Information protection company Symantec has observed growth in indigenous groups of attackers in the Middle East and North Africa centered around a simple piece of malware known as njRAT.
It said although njRAT is similar in capability to many other remote access tools (RATs), it is developed and supported by Arabic speakers, resulting in its popularity among attackers in the region.
“The malware can be used to control networks of computers, known as botnets. While most attackers using njRAT appear to be engaged in ordinary cybercriminal activity, there is also evidence that several groups have used the malware to target governments in the region,” it said.
The company analyzed 721 samples of njRAT and uncovered a large number of infections, with 542 command-and-control (C&C) server domain names found and 24,000 infected computers worldwide.
About 80 per cent of the C&C servers were located in regions in the Middle East and North Africa, including Saudi Arabia, Iraq, Tunisia, Egypt, Algeria, Morocco, the Palestinian Territories and Libya.
Symantec said: “njRAT is not new on the cybercrime scene. It has been publicly available since June 2013 and three versions have already been released, all of which can be propagated through infected USB keys or networked drives.”
It linked njRAT’s popularity in the Middle East and North Africa to the availability of a large online community providing support in the form of instructions and tutorials for the malware’s development. The malware’s author also appears to hail from the region.
“Most njRAT users seem to be home users who are interested in online pranks such as spying on webcams or taking screenshots of victims’ computers. However, infections have also been recorded on the networks of a number of governments and political activists,” Symantec said.