njRAT

Description

(Carbon Black) njRAT is a Remote Access Trojan (RAT) that will silently collect and steal sensitive information such as login credentials. It can also perform keylogger monitoring, remote desktop control, installing additional malicious software, and many other malicious activities on the victim’s computer. In addition, njRAT is still a malware family that is being actively distributed via various methods such as spear-phishing, malvertising, exploit kits and other techniques. Figure 1 shows a screenshot for the njRAT Panel Menu.

Depending on the configuration taken from the attackers in njRAT panel, the features it provided can be used to perform malicious activities such as stealing sensitive data/information, disabling security software, install additional malicious payload to the victim’s computer and many more harmful actions. Upon the execution of njRAT, it will connect to the command and control (C&C) server, allowing the attacker to perform malicious activity on the victim’s machine.

Other than that, it will create copies of itself in the %Temp% folder and rename itself by masquerading as a legitimate binary. In this example it was renamed to ‘svhost.exe’ which is trying to imitate ‘svchost.exe’. Furthermore, it tries to hide its persistence from the user by setting the file attributes as ‘Hidden’ onto the original and the copy of the binary.

Moreover, it will also make a copy of itself in the “%AppData%\Microsoft\Windows\Start Menu” folder and create or modify the registry key for persistence to ensure it will be executed on startup. The following event logs from CB Threat Hunter shown below display the relevant events.

Names

Name
njRAT
Bladabindi
Jorik

Category

Malware

Type

• Backdoor
• Keylogger
• Credential stealer
• Info stealer
• Downloader
• Exfiltration

Information

• https://www.carbonblack.com/2019/12/10/threat-analysis-unit-tau-threat-intelligence-notification-njrat/
• http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf
• http://csecybsec.com/download/zlab/20171221_CSE_Bladabindi_Report.pdf
• http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/
• https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services
• https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/
• https://unit42.paloaltonetworks.com/njrat-pastebin-command-and-control/
• https://www.zscaler.com/blogs/research/njrat-pushes-lime-ransomware-and-crypto-wallet-grabbers

Mitre Attack

• https://attack.mitre.org/software/S0385/

Malpedia

• https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Alienvault Otx

• https://otx.alienvault.com/browse/pulses?q=tag:njRAT

Other Information

Uuid

a442ea06-de48-42e2-beb3-7f2ce7a438b5

Last Card Change

2021-01-20