The Middle East became the talk of the town when Symantec found an active group of attackers spreading a piece of malware named njRAT. njRAT works like many other RATs (remote access tools), and according to Symantec it was developed and is supported by Arabic speakers. Many attackers are believed to use njRAT for ordinary cybercrime, but several groups have also used it to compromise political activists in the region. The malware has been available since June 2013, and three versions have been released so far. All of them can spread via infected USB or network drives.
Symantec analyzed 721 njRAT samples and found 24,000 infected computers across the globe and 542 command-and-control (C&C) server domain names. Almost 80% of these 542 C&C servers were located in the Middle East and North Africa, in countries such as Saudi Arabia, Iraq, Tunisia, Egypt, Algeria, Morocco, the Palestinian Territories, and Libya.
Symantec traced the IP addresses of the C&C servers and found that they belonged to ADSL lines, which suggests the attackers are home users in the Middle East region.
njRAT offers the capabilities typical of most RATs: downloading and executing additional malware, executing shell commands, reading and writing registry keys, capturing screenshots, logging keystrokes, and spying through the webcam.
An online community in the Middle East and North Africa provides strong support for the malware, including tutorials and instructions for its further development. All of these video tutorials are in Arabic. This level of support gives attackers an easy way to build both the tool and the server components of njRAT.
The author of the malware is a Kuwait-based individual who runs the Twitter account @njq8, where updates on new versions are announced.
Symantec also traced the malware author's WordPress page, which redirects to a BlogSpot page. The blog's visitor statistics show that the majority of its visitors come from Saudi Arabia.
Symantec also identified 487 attacker groups that use njRAT for hacktivism, information theft, and building botnets.
One of these groups is named S.K.Y.P.E/Tagged, and its C&C servers are located in Egypt and Algeria. The group hosted a screensaver on the file-sharing site ge.tt; when a victim downloads and opens the infected .rar archive, the system is infected with njRAT. Below is an image of the screensaver on the ge.tt file-sharing site.
Symantec believes the malware was circulated on web forums before its official release. The S.K.Y.P.E/Tagged group runs two C&C servers, njratmoony.no-ip.biz and njr.no-ip.biz. The number of infected computers increased in October and November 2012.
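As an added illustration (not from Symantec's report or this article), the following Python script shows the check a defender would run after reading the above: it scans DNS resolver log lines for the two C&C hostnames named in the article and, as a lower-confidence signal, flags any other lookup under the same no-ip.biz dynamic DNS suffix. The log format, the sample log lines and the idea of extending the suffix list are assumptions; only the two hostnames and the no-ip.biz suffix come from the article.

```python
import re

# C&C hostnames attributed to the S.K.Y.P.E/Tagged group in the article above.
NJRAT_CNC_HOSTS = {"njratmoony.no-ip.biz", "njr.no-ip.biz"}

# Dynamic DNS suffix shared by the two C&C hostnames. Only no-ip.biz is named
# on the page; adding further dynamic DNS suffixes is left to the analyst
# (assumption, not something the article lists).
DYNDNS_SUFFIXES = (".no-ip.biz",)

# Constructed sample resolver log (not real data). Assumed line format:
# "<timestamp> <client-ip> query <qname> <qtype>"
SAMPLE_LOG = """\
2014-03-10T09:12:01Z 10.0.0.15 query www.example.com A
2014-03-10T09:12:07Z 10.0.0.21 query njr.no-ip.biz A
2014-03-10T09:13:40Z 10.0.0.15 query NJRATMOONY.NO-IP.BIZ. A
2014-03-10T09:14:02Z 10.0.0.33 query update.no-ip.biz A
2014-03-10T09:14:09Z 10.0.0.40 query no-ip.biz.example.org A
2014-03-10T09:15:00Z 10.0.0.21 query njr.no-ip.biz A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$"
)


def normalize(qname):
    """Lower-case and strip the trailing dot so 'NJR.NO-IP.BIZ.' matches 'njr.no-ip.biz'."""
    return qname.rstrip(".").lower()


def classify(qname):
    """Return 'njrat-cnc' for a known C&C hostname, 'dyndns-suspect' for any
    other name under a dynamic DNS suffix, or None for everything else.
    Suffix matching is label-aware: 'no-ip.biz.example.org' is NOT flagged,
    because it merely contains the string rather than ending in the suffix."""
    name = normalize(qname)
    if name in NJRAT_CNC_HOSTS:
        return "njrat-cnc"
    if any(name.endswith(suffix) for suffix in DYNDNS_SUFFIXES):
        return "dyndns-suspect"
    return None


def scan_dns_log(text):
    """Parse resolver log lines and return one hit per flagged query."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        verdict = classify(m["qname"])
        if verdict:
            hits.append({
                "ts": m["ts"],
                "client": m["client"],
                "qname": normalize(m["qname"]),
                "verdict": verdict,
            })
    return hits


def clients_by_verdict(hits):
    """Group the client IPs that need triage by the strength of the signal."""
    out = {}
    for h in hits:
        out.setdefault(h["verdict"], set()).add(h["client"])
    return out


if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_LOG):
        print(h["ts"], h["client"], h["qname"], h["verdict"])
    print(clients_by_verdict(scan_dns_log(SAMPLE_LOG)))
```

A hit on one of the two exact hostnames is a direct indicator of njRAT's S.K.Y.P.E/Tagged infrastructure and the client should be isolated; a hit on an unrelated no-ip.biz name only says the host is talking to dynamic DNS infrastructure of the kind the article describes, so it is queued for triage rather than blocked outright.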
Symantec's concern is that njRAT is easily obtained, so many attackers will continue to use it, modifying the malware periodically to evade antivirus detection. The Electronic Frontier Foundation (EFF) and Citizen Lab have found njRAT being used to target Syrian opposition groups during the Syrian conflict.