The strange tale of ischhfd83: When cybercriminals eat their own
At Sophos X-Ops, we often get queries from our customers asking if they’re protected against certain malware variants. At first glance, a recent question seemed no different. A customer wanted to know if we had protections for ‘Sakura RAT,’ an open-source malware project hosted on GitHub, because of media claims that it had “sophisticated anti-detection capabilities.”
When we looked into Sakura RAT, we quickly realized two things. First, the RAT itself was likely of little threat to our customer. Second, while the repository did indeed contain malicious code, that code was intended to target people who compiled the RAT, with infostealers and other RATs. In other words, Sakura RAT was backdoored.
Given our previous explorations of the niche world of threat actors targeting each other, we thought we’d investigate further, and that’s where things got odd. We found a link between the Sakura RAT ‘developer’ and over a hundred other backdoored repositories – some purporting to be malware and attack tools, others gaming cheats.
To read the complete article, see the Sophos article.