njRAT

njRAT is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.[1]

ID: S0385
Associated Software: Njw0rm, LV, Bladabindi
Type: MALWARE
Platforms: Windows
Version: 1.6
Created: 04 June 2019
Last Modified: 11 April 2024

Associated Software Descriptions

Name Description
Njw0rm Some sources have discussed Njw0rm as a later variant of njRAT, where Njw0rm adds the ability to spread via removable devices such as USB drives.[2] Other sources include that functionality in their description of njRAT itself.[1][3]
LV [1]
Bladabindi [1][3]

Techniques Used

Domain ID Name Use
Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

njRAT has a module that steals passwords saved in victim web browsers.[1][3][4]

Enterprise T1005 Data from Local System

njRAT can collect data from a local system.[1]

Enterprise T1112 Modify Registry

njRAT can create, delete, or modify a specified Registry key or value.[1][3]

Enterprise T1568 .001 Dynamic Resolution: Fast Flux DNS

njRAT has used a fast flux DNS for C2 IP resolution.[3]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

njRAT has added persistence via the Registry key HKCU\Software\Microsoft\CurrentVersion\Run\ and dropped a shortcut in %STARTUP%.[1][3]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

njRAT has executed PowerShell commands via auto-run registry key persistence.[3]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

njRAT can launch a command shell interface for executing commands.[1]

Enterprise T1120 Peripheral Device Discovery

njRAT will attempt to detect if the victim system has a camera during the initial infection. njRAT can also detect any removable drives connected to the system.[1][3]

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

njRAT has modified the Windows firewall to allow itself to communicate through the firewall.[1][3]

Enterprise T1113 Screen Capture

njRAT can capture screenshots of the victim’s machines.[3]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

njRAT has used HTTP for C2 communications.[3]

Enterprise T1010 Application Window Discovery

njRAT gathers information about opened windows during the initial infection.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

njRAT uses Base64 encoding for C2 traffic.[1]

Enterprise T1083 File and Directory Discovery

njRAT can browse file systems using a file manager module.[1]

Enterprise T1106 Native API

njRAT has used the ShellExecute() function within a script.[3]

Enterprise T1012 Query Registry

njRAT can read specific registry values.[3]

Enterprise T1027 .004 Obfuscated Files or Information: Compile After Delivery

njRAT has used AutoIt to compile the payload and main script into a single executable after delivery.[3]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

njRAT has included a base64 encoded executable.[3]

Enterprise T1070 .004 Indicator Removal: File Deletion

njRAT is capable of deleting files.[1][3]

Enterprise T1070 .009 Indicator Removal: Clear Persistence

njRAT is capable of manipulating and deleting registry keys, including those used for persistence.[3]

Enterprise T1082 System Information Discovery

njRAT enumerates the victim operating system and computer name during the initial infection.[1]

Enterprise T1033 System Owner/User Discovery

njRAT enumerates the current user during the initial infection.[1]

Enterprise T1125 Video Capture

njRAT can access the victim's webcam.[1][4]

Enterprise T1105 Ingress Tool Transfer

njRAT can download files to the victim’s machine.[1][3]

Enterprise T1056 .001 Input Capture: Keylogging

njRAT is capable of logging keystrokes.[1][3][4]

Enterprise T1057 Process Discovery

njRAT can search a list of running processes for Tr.exe.[3]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

njRAT has a module for performing remote desktop access.[1]

Enterprise T1018 Remote System Discovery

njRAT can identify remote hosts on connected networks.[1]

Enterprise T1041 Exfiltration Over C2 Channel

njRAT has used HTTP to receive stolen information from the infected machine.[3]

Enterprise T1091 Replication Through Removable Media

njRAT can be configured to spread via removable drives.[1][3]

Enterprise T1571 Non-Standard Port

njRAT has used port 1177 for HTTP C2 communications.[3]

Groups That Use This Software

Campaigns

ID Name Description
C0005 Operation Spalax

[12]

References