Simple njRAT Fuels Nascent Middle East Cybercrime Scene
Symantec has observed the growth of indigenous groups of attackers in the Middle East, centered around a simple piece of malware known as njRAT. While njRAT is similar in capability to many other remote access tools (RATs), what is interesting about this malware is that it is developed and supported by Arabic speakers, resulting in its popularity among attackers in the region. The malware can be used to control networks of computers, known as botnets. While most attackers using njRAT appear to be engaged in ordinary cybercriminal activity, there is also evidence that several groups have used the malware to target governments in the region.

Symantec analyzed 721 samples of njRAT and uncovered a fairly large number of infections, with 542 command-and-control (C&C) server domain names found and 24,000 infected computers worldwide. Nearly 80 percent of the C&C servers were located in regions in the Middle East and North Africa, including Saudi Arabia, Iraq, Tunisia, Egypt, Algeria, Morocco, the Palestinian Territories and Libya.

Figure 1. Majority of njRAT C&C servers are found in the Middle East and North Africa

The majority of the C&C server IP addresses were traced to ADSL lines, which indicates that most attackers using the malware could be home users in the Middle Eastern region.

njRAT is not new on the cybercrime scene. It has been publicly available since June 2013 and three versions have already been released, all of which can be propagated through infected USB keys or networked drives. The malware has the basic features common in most RATs. It can download and execute additional malware, execute shell commands, read and write registry keys, capture screenshots, log keystrokes and snoop on webcams.

Strong online support for Middle East home users

The main reason for njRAT's popularity in the Middle East and North Africa is a large online community providing support in the form of instructions and tutorials for the malware's development. The malware's author also appears to hail from the region. njRAT appears to have been written by a Kuwait-based individual who uses the Twitter handle njq8. The account has been used to provide updates on when new versions of the malware are available to download.

Figure 2. The creator of njRAT announcing in a tweet that version 0.7 of njRAT is available to download.

Symantec has also located the malware author's WordPress webpage, which redirects to another Blogspot webpage. The latter displays visitor statistics, indicating that the majority of the blog's visitors come from Saudi Arabia, as shown below.

Figure 3. The visitor statistics of njq8's Blogspot Web page

Technical support and tutorials on using njRAT are widely available on the Web. Symantec has found numerous video tutorials in the Arabic language containing step-by-step processes for downloading and setting up the malware, including steps such as dynamic DNS naming for C&C servers. This level of support enables attackers in the region to easily build tools and server components for njRAT.

Figure 4. Description of a video tutorial of how to build an njRAT on hacking group MaDLeeTs's website

Figure 5. The latest three tutorials on Anonymous Iraq's YouTube channel are on obfuscating njRAT to evade antivirus software

Hacker groups launch targeted attacks with njRATs

Most njRAT users seem to be home users who are interested in online pranks such as spying on webcams or taking screenshots of victims' computers. However, infections have also been recorded on the networks of a number of governments and political activists. Symantec has identified 487 groups of attackers mounting attacks using njRAT. These attacks appear to have different motivations, which can be broadly classed as hacktivism, information theft, and botnet building.

One such group is the S.K.Y.P.E Tagged group, which has C&C servers hosted in Egypt and Algeria. The group's vector for infection is a screensaver hosted on the file sharing site ge.tt. When victims download the compressed .rar file containing the screensaver, they get an executable containing njRAT.

Figure 6. The infected screensaver created by the S.K.Y.P.E Tagged group on the ge.tt file sharing site

It is also interesting to note that the infected file hosted on ge.tt was dated November 20, 2012, because njRAT only became publicly available in June 2013. It would appear that njRAT had already been created prior to that date and it is likely that the malware was disseminated among small groups of people, such as on a closed Web forum, prior to its public release. Symantec has also observed that infection numbers spiked around the time this copy of njRAT was uploaded on ge.tt. The S.K.Y.P.E Tagged group uses two C&C servers: njratmoony.no-ip.biz and njr.no-ip.biz. The number of newly infected computers reporting to both servers spiked in October and November of 2012.

Figure 7. The daily infection rate of computers reporting to the S.K.Y.P.E Tagged group's C&C servers, njratmoony.no-ip.biz and njr.no-ip.biz

njRAT signals growing cybercrime community

As large numbers of Middle Eastern attackers continue to use njRAT due to its accessibility, Symantec expects that they will try to find new ways of obfuscating the malware to evade detection by antivirus software. They are likely to continue to use njRAT since an Arabic-speaking community and its Arabic author continue to provide support for the malware. The more advanced threat actors, such as hacker groups, may continue to use njRAT for targeted attacks in the short term. For example, a report by the Electronic Frontier Foundation (EFF) and Citizen Lab found that njRAT is one of a number of tools being used to target Syrian opposition groups during the Syrian conflict. However, Symantec anticipates that such groups will eventually depart from using publicly-available tools like njRAT and begin to develop their own tools and more advanced RATs for cyberattacks.

Symantec detects this threat as Backdoor.Ratenjay.
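The article names two dynamic DNS C&C hostnames for the S.K.Y.P.E Tagged group and describes the "newly infected computers per day" view of Figure 7. The following is an added example, not code from the article or from Symantec: it scans DNS resolver log lines for queries to those two domains, flags any other host under the same no-ip.biz dynamic DNS zone for review (that generalisation is an assumption, not something the article states), and counts, per C&C domain and day, how many internal clients were seen querying it for the first time. The log lines and the simplified "date client qname" format are constructed for the example.

```python
"""Detection over DNS resolver logs for the njRAT C&C domains named in the
article, plus a per-day count of newly seen clients per C&C domain."""

from collections import defaultdict
from datetime import date

# Indicators taken from the article. The no-ip.biz suffix rule is an assumption
# generalised from them: a hit only means "review", not "infected".
KNOWN_CC_DOMAINS = {"njratmoony.no-ip.biz", "njr.no-ip.biz"}
DYNDNS_SUFFIXES = (".no-ip.biz",)

# Constructed sample log lines (not real resolver output): "date client qname".
SAMPLE_LOG = """\
2012-10-03 10.0.0.15 njratmoony.no-ip.biz
2012-10-03 10.0.0.15 www.example.com
2012-10-03 10.0.0.22 njr.no-ip.biz
2012-10-04 10.0.0.15 njratmoony.no-ip.biz
2012-10-04 10.0.0.31 njratmoony.no-ip.biz
2012-10-04 10.0.0.40 other-host.no-ip.biz
2012-10-05 10.0.0.22 njr.no-ip.biz
2012-10-05 10.0.0.57 njr.no-ip.biz
"""


def parse_line(line):
    """Split one log line into (date, client, qname); None for malformed input."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        d = date.fromisoformat(parts[0])
    except ValueError:
        return None
    # Normalise the query name: lower-case, no trailing dot.
    return d, parts[1], parts[2].lower().rstrip(".")


def classify(qname):
    """'known_cc' for the article's C&C domains, 'dyndns' for other hosts in
    the same dynamic DNS zone, None for everything else."""
    if qname in KNOWN_CC_DOMAINS:
        return "known_cc"
    if qname.endswith(DYNDNS_SUFFIXES):
        return "dyndns"
    return None


def scan(log_text):
    """Return (alerts, new_per_day).

    alerts: list of (date, client, qname, label) for every flagged query.
    new_per_day: {(cc_domain, date): number of clients first seen querying it
    on that day}, i.e. the daily "newly reporting" count of Figure 7.
    """
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    records.sort(key=lambda r: r[0])  # first-seen logic needs date order

    alerts = []
    first_seen = {}
    new_per_day = defaultdict(int)
    for d, client, qname in records:
        label = classify(qname)
        if label is None:
            continue
        alerts.append((d, client, qname, label))
        if label == "known_cc" and (qname, client) not in first_seen:
            first_seen[(qname, client)] = d
            new_per_day[(qname, d)] += 1
    return alerts, dict(new_per_day)


if __name__ == "__main__":
    found, daily = scan(SAMPLE_LOG)
    for d, client, qname, label in found:
        print(f"{d} {client} -> {qname} [{label}]")
    for (domain, d), n in sorted(daily.items()):
        print(f"{d} {domain}: {n} newly seen client(s)")
```

Blocking the two known hostnames at the resolver is the obvious response; the per-day first-seen count is what lets a responder tell a one-off lookup from the kind of spike the article describes around October and November 2012.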