njRAT Malware (Remote Access Trojan) Analysis 2024

njRAT Malware

March 08, 2024

In the malware world, being an old-timer is not a disadvantage. Being able to keep up for years in such a variable environment says a lot about the flexibility of the threat and the foresight of its developers. njRAT keeps stomping the world for over a decade – and is not likely to stop.

njRAT is a remote-access trojan active since 2012. Despite its age, it remains among top-10 most widespread threats (exactly, #8) and keeps getting updates, which adjust its capabilities to modern trends. It is best known for its spreading campaigns that aimed at users of popular messengers and social media, like Facebook or Discord. Additionally, it can perform self-spreading by infecting USB drives plugged in an infected computer.

njRAT Activity Over the Last 2 Month

Key functionality of njRAT touches, obviously, providing remote access. The malware is able to execute remote shell commands, upload and download files, capture screenshots and keystrokes, and even access the camera/microphone. There are also some stealer-like functionality – njRAT can grab credentials from web browsers and desktop cryptocurrency apps.

Throughout its long activity history, njRAT was associated with a whole lineup of different threat actors. For instance, it was in a particular favuor of Middle Eastern and Asian threat actors – particularly APT41 (China) and APT36 (Pakistan). Though, this appears to be one of the reasons for njRAT’s long life. Another RAT known as PlugX was used by the same APT41 and TA459, and remains active to these days despite its first activity detected in 2008.

Aside from its “born” name, njRAT is also known as Bladabindi – the name of Microsoft Defender’s detection assigned to this malware family. Usually, Microsoft uses specific names to denote detections of malware that belong to widespread families – Trojan:Win32/QakBot for QakBot, Backdoor:Win32/Smokeloader for Smokeloader, and the like. But njRAT appears to be an exclusion, and nowadays, its original name is used interchangeably with Bladabindi.

Versions of njRAT

The lifespan of more than decade obviously gave birth to a number of variants of this malware. Their versioning system is rather odd, so don’t seek any logic in version numbers. In 2023, there are four njRAT variants circulating in the wild:

• njRAT Lime Edition
• njRAT 0.7d Golden Edition
• njRAT 0.7d Green Edition
• njRAT 0.7d Golden Edition

The difference in functionality is unremarkable, while builder and the C2 panel interface is the main place where these variants differ. They range from minimalistic to ASCII-styled and even one with a weird dragon painting.

njRAT Spreading Mechanisms

Throughout its long history, njRAT was opting for quite common spreading strategies – email spam or injection with the help of loaders. Email spam has been reigning as a spreading method for the vast majority of malware types for almost 5 years. Even after the introduction of restrictions to the most popular injection vectors, the method is easily adjusted and keeps running.

More modern methods include fake software installers that are spread on websites that copy genuine downloading pages for this software. Such forged pages are commonly promoted via search result ads hijacking. As promoted pages appear on top of search results, users often click on them and treat them as legitimate. Usually, such pages and ads exist for a short period of time – until the flow of reports to the hosting and search engine, though it is still enough to infect hundreds of users.

However, some original tactics emerge time-to-time – for instance, in 2016 this malware targeted Discord users with a sophisticated spam campaign. Hackers were gaining trust of users of a channel, to then send them a link to malware downloading or even an exact file – under the guise of a legit app. Alternative attack vectors included spam on social media from hijacked accounts. Sure, such methods require much more effort, but their effectiveness is worth it.

Analysis of njRAT/Bladabindi

When it comes to the analysis of njRAT, things are getting slightly different from what we used to see in other malware types and families. Malware comes with its own builder, a software that allows to configure the payload to the needs of a particular case. Hackers can choose from and change the following categories:

• Name of the malware’s .exe file
• Registry startup key creation
• Startup instance creation
• Directory of the malware in the target system
• Host IP-address and a network port
• Victim name
• Peak size of malware logs
• Icon of the malware file
• Process protection

Such a thin setup allows njRAT to circumvent most of the static checks from antivirus programs. However, it is not enough to evade runtime analysis, i.e. heuristic detection systems. For this case, the malware uses multiple .NET obfuscators (malware itself is based on .NET as well). This makes the code particularly hard to analyse and understand to both humans and machines.

Upon execution, the malware follows the instructions that were built in during the setup in the builder. If specified, njRAT creates its instance in the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp. Registry manipulations consist of creating the key with a weird name “[kl]” in a HKEY_CURRENT_USER\Software\32 hive with the value of a random set of chars and digits.

When the “installation” part is sorted out, alware pings the command server, and a new connection appears on the panel. From that moment, the malware master can choose from a wide range of actions to do with the infected machine.

Functionality Overview

As we mentioned in the introduction, njRAT offers a classic set of functionality for remote-access trojans, with some other “pleasant” features. Let’s review them one by one.

The first functionality seen on the C2 panel is the list of system properties. With the initial ping package, malware sends the PC name, IP address of the target system and ping, OS, country, and status. Click on the listed system opens the list of other actions:

Among unlisted, but definitely present functions of njRAT are taking screenshots of the infected system's main screen and specific windows. This, however, may be less useful when there is the ability to create a remote connection that grants control over the computer.

We also want to disclose the Get Passwords function with more details. Obviously, it was not an initial function of this malware and was added with the progression of other malware functionality. njRAT is capable of extracting cookies from Chrome and Chromium-based browsers, along with Bitcoin wallets. Unlike more modern malware families, this threat probably isn't trying to be all-in-one – a remote-access trojan, a dropper and a stealer.

How to protect against njRAT malware?

Since njRAT mostly shares spreading ways with other malware, methods of preventive counteration are the same. Raising awareness of the most popular patterns in email spam among your personnel is essential – this trick alone can drastically reduce the chance of a successful phishing attack.

Other attack vectors, that rely on spear phishing, are less common and generally aim at home users. There, it can be much harder to distinguish fraud among genuine users and their posts. That is actually the reason why you can see advice to distrust any files from chats and social media: you can rarely be sure about the person who sent it. Checking such files on online scanners like GridinSoft Free Online Virus Checker is essential.

Another protection vector mostly consists of different shades of anti-malware and antivirus protection. Malware protection solutions serve as a keeper for the cases when a malicious file manages to get into your system. A well-designed anti-malware program with advanced heuristic and ML-based protection systems will easily detect and stop threats like njRAT. GridinSoft Anti-Malware is one with such features – try it out.

njRAT Malware IoC 2024