I am not used to report malware analysis made by “big security companies” since easy to find in planty of media. Linking such a reports to my blog is useless because many of my reders would probably read those feeds before my blog. However today I ‘d like to share a pretty nice article written by Symantec titled: Simple njRAT Fuels Nascent Middle East Cybercrime Scene. The described Malware (“njRAT”) is an old and simple malware already well described in reports: 1009 and 1010 by General Dynamics. The malware could be taken back to hacker team called “STTEAM” (2013), one of the last born Middle East hacking teams. For the time being, the last malware’ built and its own CandC could be find on the “official” njRat website (high risk of infection on that site). Underground sources assert one of the main .net developers behind njRat is called “Zehir” (firstname.lastname@example.org) already known for a revisited version of the ancient “asp shell”.
Image taken from here.
Beside technical notes — if you are interested on “bits and bytes” regarding this specific topic please refer to reports 1009 and 1010 by General Dynamics — what is interesting on this malware is its geolocalization. It has been developed in “middle east” and it is spreading on most of the Middle East and North Africa regions, including Saudi Arabia, Iraq, Tunisia, Egypt, Algeria, Morocco, the Palestinian Territories and Libya as the images shows up.
Quoting the Symantec report:
“The main reason for njRAT’s popularity in the Middle East and North Africa is a large online community providing support in the form of instructions and tutorials for the malware’s development. The malware’s author also appears to hail from the region. njRAT appears to have been written by a Kuwait-based individual who uses the Twitter handle @njq8. The account has been used to provide updates on when new versions of the malware are available to download.”
I am deeply fascinated on the fast paradigm change of the malware distribution. Few years ago the malware writers would never let public his/her email address and/or his/her twitter account even if fake ones, nowadays malware writers let their signature on what they deliver without caring too much about identity protection. Thanks to their uncovered traces is possible to profile them such as: where they are from, which programming language they prefer, what malware they have already written, what is the favorite target, what websites they reads and so forth and so on. On my personal point of view this behavior is due to the last hiring fashion ( namely: hire a hacker!) which makes hacker heros. Lets think about it and how fast the malware world is growing up.