dl padmavathi
Apr 16, 2018

njRAT

In brief, what is njRAT?

njRAT is a remote access trojan. Once it reaches and infects an endpoint, the attacker has full control over the victim system, and from there can scan other systems on the victim's network and try to infect them as well.

Once the malware on the victim computer connects to the C2 server, the attacker can use the njRAT GUI to perform functions such as file management, file execution, remote cam and remote desktop, process management, keylogging, password retrieval, and building new clients.

To build a new client for use in attack campaigns, the attacker uses the builder GUI. The builder lets the attacker configure details such as the C2 node IP and port, the malware icon, the client name, and whether the client spreads via USB.

There are many variants of njRAT.

A basic example of one variant, with MD5 hash 1d3baedd747f6f9bf92c81eb9f63b34b and filename Authorization.exe:

When the above malware is executed, it:

  • Creates a copy of itself in the following locations:
      • %APPDATA%\msnco.exe
      • C:\Documents and Settings\%USERNAME%\StartMenu\Programs\Startup\b6554e5bcfef391ff7a7ffda58092e10.exe
  • Opens the file [CWD]\Authorization.exe.config
  • Adds the following registry values for persistence:
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\b6554e5bcfef391ff7a7ffda58092e10
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\b6554e5bcfef391ff7a7ffda58092e10
  • Modifies the registry as follows to bypass the Windows Firewall:
      • Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\[%APPDATA%]\msnco.exe
      • Value: [%APPDATA%]\msnco.exe:*Enabled:msnco.exe
  • Beacons to the C2 node 217.66.231.245 over TCP port 1177

To make sure the malware runs at system start-up, the attacker places a second copy in the folder below.

C:\Documents and Settings\%USERNAME%\StartMenu\Programs\Startup\b6554e5bcfef391ff7a7ffda58092e10.exe
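As an added example (not the author's tooling), the following Python triage check flags the persistence artefacts listed above when run over a snapshot of Run-key values and firewall AuthorizedApplications entries. The snapshot is constructed for illustration and nothing here reads a live registry; the firewall value layout `<path>:<scope>:<state>:<display name>` is an assumption, with the three-part form quoted in the post accepted too.

```python
import os
import re

# Added example, not the post's own tooling: a triage check for the njRAT
# persistence artefacts described above. The snapshot below is constructed;
# nothing here reads a live registry.

# Run values named like an MD5 hash (the sample uses b6554e5bcfef391ff7a7ffda58092e10)
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
# Autostart binaries living in user-writable locations (%APPDATA%, Startup folder, %TEMP%)
USER_WRITABLE = re.compile(r"%APPDATA%|\\Application Data\\|\\Startup\\|%TEMP%", re.IGNORECASE)


def is_hash_named(name: str) -> bool:
    """True if a value or file name (minus extension) is 32 hex digits."""
    stem = os.path.splitext(name)[0]
    return bool(HEX32.match(stem))


def parse_firewall_entry(value: str) -> dict:
    """Parse an AuthorizedApplications\\List value into path, name and state.

    Assumed layout: "<path>:<scope>:<state>:<display name>". Splitting from the
    right keeps the drive-letter colon inside the path, and the three-part form
    quoted in the post ("<path>:*Enabled:<name>") is accepted as well.
    """
    parts = value.rsplit(":", 3)
    if len(parts) < 3:
        return {"path": value, "name": "", "enabled": False}
    return {
        "path": parts[0],
        "name": parts[-1],
        "enabled": any(p.endswith("Enabled") for p in parts[1:-1]),
    }


def triage(run_entries, firewall_entries):
    """Return (location, value name, reasons) for entries matching the njRAT pattern."""
    findings = []
    for key, name, command in run_entries:
        reasons = []
        if is_hash_named(name):
            reasons.append("Run value named like an MD5 hash")
        if USER_WRITABLE.search(command):
            reasons.append("autostart binary in a user-writable location")
        if reasons:
            findings.append((key, name, reasons))
    for value in firewall_entries:
        entry = parse_firewall_entry(value)
        if entry["enabled"] and USER_WRITABLE.search(entry["path"]):
            findings.append(("FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List",
                             entry["name"],
                             ["firewall exception for a binary in a user-writable location"]))
    return findings


# Constructed snapshot: entries modelled on the post's indicators plus one benign entry each.
RUN_ENTRIES = [
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "b6554e5bcfef391ff7a7ffda58092e10",
     "C:\\Documents and Settings\\user\\Application Data\\msnco.exe"),
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "b6554e5bcfef391ff7a7ffda58092e10",
     "%APPDATA%\\msnco.exe"),
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "ExampleUpdater",
     "C:\\Program Files\\Example\\updater.exe"),
]
FIREWALL_ENTRIES = [
    "%APPDATA%\\msnco.exe:*:Enabled:msnco.exe",
    "C:\\Program Files\\Example\\updater.exe:*:Enabled:Example Updater",
]

if __name__ == "__main__":
    for key, name, reasons in triage(RUN_ENTRIES, FIREWALL_ENTRIES):
        print(f"{key}\\{name}: {'; '.join(reasons)}")
```

On a real host the same two lists would come from a registry export or an EDR snapshot; the check is deliberately pattern-based (hash-like value names, autostart binaries under %APPDATA% or the Startup folder, firewall exceptions for such binaries) rather than tied to the one filename msnco.exe, since other variants use different names.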

How is the user tricked into executing the malware? The attacker gives the malware an icon that makes it look like an MS Word or PDF file. A little social engineering helps here: learning which applications the victim uses most often tells the attacker which icon to imitate.

Once the malware is installed and connected to the C2 node, it sends information about the victim's system and its open windows, and a session for the victim is opened in the GUI on the server.

Below is a sample of the network traffic observed:

The strings "FM|'|'|" and "nd|'|'|" indicate that the C2 issued commands related to the File Manager and to creating a new directory. The victim's IP is 217.66.231.100 and the port used is 1264.

FM|'|'|217.66.231.100:1264|'|'|~[endof]~[endof]FM|'|'|217.66.231.100:1264|'|'|!|'|'|QzpcO0ZpeGVk|'|'|QzpcRG9jdW1lbnRzIGFuZCBTZXR0aW5nc1xFeGFtaW5lclxEZXNrdG9wXDs=|'|'|QzpcRG9jdW1lbnRzIGFuZCBTZXR0aW5nc1xFeGFtaW5lclxNeSBEb2N1bWVudHNcOw==|'|'|QzpcRG9jdW1lbnRzIGFuZCBTZXR0aW5nc1xFeGFtaW5lclw7|'|'|QzpcRG9jdW1lbnRzIGFuZCBTZXR0aW5nc1xFeGFtaW5lclxTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXBcOw==|'|'|QzpcUHJvZ3JhbSBGaWxlc1w7|'|'|XDs=|'|'|QzpcV0lORE9XU1w7|'|'|QzpcV0lORE9XU1xzeXN0ZW0zMlw7|'|'|QzpcRG9jdW1lbnRzIGFuZCBTZXR0aW5nc1xFeGFtaW5lclxBcHBsaWNhdGlvbiBEYXRhXDs=|'|'|QzpcRE9DVU1FfjFcRXhhbWluZXJcTE9DQUxTfjFcVGVtcFw7[endof]!|'|'|Qzpc[endof]FM|'|'|217.66.231.100:1264|'|'|@|'|'|Qzpc|'|'|RG9jdW1lbnRzIGFuZCBTZXR0aW5ncw==;TGli;TVNPQ2FjaGU=;UERGU3RyZWFtRHVtcGVy;UGVybA==;UHJvZ3JhbSBGaWxlcw==;UHl0aG9uMjU=;UHl0aG9uMjY=;UHl0aG9uMjc=;UkVDWUNMRVI=;UnVieTE5Mw==;U3lzdGVtIFZvbHVtZSBJbmZvcm1hdGlvbg==;dGxz;V0lORE9XUw==;ezkzNjI4OTA2LUE2QUItNENFNC1BQzhCLUI0MkYwRThCRTc5N30=;[endof]@|'|'|Qzpc[endof]FM|'|'|217.66.231.100:1264|'|'|#|'|'|Qzpc|'|'|LnJuZDsxMDI0;QVVUT0VYRUMuQkFUOzA=;Ym9vdC5pbmk7MjEx;Q09ORklHLlNZUzsw;SU8uU1lTOzA=;TVNET1MuU1lTOzA=;TlRERVRFQ1QuQ09NOzQ3NTY0;bnRsZHI7MjUwMDMy;cGFnZWZpbGUuc3lzOzgwNTMwNjM2OA==;VklSVFBBUlQuREFUOzI1MTY1ODI0;[endof]P[endof]P[endof]P[endof]P[endof]nd|'|'|QzpcbmpSQVRfRGlyZWN0b3J5X0NyZWF0ZWQ=[endof]

Like the "FM|'|'|" prefix above, other activities are marked by their own strings:

  • Run file:
      • "rn|'|'|"
  • Remote desktop window:
      • "sc~|'|'|"
      • "scpk|'|'|"
  • Remote cam window:
      • "CAM|'|'|"
      • "USB Video Device[endof]"
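The capture above and the command strings listed here share one framing: a command prefix, fields separated by |'|'|, paths and names base64-encoded, and [endof] closing each message. As an added example that is not part of the original post, the following Python decoder splits such a stream into messages, decodes the fields, and flags the traffic as njRAT when a known command prefix appears. The bare P[endof] frames in the capture are treated as keep-alives, which is an assumption; the sample input is a trimmed excerpt of the capture quoted above, constructed for the example.

```python
import base64
import binascii

# Added example, not the author's tooling: a decoder for the njRAT C2 framing
# seen in the capture. Command prefixes are the ones the post lists; "P" is
# assumed to be a keep-alive because those frames carry no fields.
DELIM = "|'|'|"      # field separator
EOM = "[endof]"      # message terminator

KNOWN_COMMANDS = {
    "FM": "file manager",
    "nd": "new directory",
    "rn": "run file",
    "sc~": "remote desktop",
    "scpk": "remote desktop",
    "CAM": "remote cam",
    "P": "keep-alive (assumed)",
}


def split_messages(stream: str) -> list:
    """Split a reassembled TCP payload into individual messages on [endof]."""
    return [m for m in stream.split(EOM) if m]


def decode_field(field: str) -> str:
    """Return the base64-decoded text of a field, or the field itself if it is not base64 text."""
    try:
        raw = base64.b64decode(field, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return field
    return text if text.isprintable() else field


def parse_message(msg: str) -> dict:
    """Split one message into its command prefix and decoded fields.

    A field containing ';' is a listing: each element is base64 on its own,
    and file entries decode to "name;size" (e.g. "boot.ini;211").
    """
    fields = msg.split(DELIM)
    cmd = fields[0]
    decoded = []
    for f in fields[1:]:
        if ";" in f:
            decoded.append([decode_field(x) for x in f.split(";") if x])
        else:
            decoded.append(decode_field(f))
    return {"cmd": cmd, "kind": KNOWN_COMMANDS.get(cmd, "unknown"), "fields": decoded}


def looks_like_njrat(stream: str) -> bool:
    """Heuristic detector: njRAT framing plus at least one known command prefix."""
    if DELIM not in stream or EOM not in stream:
        return False
    return any(parse_message(m)["cmd"] in KNOWN_COMMANDS for m in split_messages(stream))


# Constructed sample: a trimmed excerpt of the capture quoted in the post.
SAMPLE = (
    "FM|'|'|217.66.231.100:1264|'|'|~[endof]"
    "FM|'|'|217.66.231.100:1264|'|'|!|'|'|QzpcO0ZpeGVk|'|'|"
    "QzpcUHJvZ3JhbSBGaWxlc1w7|'|'|QzpcV0lORE9XU1w7[endof]"
    "FM|'|'|217.66.231.100:1264|'|'|#|'|'|Qzpc|'|'|"
    "LnJuZDsxMDI0;Ym9vdC5pbmk7MjEx;TlRERVRFQ1QuQ09NOzQ3NTY0;[endof]"
    "P[endof]P[endof]"
    "nd|'|'|QzpcbmpSQVRfRGlyZWN0b3J5X0NyZWF0ZWQ=[endof]"
)

if __name__ == "__main__":
    print("njRAT framing detected:", looks_like_njrat(SAMPLE))
    for m in split_messages(SAMPLE):
        p = parse_message(m)
        print(f"{p['cmd']:<5} {p['kind']:<22} {p['fields']}")
```

Run against the sample, the decoder recovers the drive list (C:\;Fixed), the directory roots and the root-directory file listing with sizes, and the "nd" message decodes to C:\njRAT_Directory_Created, which matches the "new directory" command the post attributes to it. For a network sensor the useful part is looks_like_njrat(): the |'|'| delimiter together with [endof] and a known prefix is a far more specific signature than the port number alone, since port 1177 is only the builder default and is configurable.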

I go by Padma. I am a security enthusiast. This blog contains security-related and some general stuff. E-mail: pduggire@gmu.edu