On June 27, 2013 we released a paper on the njRAT malware threat. Today, we wanted to share two Yara rules we created to detect this threat. These rules appear to properly detect the base njRAT malware built from the CnC Server GUI and its associated network traffic. They have been tested against the following versions of njRAT: 0.3.5, 0.3.6, 0.4.1, and 0.5.0.
Please note that not all the njRAT malware samples mentioned in our research paper will be detected by the "win_exe_njRAT" rule, since we decided not to create fingerprints for generic packers in order to prevent false hits. Please feel free to let us know if you encounter a false hit with these Yara rules:
In the past thirty (30) days, an increase in attack activity has been observed using the "njRAT" malware. This remote access trojan (RAT) can log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload and download files, view the victim's desktop, and perform process, file, and registry manipulations; it also lets the attacker update, uninstall, restart, close, or disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker can create and configure the malware to spread through USB drives.
"njRAT" is currently leveraged by advanced threat actors in the Middle East, in particular when delivered via HTTP (e.g., a phishing attack or drive-by download). It has also been observed that attackers are delivering "njRAT" embedded in other applications (e.g., L517 v.0.994 Word List Generator) and compressed with EZIRIZ .NET Reactor/.NET protector. Obfuscation with compressors or protectors is a technique attackers use to evade detection by network-based and host-based security defenses.
We have observed the majority of the attacks leveraging "njRAT" to be against organizations based in or focused on the Middle East region in the government, telecom, and energy sectors. However, as this is a publicly available tool, it can be obtained and deployed with ease regardless of location or industry.
During the analysis of "njRAT", it was observed that some of the top antivirus vendors were not currently detecting some variants of this threat.
Some of the file names of carrier files or njRAT samples observed were: L517 v0.994.exe, RealUpgrade.exe, password hotmail cracker 2013.exe, elisa.exe, Crack All Games.exe, fresh cc cvv all info 2013_txt.scr, spoolsv.exe, Hack Origin Game's.exe, Authorization form may - 2013 - 115444.scr, and Authorization.exe.
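As an added example (not code from the advisory or its authors), the following Python script turns the file names listed above into a small file-system indicator check and runs it over a few constructed file-creation log lines. The log format (`timestamp host path`), the host names and the paths are assumptions made up for this demonstration. Two things go beyond the list itself: `spoolsv.exe` is also the name of the legitimate Windows print spooler, so the script only flags it when it runs from outside the Windows system directory (an assumption, not something the advisory states), and a generic heuristic flags `.scr` files and document-looking names glued to an executable extension, which is the pattern behind several of the observed names.

```python
"""Match the advisory's file-system indicators against a file-creation log.

Constructed example: the indicator list is copied from the advisory; the log
lines, host names and paths are made up for this demonstration.
"""
from __future__ import annotations

import ntpath
import re
from typing import Iterable

# File names the advisory lists as observed carrier files or njRAT samples.
OBSERVED_FILENAMES = frozenset(name.lower() for name in (
    "L517 v0.994.exe",
    "RealUpgrade.exe",
    "password hotmail cracker 2013.exe",
    "elisa.exe",
    "Crack All Games.exe",
    "fresh cc cvv all info 2013_txt.scr",
    "spoolsv.exe",
    "Hack Origin Game's.exe",
    "Authorization form may - 2013 - 115444.scr",
    "Authorization.exe",
))

# spoolsv.exe is also the legitimate Windows print spooler, so a bare name
# match would fire on every host. Assumption for this example: treat it as an
# indicator only when it is located outside the Windows system directory.
LEGITIMATE_LOCATIONS = {
    "spoolsv.exe": re.compile(r"^[a-z]:\\windows\\system32\\spoolsv\.exe$", re.I),
}

# A document-looking token (txt, doc, pdf, jpg...) glued to an executable
# extension, e.g. "report_txt.scr" or "invoice.pdf.exe". Generalisation of the
# pattern seen in the observed names, not a rule from the advisory.
DISGUISED_EXTENSION = re.compile(r"[._-](txt|doc|docx|pdf|jpg|png|xls)\.(exe|scr)$", re.I)


def classify(path: str) -> list[str]:
    """Return the reasons a file path is suspicious (empty list if none)."""
    name = ntpath.basename(path)  # handles backslash paths on any OS
    lower = name.lower()
    reasons: list[str] = []

    if lower in OBSERVED_FILENAMES:
        allow = LEGITIMATE_LOCATIONS.get(lower)
        if allow is None or not allow.match(path):
            reasons.append("name matches advisory indicator")

    if lower.endswith(".scr"):
        reasons.append("screensaver executable (.scr)")

    if DISGUISED_EXTENSION.search(lower):
        reasons.append("document-looking name with executable extension")

    return reasons


def scan(log_lines: Iterable[str]) -> list[tuple[str, str, list[str]]]:
    """Parse '<timestamp> <host> <path>' lines; return hits as (host, path, reasons)."""
    hits: list[tuple[str, str, list[str]]] = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            _ts, host, path = line.split(maxsplit=2)  # path may contain spaces
        except ValueError:
            continue  # malformed line: skip rather than abort the whole scan
        reasons = classify(path)
        if reasons:
            hits.append((host, path, reasons))
    return hits


# Constructed sample log (not from the advisory).
SAMPLE_LOG = r"""
2013-07-01T09:12:03Z host01 C:\Users\bob\Downloads\Crack All Games.exe
2013-07-01T09:13:44Z host01 C:\Windows\System32\spoolsv.exe
2013-07-01T09:15:10Z host02 C:\Users\alice\AppData\Roaming\spoolsv.exe
2013-07-01T09:20:31Z host02 C:\Users\alice\Desktop\invoice.pdf.exe
2013-07-01T09:22:05Z host03 C:\Users\carol\Documents\report.docx
""".strip().splitlines()

if __name__ == "__main__":
    for host, path, reasons in scan(SAMPLE_LOG):
        print(f"{host}: {path} -> {'; '.join(reasons)}")
```

Running the script reports three of the five sample lines: the copy of `spoolsv.exe` in the system directory is left alone while the copy under a user profile is flagged, which is the kind of location check that keeps a name-based indicator list from drowning an analyst in false hits.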
This document will provide detailed information about the njRAT's functionality, file system indicators, network indicators, some of the campaign IDs observed, MD5 hashes, and domains. It will also go over a detailed analysis of one of the malware variants.
It seems like there is a kit for everything these days. There are first aid kits, cooking kits, car repair kits, even applications such as web kits. What type of kit is out there for the World Wide Web? Do you even need a kit, and if so what should be in it?
Sophisticated malicious files entering today’s networks are not your grandma’s malware. Brick-and-mortar criminals of the past have moved onto the open range of the Internet, relying on the anonymity it provides and the safety of non-extradition countries to shield themselves from law enforcement. Nation states are also upping the game by constantly competing in this generation’s cold war, inserting backdoors into critical infrastructures around the world. With so many parties focused on infecting and owning networks, the prevalence of nigh undetectable malware and push-button tools to craft malicious files and encrypted command and control tunnels has skyrocketed.