njRAT

njRAT is a remote access Trojan. It is one of the most widely accessible RATs on the market, and an abundance of educational material exists for it; interested attackers can even find tutorials on YouTube. This has made it one of the most popular RATs in the world.

Type: Trojan
Origin: Middle East
First seen: 1 January, 2013
Last seen: 19 January, 2021
Also known as: Bladabindi, Njw0rm
Global rank: 7
Week rank: 2
Month rank: 2
IOCs: 10532

What is njRAT Malware?

njRAT, also called Bladabindi and Njw0rm, is a remote access trojan that is used to remotely control infected machines. Its availability, the abundance of online tutorials, a robust core feature set and several implemented evasion techniques have made njRAT one of the most widely used RATs in the world.

This malware was detected for the first time in 2013; however, some related RATs had been observed by researchers in 2012. The highest surge of njRAT Trojan attacks was recorded in 2014 in the Middle East, which is the most targeted region for this malware.

General description of njRAT

njRAT trojan is built on .NET framework. This RAT gives hackers the ability to control the victim’s PC remotely. njRAT allows attackers to activate the webcam, log keystrokes and steal passwords from web browsers as well as multiple desktop apps.

In addition, the malware gives hackers access to the command line on the infected machine. It allows them to kill processes as well as remotely execute and manipulate files. On top of that, njRAT is capable of manipulating the system registry. After infection, Bladabindi Trojan collects several bits of information about the PC it got into, including the name of the computer, operating system number, country of the computer, usernames and OS version.

Also, this malware is able to target cryptocurrency wallet applications and steal cryptocurrency from PCs. For example, it is known to be able to grab bitcoins and even access credit card information which sometimes can be stored in crypto apps as a means to purchase cryptocurrency.

After infecting a computer, the malware copies itself under a variable name into %TEMP%, %APPDATA%, %USERPROFILE%, %ALLUSERSPROFILE% or %windir%, a behavior not uncommon for this type of malware. It can also copy itself as <any string>.exe to ensure that it is activated every time the victim switches on their computer.

njRAT trojan has a few tricks up its sleeve to avoid detection by antivirus software. For example, it uses multiple .NET obfuscators to obfuscate its code. Another technique this malware uses is disguising itself as a critical process, which prevents the user from shutting it down and makes njRAT hard to remove from infected PCs. Bladabindi RAT can also deactivate processes that belong to antivirus software, allowing it to stay hidden. njRAT also knows how to detect whether it is running on a virtual machine, which helps the attackers set up countermeasures against researchers.

For spreading, njRAT can detect external hard drives connected via USB. Once such a device is detected, the RAT will copy itself onto the connected drive and create a shortcut.

Who created njRAT?

Creators of njRAT are members of an underground hacker community named Sparclyheason. Evidently, they have created a very popular and destructive malware. njRAT was classified as “severe” by Microsoft Malware Protection Center.

In fact, following a large malicious campaign in 2014, Microsoft shut down four million websites in an effort to filter traffic which was going through no-ip.com domains.

njRAT malware analysis

ANY.RUN allows researchers to watch the njRAT in action in an interactive sandbox simulation.

Figure 1: Displays the lifecycle of njRAT in a visual form as a process graph generated by the ANY.RUN malware hunting service

Figure 2: A customizable text report generated by ANY.RUN allows researchers to take an even deeper look at the malware and helps to share the research results

njRAT execution process

In our simulation, after njRAT got into the target device and began execution it instantly started its malicious activity. Usually, the initial file renames itself and creates a child process. Sometimes njRAT Trojan injects its code into legitimate processes such as RegSvcs.exe and RegAsm.exe.

The malware also has the ability to run itself through Task Scheduler. This child process executes the main malicious activity. Such activity includes stealing information, connecting to C2 servers and changing the autorun value in the registry to run itself when the operating system starts.

Distribution of njRAT

njRAT trojan uses quite a few attack vectors to infect its victims. For example, the malware is known to target Discord users as part of spam campaigns. In addition, it leverages cracks and keygens for well-known software in order to trick users.

Another known distribution method was through a compromised website that tricked users into downloading a fake Adobe product update which in turn installed njRAT malware to the PC. Bladabindi was also featured in spam email campaigns. In this case, it was delivered to potential victims as a malicious attachment.

How to detect NJRAT using ANY.RUN?

To determine whether the sample under review is njRAT or not, you can take a look at the changes that it made in the registry. To do so, open "Advanced details of process" of the malicious process and look at the "Registry changes" tab in the "Events" section. If a process has created a key with the name [kl] into the path HKEY_CURRENT_USER\Software\32_characters_and_digits, you can be sure that the given sample is njRAT.
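The registry indicators described in this section (a key named [kl] created under HKEY_CURRENT_USER\Software\<32 letters and digits>) and in the execution-process section above (the autorun value that points back at the dropped copy) can be checked automatically against a registry-event log. The script below is an added example and is not part of the ANY.RUN page or its product; it parses a constructed, pipe-separated event format ("pid|process|action|path|data") that stands in for an exported "Registry changes" list. The Run-key path it checks is standard Windows autorun knowledge, not something the page states, and the sample events are constructed.

```python
import re
from dataclasses import dataclass

# Marker the page describes: a key named "[kl]" created under
# HKEY_CURRENT_USER\Software\<32 letters and digits>.
KL_KEY_RE = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\[A-Za-z0-9]{32}\\\[kl\]$",
    re.IGNORECASE,
)

# Standard Windows autorun keys. Assumption: the page only says "the autorun
# value in the registry"; the exact key is general Windows knowledge.
RUN_KEY_RE = re.compile(
    r"^HKEY_(?:CURRENT_USER|LOCAL_MACHINE)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\Run\\[^\\]+$",
    re.IGNORECASE,
)

# Drop locations the page lists, both as variables and as their usual
# expanded forms on a Windows host.
DROP_DIR_MARKERS = (
    "%temp%", "%appdata%", "%userprofile%", "%allusersprofile%", "%windir%",
    "\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\programdata\\",
)


@dataclass
class RegistryEvent:
    pid: int
    process: str
    action: str      # "create_key" or "set_value"
    path: str        # full key path; for set_value, key\value_name
    data: str = ""   # value data, empty for create_key


def parse_event(line: str) -> RegistryEvent:
    """Parse one constructed 'pid|process|action|path|data' line."""
    pid, process, action, path, data = line.rstrip("\n").split("|", 4)
    return RegistryEvent(int(pid), process, action, path, data)


def classify(ev: RegistryEvent) -> list:
    """Return the indicator tags a single registry event matches."""
    tags = []
    if ev.action == "create_key" and KL_KEY_RE.match(ev.path):
        tags.append("njrat_kl_key")
    if ev.action == "set_value" and RUN_KEY_RE.match(ev.path):
        tags.append("autorun_set")
        if any(m in ev.data.lower() for m in DROP_DIR_MARKERS):
            tags.append("autorun_from_drop_dir")
    return tags


def scan(lines):
    """Aggregate tags per process: {pid: {"process": name, "tags": set}}."""
    findings = {}
    for line in lines:
        ev = parse_event(line)
        tags = classify(ev)
        if tags:
            entry = findings.setdefault(ev.pid, {"process": ev.process, "tags": set()})
            entry["tags"].update(tags)
    return findings


def is_njrat(findings, pid) -> bool:
    """The page's rule: the [kl] key alone is sufficient to call it njRAT."""
    return "njrat_kl_key" in findings.get(pid, {}).get("tags", set())


# Constructed sample events (the 32-character key name is made up).
SAMPLE_EVENTS = [
    r"3120|server.exe|create_key|HKEY_CURRENT_USER\Software\5cd8f17f4c8d5e0d3c8a0f1b2e3d4a5b\[kl]|",
    r"3120|server.exe|set_value|HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4c8d5e0d3c8a0f1b2e3d4a5b|C:\Users\victim\AppData\Local\Temp\server.exe",
    r"1204|explorer.exe|set_value|HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden|1",
    r"2780|msiexec.exe|set_value|HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray|C:\Program Files\Vendor\tray.exe",
    r"4410|setup.exe|create_key|HKEY_CURRENT_USER\Software\SomeVendor\[kl]|",  # wrong parent key, no match
]

if __name__ == "__main__":
    for pid, info in scan(SAMPLE_EVENTS).items():
        verdict = "njRAT" if is_njrat(scan(SAMPLE_EVENTS), pid) else "review"
        print(f"pid {pid} ({info['process']}): {sorted(info['tags'])} -> {verdict}")
```

Only the [kl] key is treated as conclusive, following the page; an autorun entry pointing into a temp or profile directory is reported separately because legitimate installers occasionally do the same and it needs an analyst's look rather than an automatic verdict.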

Figure 3: Changes made by njRAT in the registry

Conclusion

The relative ease of operation, multiple tutorials on how to set up this malware and very extensive information stealing feature set have made this RAT one of the most popular remote access trojans in the world.

Even though the peak of its activity was recorded in 2014 and targeted mostly the Middle East and India, njRAT Trojan remains extremely popular today. This malware is known to have targeted both private and corporate victims and poses a lot of danger to internet users, especially considering that it can be delivered to potential victims in several ways, and preventing infection is much harder in some cases than in others.

Even though Bladabindi malware creators have taken several steps to hinder analysis, malware hunting services like ANY.RUN allow professionals to easily study njRAT malware samples and share the research results with the world to improve global cybersecurity.

IOCs

IP addresses
193.161.193.99
3.22.53.161
156.218.6.42
45.77.68.17
3.138.180.119
80.82.68.21
185.19.85.159
3.128.107.74
3.131.147.49
3.136.65.236
3.133.207.110
79.134.225.19
3.138.45.170
82.202.167.205
185.63.190.190
13.59.15.185
3.22.15.135
143.176.6.227
3.134.39.220
3.134.125.175
Domains
coodyz.site
data.pendo.io
susur2334.duckdns.org
2.tcp.ngrok.io
marsachant.ddns.net
dashboard.hopto.org
isns.net
4.tcp.ngrok.io
stats2.agilecrm.com
my.clickdesk.com
cswapper.freshcontacts.com
remygeek.ddns.net
mike101.duckdns.org
shellgang.dynu.net
api.bluecore.com
majul.com
javaservices.ddns.net
testingfisting.hopto.org
qatar1.ddns.net
zecookies412.ddns.net
