What is njRAT Malware?
njRAT, also called Bladabindi and Njw0rm, is a remote access trojan used to remotely control infected machines. Its ready availability, the abundance of online tutorials, a robust core feature set and several built-in evasion techniques have made njRAT one of the most widely used RATs in the world.
This malware was first detected in 2013; however, related RATs had already been observed by researchers in 2012. The largest surge of njRAT attacks was recorded in 2014 in the Middle East, which remains the most targeted region for this malware.
General description of njRAT
njRAT is built on .NET framework. This RAT gives hackers the ability to control the victim’s PC remotely. njRAT allows attackers to activate the webcam, log keystrokes and steal passwords from web browsers as well as multiple desktop apps.
In addition, the malware gives hackers access to the command line on the infected machine. It allows attackers to kill processes and to remotely execute and manipulate files. On top of that, njRAT is capable of manipulating the system registry. Once it has infected a PC, the Bladabindi Trojan collects several bits of information about the machine it got into, including the computer name, operating system number, the computer's country, usernames and the OS version.
Also, this malware is able to target cryptocurrency wallet applications and steal cryptocurrency from PCs. For example, it is known to be able to grab bitcoins and even access credit card information which sometimes can be stored in crypto apps as a means to purchase cryptocurrency.
After infecting a computer, the malware adopts a variable file name and copies itself into %TEMP%, %APPDATA%, %USERPROFILE%, %ALLUSERSPROFILE% or %windir%, a behavior not uncommon for this type of malware. It can also copy itself into
njRAT has a few tricks up its sleeve to avoid detection by antivirus software. For example, it uses multiple .NET obfuscators to obfuscate its code. Another technique this malware uses is disguising itself as a critical process, which prevents the user from shutting it down and makes njRAT hard to remove from infected PCs. The Bladabindi RAT can also terminate processes that belong to antivirus software, allowing it to stay hidden. njRAT also knows how to detect whether it is running on a virtual machine, which helps the attackers set up countermeasures against researchers.
For spreading, njRAT can detect external hard drives connected via USB. Once such a device is detected, the RAT will copy itself onto the connected drive and create a shortcut.
Who created njRAT?
The creators of njRAT are members of an underground hacker community named Sparclyheason. Evidently, they have created a very popular and destructive piece of malware: njRAT was classified as "severe" by the Microsoft Malware Protection Center.
In fact, following a large malicious campaign in 2014, Microsoft shut down four million websites in an effort to filter traffic which was going through no-ip.com domains.
Interactive analysis of njRAT
ANY.RUN allows researchers to watch njRAT in action in an interactive sandbox simulation.
Figure 1: Displays the lifecycle of njRAT in a visual form as a process graph generated by ANY.RUN malware hunting service
Figure 2: A customizable text report generated by ANY.RUN allows researchers to take an even deeper look at the malware and helps to share the research results
njRAT execution process
In our simulation, after njRAT got onto the target device and began execution, it instantly started its malicious activity. Usually, the initial file renames itself and creates a child process. Sometimes the njRAT Trojan injects its code into legitimate processes such as RegSvcs.exe.
The malware also has the ability to run itself through Task Scheduler. This child process executes the main malicious activity. Such activity includes stealing information, connecting to C2 servers and changing the autorun value in the registry to run itself when the operating system starts.
Distribution of njRAT
njRAT uses quite a few attack vectors to infect its victims. For example, the malware is known to target Discord users as part of spam campaigns. In addition, it leverages cracks and keygens for well-known software in order to trick users.
Another known distribution method was a compromised website which tricked users into downloading a fake Adobe product update that in turn installed njRAT on the PC. Bladabindi has also featured in spam email campaigns, where it was delivered to potential victims as a malicious attachment.
How to detect njRAT using ANY.RUN?
To determine whether the sample under review is njRAT or not, you can take a look at the changes it made in the registry. To do so, open "Advanced details of process" for the malicious process and look at the "Registry changes" tab in the "Events" section. If the process has created a key named [kl] under the path HKEY_CURRENT_USER\Software\32_characters_and_digits, you can be sure that the given sample is njRAT.
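As an added example that is not part of the ANY.RUN article, the registry check described above written as a small Python script: it parses a constructed, tab-separated export of registry events (this export format is an assumption, not ANY.RUN's own report layout) and flags the creation of a key named [kl] under HKEY_CURRENT_USER\Software\<32 letters and digits>.

```python
import re

# Registry path the article gives as the njRAT indicator: a key named "[kl]"
# created directly under HKEY_CURRENT_USER\Software\<32 letters and digits>.
NJRAT_KL_KEY = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\[A-Za-z0-9]{32}\\\[kl\]$",
    re.IGNORECASE,
)

# Constructed sample of registry events, one per line, as "operation<TAB>key path".
# The hex-looking 32-character subkey names are made up for this example.
SAMPLE_EVENTS = """\
write\tHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater
create\tHKEY_CURRENT_USER\\Software\\5cd8f17f68d4e2b0a1f3c9e7b2d6a4f1\\[kl]
write\tHKEY_CURRENT_USER\\Software\\5cd8f17f68d4e2b0a1f3c9e7b2d6a4f1\\[kl]
create\tHKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache
create\tHKEY_LOCAL_MACHINE\\Software\\abcdefghijklmnopqrstuvwxyz012345\\[kl]
"""


def parse_events(text):
    """Split the export into (operation, key_path) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        op, _, path = line.partition("\t")
        events.append((op.strip().lower(), path.strip()))
    return events


def find_njrat_kl_keys(events):
    """Return the paths of [kl] keys whose creation matches the njRAT pattern.

    Only key-creation events count; later writes to the same key are ignored,
    and keys under other hives (e.g. HKEY_LOCAL_MACHINE) do not match.
    """
    return [path for op, path in events
            if op == "create" and NJRAT_KL_KEY.match(path)]


def is_probably_njrat(text):
    """True if the export contains at least one njRAT-style [kl] key creation."""
    return bool(find_njrat_kl_keys(parse_events(text)))


if __name__ == "__main__":
    for key in find_njrat_kl_keys(parse_events(SAMPLE_EVENTS)):
        print("njRAT indicator:", key)
```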
Figure 3: Changes made by njRAT in the registry
The relative ease of operation, the many tutorials on how to set up this malware and its very extensive information-stealing feature set have made this RAT one of the most popular remote access trojans in the world.
Even though the peak of its activity was recorded in 2014 and targeted mostly the Middle East and India, the njRAT Trojan remains extremely popular today. This malware is known to have targeted both private and corporate victims and poses a great danger to internet users, especially considering that it can be delivered to potential victims in several ways, and preventing infection is much harder in some cases than in others.
Even though the creators of the Bladabindi malware have taken several steps to hinder analysis, malware hunting services like ANY.RUN allow professionals to easily study njRAT samples and share the research results with the world to improve global cybersecurity.