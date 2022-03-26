A new trend in cyber scams has been discovered, and this time it’s hackers stealing from other hackers. Security analysts from two companies have documented several cases of hackers attacking their peers through forums frequented by hackers, such as “Russia black hat”, by hyping programs that actually contain malware.

The malware being spread hides in cracked RATs (Remote Access Trojans) or in builders used to create new malware. Everything points to the more experienced hackers targeting others who are just starting out or still learning, and who use these forums to obtain programs that help them spread malware.

In other words, a cybercriminal offers a program, a hacker buys it in order to infect third parties, and it turns out the buyer is the one who falls into a trap set by someone more experienced. Inexperienced threat actors jump at the chance to get free malware from the dark web or from loosely moderated sites and run it on their own systems.

Cracked versions of BitRAT and Quasar RAT

ASEC researchers observed bogus offers on hacking forums in which criminals lure would-be hackers with cracked versions of BitRAT and Quasar RAT. Both are commodity malware normally sold for between $20 and $100, and what the cracked versions actually deliver is a clipboard hijacker.

Those who try to download any of the offered files are sent to an Anonfiles page that delivers a RAR archive presented as the builder for the selected malware. The “crack.exe” file inside, however, is actually a ClipBanker installer: it copies the malicious binary to the startup folder and executes it on the first reboot. The one who ends up infected is therefore the would-be hacker.

A free month of AvD Crypto Stealer

A second report on this technique comes from Cyble: its analysts found a cybercrime forum post offering a free month of AvD Crypto Stealer. Here too, victims download what is supposed to be a malware builder and then run an executable called ‘Payload.exe’, assuming it will give them free access to the Crypto Stealer.

Instead, the executable is a clipper: it watches the clipboard for cryptocurrency wallet addresses and replaces them with one belonging to the malware operator, so that a victim who pastes an address into a transfer sends the funds to the attacker.

According to Cyble, the clipper targets Ethereum, Binance Smart Chain, Fantom, Polygon, Avalanche and Arbitrum addresses. Cyble also identified a Bitcoin address that had received 1.3 BTC (about $54,000) after hijacking 422 transactions.
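To make the clipper mechanism concrete, here is an added Python sketch written for this article; it is not code from the ASEC or Cyble reports, and not the AvD Crypto Stealer or ClipBanker code itself. It shows the two halves of the problem: the address-recognition step a clipper performs on every clipboard update (one regex covers every EVM chain the report lists, since they share the “0x” + 40 hex format, plus Bitcoin legacy and bech32 forms), and the defender-side check that flags a copy/paste pair in which two addresses of the same family differ. All wallet addresses and clipboard contents below are constructed for the demo and match only the address grammar, not any checksum.

```python
import re

# Address formats a clipper has to recognise. All the EVM chains named in the Cyble
# report (Ethereum, Binance Smart Chain, Fantom, Polygon, Avalanche, Arbitrum) use
# the same 20-byte "0x" + 40 hex format, so one pattern covers all of them. Bitcoin
# legacy (Base58, starts with 1 or 3) and bech32 (bc1...) are included because the
# operator's cash-out address in the report was a Bitcoin address. None of these
# patterns validates a checksum; they only decide "does this look like an address".
EVM_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")
BTC_LEGACY_RE = re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$")
BTC_BECH32_RE = re.compile(r"^bc1[ac-hj-np-z02-9]{39,59}$")  # lowercase form only


def classify(text):
    """Return 'evm', 'btc' or None for the clipboard text `text`."""
    s = text.strip()
    if EVM_RE.match(s):
        return "evm"
    if BTC_LEGACY_RE.match(s) or BTC_BECH32_RE.match(s):
        return "btc"
    return None


def clipper_rewrite(clipboard_text, operator_wallets):
    """Simulate the clipper's decision on one clipboard update.

    If the text is a recognised address and the operator holds a wallet of the same
    family, the operator's address is returned in its place; anything else passes
    through untouched, which is why victims rarely notice the tool is present.
    """
    kind = classify(clipboard_text)
    if kind is None or kind not in operator_wallets:
        return clipboard_text
    return operator_wallets[kind]


def detect_swap(copied, pasted):
    """Defender-side check for one copy/paste pair.

    Two wallet addresses of the same family that differ between copy and paste is the
    tell-tale of a clipper; requiring the same family keeps ordinary edits (pasting an
    unrelated string over an address) from being flagged.
    """
    kind_copied, kind_pasted = classify(copied), classify(pasted)
    return (kind_copied is not None
            and kind_copied == kind_pasted
            and copied.strip() != pasted.strip())


# Constructed for this demo: the "operator" wallets the simulated clipper swaps in.
# They satisfy the address grammar but are not real, funded addresses.
OPERATOR_WALLETS = {
    "evm": "0xde4dde4dde4dde4dde4dde4dde4dde4dde4dde4d",
    "btc": "bc1qx7k2m9ze4v8n3c5f0g6h2jpr4s9t3u7w5y8d2a",
}

# Constructed clipboard history of a victim: three wallet addresses plus two strings
# that look address-like but must be left alone.
CLIPBOARD_EVENTS = [
    "0xab12ab12ab12ab12ab12ab12ab12ab12ab12ab12",  # EVM address (ETH, BSC, Polygon, ...)
    "1DemoAddrForTestsABCDEFGHJKMNPQRS",            # legacy Bitcoin address (constructed)
    "bc1qar5wt3t3x0pfl0h9q3j5v4y8d2k7r6n9c8mu7e",  # bech32 Bitcoin address (constructed)
    "https://example.com/invoice/42",               # ordinary text
    "0x" + "ab" * 32,                               # 32-byte tx hash: hex, but not an address
]


def run_demo():
    """Feed the clipboard history through the simulated clipper and the detector.

    Returns the list of (copied, pasted) pairs the detector flags.
    """
    flagged = []
    for copied in CLIPBOARD_EVENTS:
        pasted = clipper_rewrite(copied, OPERATOR_WALLETS)
        if detect_swap(copied, pasted):
            flagged.append((copied, pasted))
    return flagged


if __name__ == "__main__":
    for copied, pasted in run_demo():
        print(f"swap detected: {copied} -> {pasted}")
```

Running it flags exactly the three wallet addresses and leaves the URL and the 64-hex transaction hash alone. The practical lesson for anyone handling crypto on a machine that has run “free” tooling from a forum is the same check done by hand: compare the first and last several characters of the pasted address against the one you copied before confirming a transfer, since a clipper swaps in an address of the same format precisely so that a glance does not reveal the change.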