There are 487 groups actively using njRAT malware, claiming the malicious users have managed to infect 24,000 machines worldwide, researchers said.
The hackers are using the njRAT malware for a variety of purposes, said Symantec threat lab researchers said in a blog post.
“Symantec has identified 487 groups of attackers mounting attacks using njRAT. These attacks appear to have different motivations, which can be broadly classed as hacktivism, information theft and botnet building,” the researchers said.
“The malware can be used to control networks of computers, known as botnets. While most attackers using njRAT appear to be engaged in ordinary cyber-criminal activity, there is also evidence that several groups have used the malware to target governments in the region.”
Symantec said the attacks mainly originate from the Middle East, though they infected thousands of systems worldwide.
“Symantec analyzed 721 samples of njRAT and uncovered a fairly large number of infections, with 542 control and command (C&C) server domain names found and 24,000 infected computers worldwide,” the researchers said.
“Nearly 80 percent of the C&C servers were located in regions in the Middle East and North Africa, including Saudi Arabia, Iraq, Tunisia, Egypt, Algeria, Morocco, the Palestinian Territories and Libya. ”
The njRAT malware is a simple attack tool that originally appeared for download on several black market forums in June 2013.
The malware grants hackers basic powers, such as the ability to download and execute additional malware on infected systems, execute shell commands, read and write registry keys, capture screenshots, log keystrokes and hijack control of webcams.
The Symantec researchers said they expect hackers’ interest in njRAT to end fairly quickly, as the new hacker groups realize its limitations and move on to more advanced malware.
“The more advanced threat actors, such as hacker groups, may continue to use njRAT for targeted attacks in the short term,” the researchers said.