Hacker Distributes Backdoored IoT Vulnerability Scanning Script to Hack Script Kiddies

If you are searching for free hacking tools on the Internet, then beware—most freely available tools claiming to be the Swiss Army knife for hackers are nothing but a scam.

For example, Cobian RAT and a Facebook hacking tool that we previously reported on The Hacker News really could hack, but their victim was the person using them, not the person that user wanted to hack.

Now, a security researcher has spotted another hacking tool—this time a PHP script—which is freely available on multiple popular underground hacking forums and allows anyone to find internet-connected IP cameras running a vulnerable version of the GoAhead embedded web server.
However, after closely analysing the scanning script, Newsky Security researcher Ankit Anubhav found that the tool also contains a secret backdoor, which essentially allows its creator to “hack the hacker.”
“For an attacker’s point of view, it can be very beneficial to hack a hacker,” Anubhav said.
“For example, if a script kiddie owns a botnet of 10,000 IoT and if he gets hacked, the entire botnet is now in control of the attacker who got control of the system of this script kiddie. Hence, by exploiting one device, he can add thousands of botnets to his army.”
The rise of IoT botnets and the release of the source code of Mirai—the biggest IoT-based malware threat that emerged last year and took down Dyn DNS service—have encouraged criminal hackers to build their own massive botnets, either to launch DDoS attacks against their targets or to rent them out to earn money.

As shown in the self-explanatory flowchart, this IoT scanning script works in four steps:
First, it scans a set of IP addresses to find GoAhead servers vulnerable to a previously disclosed authentication bypass vulnerability (CVE-2017-8225) in Wireless IP Camera (P2P) WIFI CAM devices.
In the background, it secretly creates a backdoor user account (username: VM | password: Meme123) on the wannabe hacker’s system, giving the attacker the same privileges as root.
The script also extracts the IP address of the wannabe hacker, allowing the script author to access the compromised system remotely.
Moreover, it also runs another payload on the script kiddie’s system, eventually installing a well-known botnet, dubbed Kaiten.
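For defenders checking a machine on which such a script has been run, the following added example (not code from the article or from the researcher) audits passwd-format data for the account described above. The username VM comes from the article; treating any non-root UID 0 entry as suspicious is an assumption about how root-equivalent privilege is commonly granted, and the sample data is constructed.

```python
from dataclasses import dataclass

# Username the article reports for the implanted account.
REPORTED_BACKDOOR_USER = "VM"

@dataclass
class Finding:
    user: str
    uid: int
    reason: str

def audit_passwd(text):
    """Return findings for suspicious accounts in /etc/passwd-format text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comment lines
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding(fields[0], -1, f"malformed entry on line {lineno}"))
            continue
        user, uid_field = fields[0], fields[2]
        try:
            uid = int(uid_field)
        except ValueError:
            findings.append(Finding(user, -1, f"non-numeric UID on line {lineno}"))
            continue
        if user == REPORTED_BACKDOOR_USER:
            findings.append(Finding(user, uid, "username matches reported backdoor account"))
        # Assumption: root-equivalent privilege is granted through UID 0.
        if uid == 0 and user != "root":
            findings.append(Finding(user, uid, "non-root account with UID 0"))
    return findings

# Constructed sample, not taken from a real host.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
VM:x:0:0::/home/VM:/bin/bash
"""

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for f in audit_passwd(data):
        print(f"{f.user} (uid={f.uid}): {f.reason}")
```

Run it with `/etc/passwd` as the argument to audit a real host; a clean result does not rule out the other payload the article mentions.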
This tool is another example of backdoored hacking tools increasingly being distributed at various underground forums to hack the hacker.
In September, a backdoored Cobian RAT builder kit was spotted on multiple underground hacking forums for free but was caught containing a backdoored module that aimed to provide the kit’s authors access to all of the victim’s data.

Last year, we reported on another Facebook hacking tool, dubbed Remtasu, that was actually a Windows-based Trojan with the capability to access Facebook account credentials, but those of the person who uses it to hack someone else.

The bottom line: examine free online tools very carefully before using them.

Source: TheHackerNews