Having been compromised via one of the various delivery methods, njRAT victim machines will call home to the threat actor’s command and control (C2) server. Once downloaded, njRAT is decoded and decrypted prior to being injected into a legitimate process and launched.
This tactic reduces the likelihood of blocking or detection, especially given the use of a legitimate service often utilized within the enterprise and appearing as a benign filetype that might not normally be subject to inspection. To evade detection, an encoded, obfuscated and potentially encrypted njRAT payload masquerading as an image file is hosted on a legitimate file-sharing service, such as Dropbox or Microsoft OneDrive.
Upon execution, the legitimate installation proceeds in the foreground whilst Visual Basic and PowerShell scripts, or an executable, are dropped into the victim’s ‘Startup’ directory for persistence and launched to download the njRAT payload. Masquerading as a legitimate applications installer uploaded to file-sharing services, victims inadvertently downloading content from unofficial sources risk received njRAT alongside their desired application. Subsequently, the VBE payload downloads the njRAT executable from a hard-coded URL, saved within the victim’s ‘Startup’ directory for persistence, before being launched. Having been lured into opening the attachment, the VBE payload sends a ten character random string via a HTTP POST to a command and control (C2) server that responds with base64 data that, along with the random string, is saved in a Windows registry key.
Malicious unsolicited email (malspam) campaigns culminating in the installation of njRAT were observed during October 2020 as utilizing a common ‘shipment tracking’ theme, mimicking popular courier and postal services, to deliver a Zip-compressed archive attachment containing an encoded Visual Basic script (VBE) payload. Furthermore, reinforcing the adage that there is no ‘honour among thieves’, weaponized versions of malicious tools, possibly including the RAT itself, and copyright-infringing downloads, such as those obtained via peer-to-peer file sharing networks, have been used to deliver njRAT to other unscrupulous individuals.
Often indiscriminately targeting individuals and organizations, njRAT has been observed as delivered via malicious unsolicited email (malspam) campaigns as well as within weaponized versions of legitimate software.
Undoubtedly following the source code leak, reportedly in May 2013, njRAT has become widely available on the cybercriminal underground with numerous variants being released over the years.Īs is to be expected from any popular RAT threat, njRAT targets Microsoft Windows-based systems with common capabilities including: First identified as active in November 2012, ‘njRAT’, also known as ‘Bladabindi’ or ‘Njw0rm’, is a well established and prevalent remote access trojan (RAT) threat that was initially created by a cybercriminal threat group known as ‘Sparclyheason’ and used to target victims located in the Middle East.