Researchers recently discovered malicious activity involving multiple infostealer RATs and mining malware, and named it "HydroJiin". The attacker sells malware and lurks in various forums that serve as common meeting places for junior to mid-level cybercriminals. Researchers speculate that the malware author runs a wide range of operations involving both commodity and custom malware sold on the underground market.
The scope of the activity is currently unclear. The campaign uses many different techniques to increase its chances of successfully infiltrating an organization, with payloads and infection vectors ranging from commercial RATs to custom malware, email spam, backdoors disguised as cracked software, and other decoys.
The following are the characteristics of the malicious activity:
● Multi-stage infection chain
● A custom Python-based backdoor deployed alongside other RATs (NetWire and Quasar)
● The Python backdoor's command check function for macOS suggests that more cross-platform functionality may appear in the future
● The activity is tied to an attacker who also distributes multiple malicious tools through a dedicated malware e-commerce website
● The backdoor payload is similar to the one seen in the CobianRAT case
● Pastebin is used heavily to host encoded payloads
The infection chain is as follows:
The infection begins with the delivery of a downloader that fetches multiple payloads. The distribution method of this downloader cannot currently be confirmed, but researchers suspect the attacker used spam and cracked software. Once initial access is gained, the downloader retrieves three files:
● Injector: used to inject the downloaded payload into a legitimate process.
● NetWire RAT: a commercial RAT used to control infected systems and steal information.
● Downloader shellcode: obfuscated Meterpreter-based shellcode that downloads further payloads. This shellcode downloads the Pyrome Python backdoor; socat and the xmrig miner are also downloaded, and finally the xmrig component downloads another RAT called Quasar.
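The chain above leaves a recognizable footprint on a web proxy: a burst of Pastebin raw fetches from one host followed by mining-pool traffic. The following detection logic is an added example and not part of the original report; the log format, stage patterns, ports and correlation window are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not from the report): "timestamp host url"
SAMPLE_LOG = """\
2021-03-01T10:00:01 ws-17 https://pastebin.com/raw/AbCdEf12
2021-03-01T10:00:04 ws-17 https://pastebin.com/raw/ZyXwVu34
2021-03-01T10:01:10 ws-17 tcp://pool.example-mining.invalid:3333
2021-03-01T10:02:00 ws-17 https://pastebin.com/raw/QqWwEe56
2021-03-01T10:05:00 ws-02 https://pastebin.com/raw/SingleOne
2021-03-01T11:00:00 ws-09 https://updates.example.invalid/patch.msi
"""

# Assumed stage signatures for the infection chain described above
STAGE_PATTERNS = {
    "pastebin_raw": re.compile(r"^https?://pastebin\.com/raw/", re.I),
    "mining_pool": re.compile(r":(3333|4444|5555|14444)$|stratum", re.I),
}
WINDOW_SECONDS = 600  # assumed correlation window after the first stage hit

def parse_line(line):
    ts, host, url = line.split(maxsplit=2)
    return datetime.fromisoformat(ts), host, url

def find_chains(log_text, window=WINDOW_SECONDS, min_pastes=2):
    """Return hosts whose traffic matches the staged pattern: at least
    `min_pastes` Pastebin raw fetches plus mining-pool traffic, all within
    `window` seconds of the host's first stage hit."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, host, url = parse_line(line)
        for stage, pattern in STAGE_PATTERNS.items():
            if pattern.search(url):
                events[host].append((ts, stage))
    flagged = {}
    for host, evs in events.items():
        evs.sort()
        start = evs[0][0]
        within = [s for t, s in evs if (t - start).total_seconds() <= window]
        pastes = within.count("pastebin_raw")
        if pastes >= min_pastes and "mining_pool" in within:
            flagged[host] = {"pastebin_raw": pastes,
                             "mining_pool": within.count("mining_pool")}
    return flagged

if __name__ == "__main__":
    for host, counts in find_chains(SAMPLE_LOG).items():
        print(f"{host}: possible staged downloader chain {counts}")
```

A single Pastebin fetch (ws-02) is deliberately not flagged; the rule keys on the combination of repeated encoded-payload fetches and miner traffic that the chain produces.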
Researchers believe the campaign was launched by an attacker using the aliases "Hydro" and "JiiN". The attacker has been active on forums such as hackforums[.]net since 2010 and on YouTube since at least 2007. Initially involved in game mods and cracking, the attacker eventually moved into malware. Researchers assess with high confidence that the attacker is from a French-speaking region.
The attacker's other alias, JiiN, is used to operate a malware store called "JiiN shop" at xmr-services[.]com. Based on these two aliases, researchers refer to the actor as HydroJiin.
HydroJiin has been in the malware business for some time, not only selling a variety of malware but also running his own campaigns. This attacker may not be considered very advanced, but he uses a variety of tools, techniques, and methods to continually increase the chances of a successful attack.