njRAT

njRAT, also called Bladabindi and Njw0rm, is a remote access trojan used to remotely control infected machines. Its availability, the abundance of online tutorials, a robust core feature set and several built-in evasion techniques have made njRAT one of the most widely used RATs in the world.

  • Type
    Trojan
  • Origin
    Middle East
  • First seen
    1 January, 2013
  • Last seen
    22 November, 2019
  • Also known as
    Bladabindi, Njw0rm
  • Global rank
    13
  • Week rank
    7
  • Month rank
    9
  • IOCs
    1675

What is njRAT Malware?


This malware was first detected in 2013, although researchers had already observed related RATs in 2012. The highest surge of njRAT attacks was recorded in 2014 in the Middle East, which is the most heavily targeted region for this malware.

General description of njRAT

njRAT is built on the .NET Framework. It gives attackers the ability to control the victim's PC remotely: activating the webcam, logging keystrokes and stealing passwords from web browsers as well as from multiple desktop applications.

In addition, the malware gives attackers access to the command line on the infected machine. It can kill processes and remotely execute and manipulate files. On top of that, njRAT is capable of manipulating the system registry. Once it has infected a machine, the Bladabindi trojan collects several pieces of information about it, including the computer name, operating system number, the computer's country, usernames and the OS version.

This malware can also target cryptocurrency wallet applications and steal cryptocurrency from PCs. For example, it is known to grab bitcoins and even access credit card information, which is sometimes stored in crypto apps as a means of purchasing cryptocurrency.

After infecting a computer, the malware uses a variable name and copies itself into %TEMP%, %APPDATA%, %USERPROFILE%, %ALLUSERSPROFILE% or %windir%, behaviour that is not uncommon for this type of malware. It can also copy itself as <any string>.exe to ensure that it is activated every time the victim switches on their computer.

njRAT has a few tricks up its sleeve to avoid detection by antivirus software. For example, it uses multiple .NET obfuscators to obscure its code. Another technique is disguising itself as a critical process, which prevents the user from shutting it down and makes njRAT hard to remove from infected PCs. Bladabindi can also terminate processes that belong to antivirus software, allowing it to stay hidden. njRAT also knows how to detect whether it is running on a virtual machine, which helps the attackers set up countermeasures against researchers.

For spreading, njRAT can detect external drives connected via USB. Once such a device is detected, the RAT copies itself onto the connected drive and creates a shortcut.

Who created njRAT?

The creators of njRAT are members of an underground hacker community named Sparclyheason. Evidently, they have created a very popular and destructive piece of malware. njRAT was classified as “severe” by the Microsoft Malware Protection Center.

In fact, following a large malicious campaign in 2014, Microsoft shut down four million websites in an effort to filter traffic going through no-ip.com domains.

Interactive analysis of njRAT

ANY.RUN allows researchers to watch njRAT in action in an interactive sandbox simulation.

Figure 1: The lifecycle of njRAT shown as a process graph generated by the ANY.RUN malware hunting service

Figure 2: A customizable text report generated by ANY.RUN allows an even deeper look at the malware and helps to share the research results

njRAT execution process

In our simulation, after njRAT got onto the target device and began execution, it instantly started its malicious activity. Usually, the initial file renames itself and creates a child process. Sometimes njRAT injects its code into legitimate processes such as RegSvcs.exe.

The malware can also run itself through Task Scheduler. The child process carries out the main malicious activity: stealing information, connecting to C2 servers and changing the autorun value in the registry so that the malware runs when the operating system starts.

Distribution of njRAT

njRAT uses quite a few attack vectors to infect its victims. For example, the malware is known to target Discord users as part of spam campaigns. It also leverages cracks and keygens for well-known software in order to trick users.

Another known distribution method was a compromised website that tricked users into downloading a fake Adobe product update, which in turn installed njRAT on the PC. Bladabindi has also featured in spam email campaigns, delivered to potential victims as a malicious attachment.

How to detect njRAT using ANY.RUN?

To determine whether the sample under review is njRAT, look at the changes it made in the registry. To do so, open "Advanced details of process" for the malicious process and look at the "Registry changes" tab in the "Events" section. If the process has created a key named [kl] under the path HKEY_CURRENT_USER\Software\32_characters_and_digits, you can be sure that the given sample is njRAT.
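The two registry indicators described on this page, the [kl] key under HKEY_CURRENT_USER\Software\<32 characters and digits> and the autorun value that launches a copy dropped into a user-writable directory, can be checked mechanically once the "Registry changes" events are exported. The Python below is an added example, not ANY.RUN's code or anything shipped with the service. It assumes a hypothetical event shape of (operation, key path, value or subkey name, data); the 32-character key name and the file paths in the sample events are constructed.

```python
import re
from typing import Iterable, List, Tuple

# One registry event as a sandbox "Registry changes" tab might list it:
# (operation, key path, value or subkey name, data). This shape is an assumption.
Event = Tuple[str, str, str, str]

# njRAT indicator from the page: a key named [kl] created under
# HKEY_CURRENT_USER\Software\<exactly 32 letters and digits>.
NJRAT_KL_PATH = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\[A-Za-z0-9]{32}\\\[kl\]$", re.IGNORECASE
)

# Autorun locations to watch for the persistence change the page describes.
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}

# Directories the page says njRAT copies itself into, plus their expanded forms.
USER_WRITABLE_MARKERS = (
    "%temp%", "%appdata%", "%userprofile%", "%allusersprofile%",
    "\\temp\\", "\\appdata\\", "\\users\\", "\\programdata\\",
)


def is_njrat_kl_event(op: str, path: str, name: str) -> bool:
    """True when a [kl] key is created directly under HKCU\\Software\\<32 chars>.

    The [kl] component may be reported as the last path element or in the name
    column, so both are joined into one full path before matching."""
    if op.lower() != "create":
        return False
    full = path if name == "" else f"{path}\\{name}"
    return NJRAT_KL_PATH.match(full) is not None


def is_autorun_from_user_dir(op: str, path: str, data: str) -> bool:
    """True when a Run-key value is written whose command points into a
    user-writable directory, i.e. the locations njRAT drops its copy into."""
    if op.lower() not in ("create", "write"):
        return False
    if path.lower() not in RUN_KEYS:
        return False
    target = data.lower()
    return any(marker in target for marker in USER_WRITABLE_MARKERS)


def classify_events(events: Iterable[Event]) -> List[Tuple[str, Event]]:
    """Return (indicator, event) pairs for every event that matches a check."""
    hits: List[Tuple[str, Event]] = []
    for ev in events:
        op, path, name, data = ev
        if is_njrat_kl_event(op, path, name):
            hits.append(("njrat_kl_key", ev))
        elif is_autorun_from_user_dir(op, path, data):
            hits.append(("autorun_from_user_dir", ev))
    return hits


# Constructed sample events so the script runs offline; the 32-character key
# name and every file path here are made up, not taken from a real report.
SAMPLE_EVENTS: List[Event] = [
    ("create", r"HKEY_CURRENT_USER\Software\5cd8f17f4086744065eb0992a09e05a2", "[kl]", ""),
    ("write", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "svchost", r"C:\Users\alice\AppData\Roaming\svchost.exe"),
    ("write", r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "Updater", r"C:\Program Files\Example Vendor\updater.exe"),
    ("create", r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0", "", ""),
    # A [kl] key alone is not enough: the 32-character parent key is required.
    ("create", r"HKEY_CURRENT_USER\Software\abc", "[kl]", ""),
]

if __name__ == "__main__":
    for indicator, (op, path, name, data) in classify_events(SAMPLE_EVENTS):
        print(f"{indicator}: {op} {path}\\{name} {data}".rstrip())
```

The [kl] check is deliberately strict (exactly 32 alphanumerics, no deeper nesting) so that it stays specific to the behaviour the page describes; the Run-key check is the generic companion and will also fire on unrelated malware that persists from %APPDATA% or %TEMP%, which is why the two are reported under separate indicator names.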

Figure 3: Changes made by njRAT in the registry

Conclusion

The relative ease of operation, the many tutorials on how to set up this malware and a very extensive information-stealing feature set have made this RAT one of the most popular remote access trojans in the world.

Even though its peak activity was recorded in 2014 and targeted mostly the Middle East and India, njRAT remains extremely popular today. This malware is known to have targeted both private and corporate victims and poses a great deal of danger to internet users, especially since it can be delivered to potential victims in several ways, and preventing infection is much harder in some cases than in others.

Even though the Bladabindi creators have taken several steps to hinder analysis, malware hunting services like ANY.RUN allow professionals to easily study njRAT samples and share their research results with the world to improve global cybersecurity.

IOCs

IP addresses
186.82.241.203
192.169.69.25
18.223.41.243
3.19.3.150
92.240.245.174
185.140.53.85
181.58.132.31
181.58.154.33
85.214.28.174
3.17.202.129
103.139.45.248
79.134.225.85
3.19.114.185
79.134.225.105
79.134.225.70
193.161.193.99
87.117.235.116
79.134.225.73
89.132.106.28
199.195.250.222
Hashes

Domains
log.ncaudienceexchange.com
majul.com
cswapper.freshcontacts.com
xserver.mr-alex.be
isns.net
cayenasserver.duckdns.org
becerrilserver.duckdns.org
www.evite.com
tracking.reactful.com
visitor.reactful.com
app.raaft.io
elx01.knas.systems
my.clickdesk.com
static.leadpages.net
duckdns4.duckdns.org
salesxpert.duckdns.org
ipvhosted.duckdns.org
gemalto.duckdns.org
jfcolombia001.duckdns.org
office365update.duckdns.org
