Remote Access Tools, or RATs, are malware written to control networks of compromised computers, known as botnets. The malware authors or owners then use these botnets to mount massive DDoS campaigns against adversaries through the compromised computers. They can also use the compromised computers to launch spamming campaigns or to sniff traffic. Some botnets also enable keylogging to steal user names, passwords and so on. All in all, RATs are dangerous weapons in the wrong hands. Symantec has been analysing a RAT named njRAT (Backdoor.Ratenjay) and has concluded that it is the most favoured RAT among users in Middle Eastern countries.


Symantec says it analyzed about 721 samples of njRAT and discovered that it is highly popular in the Middle East and North Africa: Saudi Arabia, Iraq, Tunisia, Egypt, Algeria, Morocco, the Palestinian Territories and Libya.

Symantec uncovered a fairly large number of infections, with 542 command-and-control (C&C) server domain names found and 24,000 infected computers worldwide. It says that almost 80 percent of the C&C servers it discovered were located in the above regions. Symantec also found that the majority of the C&C server IP addresses were traced to ADSL lines. This, Symantec says, indicates that most attackers using the malware could be home users in the Middle Eastern region.

njRAT shares most of its features with common RATs available in the wild worldwide. It can carry and execute an additional payload; execute shell commands; read and write registry keys; capture screenshots; log keystrokes; and snoop on webcams. njRAT was first noticed in the wild in June 2013, and as of today three versions are active around the world. The most preferred medium of propagation of njRAT is a USB drive or a networked drive.

Symantec reasons that it is popular in the Middle East because, first of all, it is written by a Kuwait-based author who uses the Twitter handle @njq8. The author also provides updated versions of njRAT through this Twitter account. Because the malware author is from the region, so are the online communities providing tutorials, support and instructions for using the malware. Most of these online communities are based in the Middle East and use Arabic as their preferred language of communication.

Another reason is that the Middle East is now a hotbed of socio-political activity and of hacktivists who support movements such as #OpFreeSyria, #OpArabia, #OpSaudi, #OpIsrael and so on. The most vociferous and lethal hackers are now operating out of Syria or are supporters of the pro-Syrian rebels or the pro-Assad regime. The hackers need ‘zombie’ computers to launch any meaningful attack on their adversaries, and njRAT is a perfect fit for them. One such group is the S.K.Y.P.E/Tagged group, which has C&C servers hosted in Egypt and Algeria. The group’s vector for infection is a screensaver hosted on the file sharing site ge.tt. When victims download the compressed .rar file containing the screensaver, they get an executable containing njRAT.

Source: Symantec