the Palestinian Territories and Libya. "

The njRAT malware is a simple attack tool that originally appeared for download on several black market forums in June 2013.

The malware grants hackers basic powers, such as the ability to download and execute additional malware on infected systems, execute shell commands, read and write registry keys, capture screenshots, log keystrokes and hijack control of webcams.

The Symantec researchers said they expect hackers' interest in njRAT to end fairly quickly, as the new hacker groups realise its limitations and move on to more advanced malware.

"The more advanced threat actors, such as hacker groups, may continue to use njRAT for targeted attacks in the short term," read the post.

"For example, a report by the Electronic Frontier Foundation (EFF) and Citizen Lab found that njRAT is one of a number of tools being used to target Syrian opposition groups during the Syrian conflict. However, Symantec anticipates that such groups will eventually depart from using publicly available tools like njRAT and begin to develop their own tools and more advanced RATs for cyber attacks."

Symantec's discovery follows wider reports within the security community that hackers are tweaking their attacks to use RATs. Advanced threat specialist FireEye uncovered evidence in February that hackers are dropping standard malware such as Zeus, in favour of more advanced but harder-to-use RATs, such as Xtreme RAT.

• Tweet  
• Facebook  
•  
•  
• Save this article  
• Send to  

• Topics
• Security
• Symantec
• Hacking
• cyber-crime
• malware