HHHH: How Hackers Hack Hackers

The recipe for a classic cyber-attack includes two opposing parties: the offender and the victim. Traditionally, the former is a “lone wolf” criminal or a hacking group with evil intentions, and the latter is an innocent individual or an organization possessing valuable data or other sensitive digital assets that the adversary may want to go after.

In some scenarios, though, this logic undergoes a tweak that does not seem to get along with common sense. Malicious actors and their victims may end up in the same boat and suffer the consequences of a compromise orchestrated by other evildoers.

What makes crooks turn the usual attack workflow upside down and target like-minded felons? It depends. The weird role-switching game could be a way to knock competing criminals out of their malicious business. It may as well be an anonymous good samaritan’s move aimed at helping the intended victims avoid problems. In some cases, present-day Robin Hoods satisfy their ego by demonstrating their technical superiority over seasoned malefactors.

One way or another, it is regular users and businesses that benefit from counterintuitive hacks like that. The cases below show that hackers are not necessarily the only predators in the online threat landscape and may be hunted down by dexterous rivals.

Emotet botnet operators reaping what they sow

Emotet debuted in 2014 as an info-stealing campaign with a focus on banking credentials. As time went by, it was repurposed to spread malware that gains a foothold in a computer system and downloads extra payloads surreptitiously. To this end, its unscrupulous proprietors leverage a network of malicious or compromised websites storing harmful code.

Scam network stealThis cybercrime operation hinges on spam to lure users into visiting booby-trapped pages. In most scenarios, the fraudulent emails instruct recipients to open an attached Office document and enable macros in it. This slip-up triggers a malware download from a sketchy site behind the scenes.

In late July 2020, the success of the Emotet group’s activities started to dwindle. Security analysts found that someone had replaced malicious payloads on many web pages constituting the underlying botnet with amusing memes and animated Imgur GIFs.

One of these substitutes is the Hackerman meme. Another is an image of American celebrity James Franco. There are a few more laughable memes making the bad guys frown. According to security analysts, roughly a quarter of all payloads were serving silly GIFs instead of harmful applications when this hack was discovered.

Some spam emails spawned by Emotet operators arrive with a malware-riddled attachment on board, while others include hyperlinks that the would-be victim is instructed to click. The trick pulled off by the “white knight,” as researchers have dubbed him, works in the latter case.

Experts argue that the hack was most likely set in motion by obtaining access credentials for the open-source web shell used by the Emotet crew to control their malware-spreading botnet. It means that the crooks can get back on track sometime soon by replacing these passwords. In fact, they appear to be busy regaining access already. Some memes have already been replaced with scripts that reroute users to fake surveys wheedling out sensitive info.

Hacking tools poisoned by malware

The fact that the Dark Web is swarming with turnkey hacking tools is nothing new. These are either full-blown offensive utilities or cracked versions of them that use key generators to unleash all the adverse features. According to the findings of the Cybereason Nocturnus team, someone has been uploading decoy builds of these applications to hacking forums and websites frequented by threat actors.

The original installers are modified and laced with njRAT, a notorious Remote Access Trojan. Also known as Bladabindi, this dodgy code allows the double-dealing perpetrators to maintain backdoor access to other attackers’ systems. This way, the malefactors can perform reconnaissance and harvest data about their competitors’ modus operandi. The Trojan gives its operators full access to the plagued system’s files, passwords, web cam, and microphone.

Whereas the deceived attackers who end up installing the repurposed tools are getting what they deserve, this intricate operation has a caveat that puts regular users at risk as well. Whoever is behind these offbeat shenanigans gets access not only to other criminals’ computers, but they can also open a backdoor to innocent users’ machines previously compromised by the original targets.

The researchers also found that these malicious actors are coining new knockoff hacking tools on a daily basis. They mostly host their payloads on previously breached WordPress installations that have unpatched vulnerabilities.

Web skimming crooks outsmart competitors

In 2018, two cybercriminal groups operating under the wide umbrella of the so-called MageCart operation were waging a cyberwar. The confrontation broke out after this cartel compromised the website of Umbro Brazil and injected web skimming code into it. On a side note, this foul play allows criminals to exploit scripts loaded on e-commerce sites during checkout and thereby intercept buyers’ credit card information.

Following the successful hack, a crew of threat actors leveraged surreptitious code that detects other web skimming instances on a server. If it spots another skimmer doing its job, it seizes the stolen payment information and modifies the last digit in each credit card number before these details go to the rival.

Interestingly, the meticulous attackers did not use the correct card numbers themselves. What they ultimately wanted to do is ruin the competitors’ reputation. Here is how.

Once skimmers amass a database of payment credentials, they sell it on the black market to whoever offers the highest bid. If these details turn out to be inaccurate and the angry buyer spreads the word about it, nobody will ever want to deal with these sellers again. In plain words, the criminals will have to close up shop at the end of the day. In this particular case, one group of MageCart attackers was trying to wreck the business of another.

The curious case of rogue online pharma hacks

One of the reasons why the shady Internet pharmacy business was thriving in the late 2000s was because a group of disreputable Russian entrepreneurs built several empires promoting fake online drug stores. The breadcrumbs spilled by the parties behind these hoaxes led to a trio of huge online pharma affiliate networks that were active at the time: Glavmed, SpamIt, and Rx-Promotion. For the record, the first two companies on the list were attributed to the same criminals.

In summer 2010, as-yet-unknown individuals hacked the database for SpamIt and Glavmed and leaked this information to Brian Krebs, a well-known investigative journalist. It included a plethora of emails, chat logs, and financial documents related to these campaigns. Having analyzed the incriminating records, the researcher posted a series of articles shedding light on the inner workings of these dirty businesses.

Based on this data, Krebs found close ties between the pharma kingpins and Grum, the world’s most prolific spam botnet operating back in the day. He also unveiled details about the most successful pharma affiliates, including their lifestyle, victim count, and botnet servers they used.

In addition to unearthing this database, the unidentified hackers also compromised ChronoPay, one of the top online payment processing networks in Russia back then. It gained a bad reputation for being allegedly involved in credit card processing for massive fake antivirus and adware frauds. This company’s top executive Pavel Vrublevsky had purportedly co-founded the above-mentioned Rx-Promotion dodgy Internet pharmacy.

These hacks divulged the ins and outs of rogue online drug stores and major spam campaigns underlying them. The evidence was also used to pinpoint the proprietors of these criminal organizations. It is within the realms of possibility that we are now seeing little pharma spam because some ne’er-do-wells sabotaged their rivals a decade ago. Owing to Brian Krebs, this move gained enough publicity to cause a dramatic decline in these abominable operations.

The bottom line

Malicious actors in the cybercrime arena are not necessarily friends. They can be foes. Greed, jealousy, and personal ambitions often eclipse their moral principles and encourage them to target each other. Sometimes, though, black hats act like white knights who save potential victims the trouble of recovering from detrimental attacks. What all of these cases have in common is that criminals – at least some of them – are the losers. That is definitely good news for everyone on the other side of the fence.

Save 40%

On monthly and annual plans

Lifetime Deals

Only during BF sales!




We won't spam you. Unsubscribe any time.

Wait! Before you go!

Get 10% discount for any WP Security Ninja plan!


Subscribe to our newsletter for new releases, discounts and general WordPress Security news. Sprinkled with other interesting stuff :-)

WordPress Turns 20: Save 20% Now!



Code valid till June 26th 2023

10% OFF

Subscribe to our newsletter

* We do not spam or share your email

Discount on any Security Ninja plan

and get

Hi and welcome back :-)