njRAT

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market, with an abundance of tutorial material available; interested attackers can even find tutorials on YouTube. This has made it one of the most popular RATs in the world.

Type: Trojan
Origin: Middle East
First seen: 1 January, 2013
Last seen: 23 October, 2021
Also known as: Bladabindi, Njw0rm
Global rank: 2
Week rank: 2
Month rank: 2
IOCs: 21745

What is njRAT Malware?

njRAT, also called Bladabindi and Njw0rm, is a remote access trojan used to remotely control infected machines. Its availability, the abundance of online tutorials, a robust core feature set, and several implemented evasion techniques have made njRAT one of the most widely used RATs in the world.

This malware was first detected in 2013; however, some related RATs were observed by researchers in 2012. The highest surge of njRAT trojan attacks was recorded in 2014 in the Middle East, which is the most targeted region for this malware.

General description of njRAT

The njRAT trojan is built on the .NET Framework. This RAT gives hackers the ability to control the victim’s PC remotely: njRAT allows attackers to activate the webcam, log keystrokes, and steal passwords from web browsers as well as multiple desktop applications.

In addition, the malware gives hackers access to the command line on the infected machine. It allows them to kill processes as well as remotely execute and manipulate files. On top of that, njRAT is capable of manipulating the system registry. Once it has infected a PC, the Bladabindi trojan collects several bits of information about it, including the computer name, the operating system number, the computer's country, usernames, and the OS version.

This malware is also able to target cryptocurrency wallet applications and steal cryptocurrency from PCs. For example, it is known to grab bitcoins and even access credit card information, which is sometimes stored in crypto apps as a means to purchase cryptocurrency.

After infecting a computer, the malware copies itself under a variable name into %TEMP%, %APPDATA%, %USERPROFILE%, %ALLUSERSPROFILE% or %windir%, a behavior not uncommon for this type of malware. It can also copy itself as <any string>.exe to ensure that it is activated every time the victim switches on their computer.

The njRAT trojan has a few tricks up its sleeve to avoid detection by antivirus software. For example, it uses multiple .NET obfuscators to obfuscate its code. Another technique the malware uses is disguising itself as a critical process, which prevents the user from shutting it down and makes njRAT hard to remove from infected PCs. The Bladabindi RAT can also terminate processes that belong to antivirus software, allowing it to stay hidden. njRAT also knows how to detect whether it is running on a virtual machine, which helps the attackers set up countermeasures against researchers.

The authors of Bladabindi leverage Pastebin to avoid investigation by cybersecurity researchers: njRAT downloads additional components and executes second-stage payloads from Pastebin, so the malware has no need to establish a traditional command-and-control (C2) server. Pastebin thus creates a pathway between njRAT infections and new payloads. With the trojan acting as a downloader, it grabs encoded data dumped on Pastebin, decodes it, and deploys it.

For spreading, njRAT can detect external hard drives connected via USB. Once such a device is detected, the RAT copies itself onto the connected drive and creates a shortcut.

Who created njRAT?

The creators of njRAT are members of an underground hacker community named Sparclyheason. Evidently, they have created a very popular and destructive piece of malware. njRAT was classified as “severe” by the Microsoft Malware Protection Center.

In fact, following a large malicious campaign in 2014, Microsoft shut down four million websites in an effort to filter the traffic that was going through no-ip.com domains.

njRAT malware analysis

ANY.RUN allows researchers to watch njRAT in action in an interactive sandbox simulation.

Figure 1: The lifecycle of njRAT displayed as a process graph generated by the ANY.RUN malware hunting service

Figure 2: A customizable text report generated by ANY.RUN allows an even deeper look at the malware and helps to share the research results

njRAT execution process

In our simulation, after njRAT got onto the target device and began execution, it instantly started its malicious activity. Usually, the initial file renames itself and creates a child process. Sometimes the njRAT trojan injects its code into legitimate processes such as RegSvcs.exe and RegAsm.exe.

The malware can also run itself through the Task Scheduler. The child process carries out the main malicious activity, which includes stealing information, connecting to C2 servers, and changing the autorun value in the registry so that the malware runs when the operating system starts.

Distribution of njRAT

The njRAT trojan uses quite a few attack vectors to infect its victims. For example, the malware is known to target Discord users as part of spam campaigns. In addition, it leverages cracks and keygens for well-known software to trick users into installing malicious packages that infect the machine.

Another known distribution method was a compromised website that tricked users into downloading a fake Adobe product update, which in turn installed the njRAT malware on the PC. Bladabindi has also featured in spam email campaigns, in which it was delivered to potential victims as a malicious attachment.

In October 2020, spam mailings used a 'shipment tracking' theme, faking popular courier and postal services. The malicious messages carried Zip attachments containing an encoded Visual Basic script (VBE) payload and its components.

Moreover, criminals increasingly use cloud-based storage platforms. Attackers host malicious files there to deliver malware, and even use them as part of a command and control (C&C) architecture.

How to detect njRAT using ANY.RUN?

To determine whether the sample under review is njRAT, take a look at the changes it made to the registry. To do so, open the "Advanced details of process" view for the malicious process and look at the "Registry changes" tab in the "Events" section. If the process has created a key named [kl] under the path HKEY_CURRENT_USER\Software\32_characters_and_digits, you can be sure that the given sample is njRAT.

Figure 3: Changes made by njRAT in the registry
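The registry indicator described in this section, together with the autorun change mentioned in the execution-process section, can be turned into a small host-based detector. The following is an added example written for this page; it is not ANY.RUN's code and does not use ANY.RUN's report format. It assumes registry events exported as simple "pid|process_path|operation|key_path" lines (a constructed layout), treats "32 characters and digits" as 32 letters or digits, and uses a made-up 32-character key name in its sample data. A [kl] key directly under HKCU\Software\<32 chars> yields an njRAT verdict on its own, as the text states; an autorun value written by a process running from one of the user-writable drop locations the page lists (%TEMP%, %APPDATA%, %USERPROFILE%, %ALLUSERSPROFILE%) is only reported as suspicious.

```python
import re
from dataclasses import dataclass

# Constructed registry-event lines in a simple "pid|process_path|operation|key_path"
# layout. This is NOT ANY.RUN's report format, only a stand-in for what the
# "Registry changes" tab shows. The 32-character key name below is made up.
SAMPLE_EVENTS = [
    "4120|C:\\Users\\victim\\AppData\\Roaming\\server.exe|create_key|"
    "HKEY_CURRENT_USER\\Software\\5cd8f2a0b9e3c6d1a4f7b2e5c8d1f4a7",
    "4120|C:\\Users\\victim\\AppData\\Roaming\\server.exe|create_key|"
    "HKEY_CURRENT_USER\\Software\\5cd8f2a0b9e3c6d1a4f7b2e5c8d1f4a7\\[kl]",
    "4120|C:\\Users\\victim\\AppData\\Roaming\\server.exe|set_value|"
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\5cd8f2a0b9e3c6d1a4f7b2e5c8d1f4a7",
    "1880|C:\\Program Files\\Mozilla Firefox\\firefox.exe|create_key|"
    "HKEY_CURRENT_USER\\Software\\Mozilla\\Firefox",
    "2200|C:\\Windows\\explorer.exe|set_value|"
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
]

# High-confidence indicator from the page: a key named [kl] directly under
# HKCU\Software\<32 characters>. "Letters or digits" is our reading of
# "32_characters_and_digits".
KL_KEY = re.compile(r"^HKEY_CURRENT_USER\\Software\\[0-9A-Za-z]{32}\\\[kl\]$", re.IGNORECASE)
# Autorun value writes ("changing the autorun value in the registry").
RUN_KEY = re.compile(r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
                     re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    process: str
    rule: str
    key: str


def is_user_writable(path: str) -> bool:
    """True for the drop locations the page lists that an ordinary user can write to
    (%TEMP%, %APPDATA%, %USERPROFILE%, %ALLUSERSPROFILE%). %windir% is deliberately
    left out so that OS binaries do not trip the autorun rule."""
    p = path.lower()
    return ("\\appdata\\" in p or "\\temp\\" in p
            or p.startswith("c:\\users\\") or p.startswith("c:\\programdata\\"))


def parse_event(line: str):
    pid, process, operation, key = line.split("|", 3)
    return int(pid), process, operation, key


def classify(events):
    """Apply both rules to every event and return the matching findings in order."""
    findings = []
    for line in events:
        pid, process, operation, key = parse_event(line)
        if operation == "create_key" and KL_KEY.match(key):
            findings.append(Finding(pid, process, "njrat_kl_key", key))
        elif operation == "set_value" and RUN_KEY.match(key) and is_user_writable(process):
            findings.append(Finding(pid, process, "autorun_from_user_dir", key))
    return findings


def verdicts(events):
    """Collapse findings per process: the [kl] key alone is enough for an njRAT
    verdict; an autorun write from a user-writable directory is only suspicious."""
    rules_by_pid = {}
    for f in classify(events):
        rules_by_pid.setdefault(f.pid, set()).add(f.rule)
    return {pid: ("njRAT" if "njrat_kl_key" in rules else "suspicious")
            for pid, rules in rules_by_pid.items()}


if __name__ == "__main__":
    for f in classify(SAMPLE_EVENTS):
        print(f"pid {f.pid} {f.rule}: {f.key}")
    print(verdicts(SAMPLE_EVENTS))
```

On the sample data, pid 4120 is flagged by both rules and gets the njRAT verdict, while the Firefox and Explorer events produce nothing. The autorun rule on its own is noisy by design (any installer dropped into AppData would trip it), which is why it only raises "suspicious" and the [kl] key is the one that confirms the family.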

Conclusion

The relative ease of operation, multiple tutorials on how to set up this malware, and a very extensive information-stealing feature set have made this RAT one of the most popular remote access trojans in the world.

Even though the peak of its activity was recorded in 2014 and targeted mostly the Middle East and India, the njRAT trojan remains extremely popular today. This malware is known to have targeted both private and corporate victims and poses a lot of danger to internet users, especially considering that it can be delivered to potential victims in several ways, and preventing infection is much harder in some cases than in others.

Even though the Bladabindi malware creators have taken several steps to hinder analysis, malware hunting services like ANY.RUN allow professionals to easily study njRAT malware samples and share the research results with the world to improve global cybersecurity.

IOCs

IP addresses
3.140.223.7
206.81.28.165
104.248.133.59
165.227.31.192
3.22.30.40
3.134.125.175
3.13.191.225
3.134.39.220
47.63.150.250
3.142.167.54
3.142.167.4
13.59.15.185
3.142.129.56
3.22.53.161
3.138.45.170
52.14.18.129
3.131.207.170
3.129.187.220
3.133.207.110
Hashes

Domains
6.tcp.ngrok.io
isns.net
svalkagovna228.hopto.org
fevertox.duckdns.org
focused-fog-74469.pktriot.net
us-west-11608.packetriot.net
lucid-haze-60556.pktriot.net
3956-2401-4900-1212-9889-85f1-f6cb-5874-cd0b.ngrok.io
c61b-107-161-81-158.ngrok.io
eb27-2409-4064-4e05-c76d-2451-9fc1-f981-84f2.ngrok.io
0f70-34-121-202-111.ngrok.io
221a-34-134-220-19.ngrok.io
rusbje.ngrok.io
e7b9-2409-4064-4e1d-a3e5-6d28-b762-b15b-f780.ngrok.io
cc6a-14-102-21-201.ngrok.io
eaed-45-153-160-138.ngrok.io
8a44f9c.ngrok.io
086d-152-32-98-6.ngrok.io
fb2f86b476ec.ngrok.io
2002a5-192-145-164-6.ngrok.io
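The IOC list above only becomes useful once it is matched against telemetry. The following is an added example written for this page, not ANY.RUN's code: it takes a subset of the page's domain and IP indicators and runs them over constructed DNS-query and outbound-connection log lines. It also flags any hostname under the tunnel and dynamic-DNS suffixes that dominate the list (ngrok.io, duckdns.org, hopto.org, pktriot.net, packetriot.net) as a triage lead rather than a verdict, since those services have many legitimate users and the exact hostnames rotate quickly. The log format, the sample lines and the a1b2c3d4.ngrok.io hostname are assumptions.

```python
import re

# Indicators copied from the IOC section of this page (a subset).
IOC_DOMAINS = {
    "6.tcp.ngrok.io", "fevertox.duckdns.org",
    "svalkagovna228.hopto.org", "focused-fog-74469.pktriot.net",
}
IOC_IPS = {"3.140.223.7", "206.81.28.165", "104.248.133.59", "165.227.31.192"}

# Tunnel and dynamic-DNS suffixes that dominate the page's domain list. A hit
# here is a triage lead, not a verdict: these services have many legitimate users.
WATCH_SUFFIXES = ("ngrok.io", "duckdns.org", "hopto.org", "pktriot.net", "packetriot.net")

# Constructed DNS-query and outbound-connection log lines (not real telemetry).
# The ngrok hostname on the last line is made up.
SAMPLE_LOG = [
    "2021-10-23T10:15:02Z src=10.0.0.15 dns query=fevertox.duckdns.org",
    "2021-10-23T10:15:03Z src=10.0.0.15 conn dst=165.227.31.192:443",
    "2021-10-23T10:16:40Z src=10.0.0.21 dns query=www.example.com",
    "2021-10-23T10:17:11Z src=10.0.0.21 conn dst=93.184.216.34:443",
    "2021-10-23T10:18:05Z src=10.0.0.33 dns query=a1b2c3d4.ngrok.io.",
]

QUERY = re.compile(r"\bquery=(\S+)")
DST = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3}):\d+")


def normalize_domain(domain: str) -> str:
    """Lower-case and drop a trailing dot so FQDN and relative forms compare equal."""
    return domain.lower().rstrip(".")


def classify_domain(domain: str):
    """Exact IOC match beats the suffix heuristic; None means no interest."""
    d = normalize_domain(domain)
    if d in IOC_DOMAINS:
        return "known_njrat_ioc"
    if any(d == s or d.endswith("." + s) for s in WATCH_SUFFIXES):
        return "tunnel_or_dyndns"
    return None


def classify_ip(ip: str):
    return "known_njrat_ioc" if ip in IOC_IPS else None


def scan(lines):
    """Return (line_index, indicator, reason) for every line that matches."""
    hits = []
    for i, line in enumerate(lines):
        m = QUERY.search(line)
        if m:
            reason = classify_domain(m.group(1))
            if reason:
                hits.append((i, normalize_domain(m.group(1)), reason))
        m = DST.search(line)
        if m:
            reason = classify_ip(m.group(1))
            if reason:
                hits.append((i, m.group(1), reason))
    return hits


if __name__ == "__main__":
    for index, indicator, reason in scan(SAMPLE_LOG):
        print(f"line {index}: {indicator} -> {reason}")
```

The suffix heuristic is what keeps this useful after the listed hostnames go stale: the ngrok, DuckDNS, No-IP (hopto.org) and Packetriot names in the list are all rented or free endpoints that an operator can replace in minutes, whereas the habit of tunnelling the C2 through such services changes much more slowly. Treat a "tunnel_or_dyndns" hit as a reason to look at the host, not as an alert on its own.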
