First identified as active in November 2012, ‘njRAT’, also known as ‘Bladabindi’ or ‘Njw0rm’, is a well established and prevalent remote access trojan (RAT) threat that was initially created by a cybercriminal threat group known as ‘Sparclyheason’ and used to target victims located in the Middle East. Undoubtedly following the source code leak, reportedly in May 2013, njRAT has become widely available on the cybercriminal underground with numerous variants being released over the years.
As is to be expected from any popular RAT threat, njRAT targets Microsoft Windows-based systems with common capabilities including:
- Remote control and view
- File execution, manipulation and transfer
- Remote shell
- Windows registry manipulation
- Audio and video record (via the microphone and webcam)
- Password stealer
Often indiscriminately targeting individuals and organizations, njRAT has been observed as delivered via malicious unsolicited email (malspam) campaigns as well as within weaponized versions of legitimate software. Furthermore, reinforcing the adage that there is no ‘honour among thieves’, weaponized versions of malicious tools, possibly including the RAT itself, and copyright-infringing downloads, such as those obtained via peer-to-peer file sharing networks, have been used to deliver njRAT to other unscrupulous individuals.
Malicious unsolicited email (malspam) campaigns culminating in the installation of njRAT were observed during October 2020 as utilizing a common ‘shipment tracking’ theme, mimicking popular courier and postal services, to deliver a Zip-compressed archive attachment containing an encoded Visual Basic script (VBE) payload.
Having been lured into opening the attachment, the VBE payload sends a ten character random string via a HTTP POST to a command and control (C2) server that responds with base64 data that, along with the random string, is saved in a Windows registry key. Subsequently, the VBE payload downloads the njRAT executable from a hard-coded URL, saved within the victim’s ‘Startup’ directory for persistence, before being launched.
Weaponized Legitimate Installer
Masquerading as a legitimate applications installer uploaded to file-sharing services, victims inadvertently downloading content from unofficial sources risk received njRAT alongside their desired application.
Upon execution, the legitimate installation proceeds in the foreground whilst Visual Basic and PowerShell scripts, or an executable, are dropped into the victim’s ‘Startup’ directory for persistence and launched to download the njRAT payload.
To evade detection, an encoded, obfuscated and potentially encrypted njRAT payload masquerading as an image file is hosted on a legitimate file-sharing service, such as Dropbox or Microsoft OneDrive. This tactic reduces the likelihood of blocking or detection, especially given the use of a legitimate service often utilized within the enterprise and appearing as a benign filetype that might not normally be subject to inspection.
Once downloaded, njRAT is decoded and decrypted prior to being injected into a legitimate process and launched.
Command & Control
Having been compromised via one of the various delivery methods, njRAT victim machines will call home to the threat actor’s command and control (C2) server.
Provided as a Windows executable and therefore not requiring any specific server configuration, unlike web-based threats, njRAT provides a simple C2 interface allowing the threat actor to easily interact with victim machines (Figure 1).
Figure 1 – Command & Control (Video capture of ‘njRAT v0.7d Green Edition’)
Based on recent observations, many threat actors deploying njRAT appear to favour Dynamic DNS (DDNS) hostnames and in doing so are able to update the C2 IP address, to which the DDNS hostname resolves, without the need to rebuild and redistribute the malicious njRAT payload.
No doubt adding to its appeal amongst lower-sophistication threat actors, an easy to use ‘builder’ application provides a simple interface (Figure 2) through which the payload can be configured.
Figure 2 – Builder (Video capture of ‘njRAT v0.7d Green Edition’)
In addition to being able to configure the malicious executable’s appearance and the persistence method, via a registry key or the Windows ‘Startup’ folder, command and control (C2) hosts are specified to allow the threat to ‘call home’ to the C2 component.
The final delivery method utilized is no doubt dependent on the sophistication and ingenuity of the threat actor, especially given that the njRAT toolset does not appear to provide any kind of ‘cryptor’ or ‘packer’.
Whilst there are some ‘as-a-service’ offerings on underground forums and marketplaces, such as offering to provide a prebuilt ‘undetectable’ njRAT payload and preconfigured C2, lower sophistication threat actors may simply attempt to deliver ‘built’ njRAT executables to potential victims that will be easily detectable by endpoint and network security solutions.
Conversely, those paying for access to pre-configured njRAT services or those with greater capabilities are more likely to employ evasion tactics, such as encrypting and packing the malware binary, as well as crafting convincing lures that maximize the chances of a successful campaign.
- Educate users on the risks of opening attachments or links from unsolicited emails.
- Educate users on the subtle difference between legitimate and malicious URLs, such as the use of Dynamic DNS services or typo-squat domains.
- Only download applications from legitimate trustworthy sources.
- Consider preventing the execution of script interpreters, such as PowerShell and VBScript, to prevent their misuse.
Indicators of Compromise
The following indicators of compromise (IOC) are consistent with recent campaigns and, as such, variations on the same theme may identify additional njRAT activity.
Command & Control (C2)
- HTTP GET .php?getserver=
- HTTP POST /crypt.php
- “%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\<FILENAME>.exe”