Vietnamese hackers have been hacking other hackers for years

Tomcat



Cybereason has published a report stating that for years a hacking group has been releasing trojanized hacking tools almost daily to infect other attackers and gain access to their computers. For example, hacking tools were infected with the njRAT malware.

“It looks like an individual or group of people has taken a very cunning path in an effort to gain access to more machines,” Cybereason analysts told ZDNet. “Instead of actively hacking into machines on their own, they simply trojanized the tools, distributed them for free and hacked into the people who used those solutions.”

Studying the activities of this group, the researchers were able to track more than 1000 samples of njRAT, which indicates the considerable scope of this campaign. According to analysts, the backdoored tools are distributed through hacker forums and blogs dedicated to sharing free hacking tools.

Some of the infected solutions are designed for carrying out attacks, while others only allow commercial hacking tools to be used without purchasing a license. For example, the researchers found infected website scrapers, exploit scanners, Google dork generators, tools for performing automatic SQL injection, tools for brute-force attacks and for validating leaked credentials, and even versions of the Chrome browser infected with the njRAT trojan.

The infected tools usually communicated with a couple of domains, one of which was capeturk.com, registered using the credentials of a certain Vietnamese citizen. Although information about domain owners is often fake, especially if the domain is used as part of a malicious campaign, Cybereason experts note that many infected utilities were also uploaded to VirusTotal from a Vietnamese IP address. Apparently, the hacking group first checked the detection rate of its malware on VirusTotal, and then posted it on forums, blogs and other places. Based on this data, analysts conclude that the group is most likely based in Vietnam.
 