njRAT

njRAT is a remote access Trojan. It is one of the most widely accessible RATs on the market and comes with an abundance of educational material; interested attackers can even find tutorials on YouTube. This has made it one of the most popular RATs in the world.

Type: Trojan
Origin: Middle East
First seen: 1 January, 2013
Last seen: 18 January, 2020
Also known as: Bladabindi, Njw0rm
Global rank: 10
Week rank: 11
Month rank: 7
IOCs: 1921

What is njRAT Malware?

njRAT, also called Bladabindi and Njw0rm, is a remote access trojan used to control infected machines remotely. Its availability, the abundance of online tutorials, a robust core feature set and several built-in evasion techniques have made njRAT one of the most widely used RATs in the world.

This malware was first detected in 2013, although researchers had observed related RATs in 2012. The largest surge of njRAT attacks was recorded in 2014 in the Middle East, the region most targeted by this malware.

General description of njRAT

njRAT is built on the .NET Framework. It gives attackers remote control of the victim's PC: they can activate the webcam, log keystrokes and steal passwords from web browsers as well as multiple desktop applications.

In addition, the malware gives attackers access to the command line on the infected machine, where they can kill processes and remotely execute and manipulate files. On top of that, njRAT can manipulate the system registry. On infection, Bladabindi collects several pieces of information about the host it landed on, including the computer name, the operating system and its version, the country of the computer and the usernames.

The malware is also able to target cryptocurrency wallet applications and steal cryptocurrency from infected PCs. For example, it is known to grab bitcoins and even to access credit card information, which is sometimes stored in crypto apps as a means of purchasing cryptocurrency.

After infecting a computer, the malware copies itself under a variable name into %TEMP%, %APPDATA%, %USERPROFILE%, %ALLUSERSPROFILE% or %windir%, a behavior not uncommon for this type of malware. It can also copy itself to <any string>.exe and register that copy so that it is activated every time the victim switches on the computer.

njRAT has a few tricks up its sleeve to avoid detection by antivirus software. For example, it uses multiple .NET obfuscators to obscure its code. Another technique is disguising itself as a critical process, which prevents the user from shutting it down and makes njRAT hard to remove from infected PCs. Bladabindi can also terminate processes belonging to antivirus software, allowing it to stay hidden. njRAT also knows how to detect whether it is running in a virtual machine, which helps attackers counter analysis by researchers.

For spreading, njRAT detects external drives connected via USB. Once such a device is detected, the RAT copies itself onto the drive and creates a shortcut pointing to the copy.

Who created njRAT?

njRAT's creators are members of an underground hacker community named Sparclyheason. Evidently, they have created a very popular and destructive piece of malware: njRAT was classified as "severe" by the Microsoft Malware Protection Center.

In fact, following a large malicious campaign in 2014, Microsoft shut down four million websites in an effort to filter the traffic going through no-ip.com domains.

njRAT malware analysis

ANY.RUN allows researchers to watch njRAT in action in an interactive sandbox.

Figure 1: The lifecycle of njRAT shown as a process graph generated by the ANY.RUN malware hunting service

Figure 2: A customizable text report generated by ANY.RUN allows an even deeper look at the malware and helps to share the research results

njRAT execution process

In our analysis, njRAT started its malicious activity immediately after execution on the target device. Usually, the initial file renames itself and creates a child process. Sometimes njRAT injects its code into legitimate processes such as RegSvcs.exe.

The child process carries out the main malicious activity: stealing information, connecting to C2 servers and changing the autorun value in the registry so that the malware runs when the operating system starts. The malware can also launch itself through the Task Scheduler.

Distribution of njRAT

njRAT uses quite a few attack vectors to infect its victims. For example, the malware is known to target Discord users in spam campaigns, and to pose as cracks and keygens for well-known software in order to trick users.

Another known distribution method was a compromised website that tricked users into downloading a fake Adobe product update, which in turn installed njRAT on the PC. Bladabindi has also featured in spam email campaigns, where it was delivered to potential victims as a malicious attachment.

How to detect njRAT using ANY.RUN?

To determine whether the sample under review is njRAT, look at the changes it made in the registry. Open "Advanced details of process" for the malicious process and check the "Registry changes" tab in the "Events" section. If the process has created a [kl] entry under HKEY_CURRENT_USER\Software\<32 characters and digits>, you can be confident that the sample is njRAT.

Figure 3: Changes made by njRAT in the registry
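The registry check above, together with the Run-key persistence described in the general description, as an added detection script that is not part of the original page or of ANY.RUN's own tooling. It runs two rules over registry-write events laid out like Sysmon Event ID 13 (writing process, key\value path, data written). The sample events, the field names, the 32-character victim ID treated as alphanumeric and the list of user-writable drop directories are all assumptions made for this example; the [kl] rule is the high-confidence indicator, while a Run entry pointing into a user-writable directory is only suggestive, because many other families do the same.

```python
import re
from dataclasses import dataclass

# Constructed registry-write events in the shape of Sysmon Event ID 13
# (image = writing process, target = key\value path, details = data written).
# These are made up for the example and are not from a real njRAT sample.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\bob\AppData\Roaming\server.exe",
     "target": r"HKU\S-1-5-21-1\Software\5cd8f17f4086744065eb0992a09e05a2\[kl]",
     "details": "[ENTER]hello[ENTER]"},
    {"image": r"C:\Users\bob\AppData\Roaming\server.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2",
     "details": r'"C:\Users\bob\AppData\Roaming\server.exe" ..'},
    {"image": r"C:\Program Files\Vendor\App.exe",
     "target": r"HKU\S-1-5-21-1\Software\Vendor\App\Settings",
     "details": "1"},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r"C:\Program Files\Vendor\updater.exe"},
]


@dataclass
class Finding:
    rule: str
    target: str
    image: str


# njRAT keeps its keylogger output in a [kl] entry under
# HKCU\Software\<32 characters and digits> (the per-victim ID). Sysmon logs
# HKCU as HKU\<SID>, so all three spellings of the hive are accepted.
KL_STORE = re.compile(
    r"^(HKCU|HKEY_CURRENT_USER|HKU\\[^\\]+)\\Software\\[a-z0-9]{32}\\\[kl\]$", re.I)

# Any value written under a Run or RunOnce key (assumed autorun location).
RUN_VALUE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)

# First .exe path in the value data, quoted or not (njRAT writes the path
# quoted and followed by " ..", as in the constructed sample above).
EXE_PATH = re.compile(r'"?([a-z]:\\[^"]+?\.exe)', re.I)

# Drop locations from the page (%TEMP%, %APPDATA%, %USERPROFILE% live under
# \Users\, %ALLUSERSPROFILE% is \ProgramData\, service-account %TEMP% is
# \Windows\Temp\). %windir% itself is deliberately left out: legitimate Run
# entries point there all the time and would swamp the heuristic.
USER_WRITABLE_PREFIXES = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")


def user_writable(path: str) -> bool:
    """True if the path (after the drive letter) starts in a user-writable tree."""
    return path[2:].lower().startswith(USER_WRITABLE_PREFIXES)


def scan(events) -> list:
    """Apply both rules to every event and return the findings in event order."""
    findings = []
    for ev in events:
        target, image, details = ev["target"], ev["image"], ev["details"]
        if KL_STORE.match(target):
            findings.append(Finding("njrat_keylog_store", target, image))
        if RUN_VALUE.search(target):
            m = EXE_PATH.search(details)
            if m and user_writable(m.group(1)):
                findings.append(Finding("run_key_user_writable", target, image))
    return findings


def is_njrat(events) -> bool:
    """Only the [kl] store is treated as conclusive; the Run-key rule is context."""
    return any(f.rule == "njrat_keylog_store" for f in scan(events))


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:24} {f.image} -> {f.target}")
    print("njRAT:", is_njrat(SAMPLE_EVENTS))
```

Feeding real Sysmon or sandbox events into scan() only requires mapping their fields onto the three keys used here; the Run-key rule will also fire on unrelated droppers, which is why is_njrat() ignores it when deciding.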

Conclusion

The relative ease of operation, the many tutorials on how to set up this malware and its very extensive information-stealing feature set have made this RAT one of the most popular remote access trojans in the world.

Even though the peak of its activity was recorded in 2014 and targeted mostly the Middle East and India, njRAT remains extremely popular today. This malware is known to have targeted both private and corporate victims and poses a serious danger to internet users, especially since it can be delivered to potential victims in several ways, and preventing infection is much harder in some cases than in others.

Even though Bladabindi's creators have taken several steps to hinder analysis, malware hunting services like ANY.RUN allow professionals to study njRAT samples easily and share the research results with the world to improve global cybersecurity.

IOCs

IP addresses
192.169.69.25
87.117.235.116
46.246.4.81
181.52.109.69
185.198.26.245
46.246.12.71
162.200.139.146
3.19.114.185
81.61.77.92
199.254.238.201
193.161.193.99
181.58.155.117
186.147.55.19
181.58.154.33
199.254.238.216
3.19.3.150
79.134.225.70
199.254.238.196
45.11.19.240
79.134.225.105
Hashes

Domains
qxq.ddns.net
thuocnam.tk
majul.com
m-onetrading-jp.com
krupskaya.com
isns.net
vemvemserver.duckdns.org
duckdns4.duckdns.org
salesxpert.duckdns.org
ipvhosted.duckdns.org
gemalto.duckdns.org
bproduction.duckdns.org
jfcolombia001.duckdns.org
office365update.duckdns.org
kosovo.duckdns.org
codazzixtrem.duckdns.org
mrmarkangel.duckdns.org
anglekeys.duckdns.org
dephantomz.duckdns.org
wiskiriskis1982.duckdns.org
