Open in app

Sign in

Write

Sign in

Mastodon

njRAT: Technical Insights And Strategic Hunting Approaches

Ahmed Nosir
5 min readJan 29, 2024

--

Introduction:

njRAT (also known as Bladabindi). This remote access Trojan (RAT) has been a significant cyber threat since its inception in 2012. Its widespread adoption escalated following the leak of its source code in 2013, making it a favored tool among both sophisticated cybercriminals and novice hackers.

In 2023, a few njRAT variants are circulating in the wild:

  • njRAT Lime Edition
  • njRAT 0.7d Green Edition
  • njRAT 0.7d Golden Edition

Detailed Evolution and Reach of njRAT:

Originating as a tool targeting organizations in the Middle East, njRAT has evolved to deliver its payload via multiple vectors. These include weaponized documents in phishing campaigns, masquerading as legitimate software on file-sharing sites, and drive-by downloads. Once inside a system, njRAT’s capabilities are extensive: keystroke logging, screenshot capturing, password stealing, comprehensive data exfiltration, and commandeering web cameras and microphones.

Another known distribution method was through a compromised website that tricked users into downloading a fake Google Chrome update as we will cover in our sample which in turn installed njRAT malware to the PC. Bladabindi was also featured in spam email campaigns. In this case, it was delivered to potential victims as a malicious attachment.

In-Depth Technical Analysis and Deobfuscation:

njRAT, built using the Microsoft .NET framework, can be intricately analyzed using tools like dnSpy and Ollydbg, especially when it’s packed

For this section, let’s delve into the technical deconstruction of a recent njRAT sample, sourced from the AnyRun platform. This example will demonstrate the process using dnSpy, a powerful .NET decompiler and debugger.

DnSpy Unpacking Process:

Upon examining the main function, it’s evident that the .NET application is packed using mpress. This observation is crucial as it helps to understand the mechanism at the application’s main entry point post-unpacking. The code structure reveals the steps followed once the application is decompressed and loaded into memory, providing insights into how the application initializes after the unpacking process.

By strategically placing a breakpoint _.mp =Assembly.Load(rawAssembly); within the DnSpy debugger, we can intercept the moment just before the actual executable is loaded into memory. This step is crucial as it enables us to access the byte[] rawAssembly variable, which holds the decrypted assembly. Once the breakpoint is hit, we can inspect the local variables to locate this array. By doing so, we effectively capture the unpacked version of the .NET application, which can then be saved to a local location for in-depth analysis. This method is essential for revealing the true nature of the executable concealed by mpress packing.

Right-click and save this array to effectively dump the deobfuscated assembly

The malware’s functionality is contained in the “OK” class. This class also contains the hardcoded configuration information used by the RAT. For example, the configuration for this particular njRAT sample indicates that it was created with the njRAT builder version 0.7 Golden edition

While some configuration details in the njRAT sample may still be obfuscated, these can be unraveled by using the debugger to trace encoding functions or decryption routines. By carefully following the execution flow within the debugger, any obscured or encrypted configuration settings can be effectively revealed and analyzed.

Persistence:

For persistence, the malware creates an autorun key in the registry to execute with each boot of the system.

C2 Connection

As highlighted earlier, njRAT offers a classic set of functionality for remote-access trojans

Its capabilities become evident through the Control and Command (C2) panel, which provides a comprehensive suite of functions for system manipulation and surveillance. Here’s a detailed look at each function:

Strategies for Hunting and Mitigating njRAT:

  1. Network Monitoring: Look for unusual outbound traffic, especially to known njRAT C2 servers.
  2. Anomaly Detection: Implement heuristic-based detection to identify atypical behavior in systems that could indicate RAT activity.
  3. Regular Audits: Conduct frequent system audits for unfamiliar registry keys, files, and processes.
  4. Sandbox Analysis: Use sandbox environments to analyze suspected njRAT files safely.
  5. consider the relevant data endpoint telemetry sources such as:
  • Process Execution & Command Line Logging
  • Windows Security SACL Event ID, Sysmon, or any Common Information Model compliant EDR technology
  • Windows Security Event Log
  • Windows System Event Log
  • Windows PowerShell Script Block Logging

Conclusion:

The sophisticated nature of njRAT demands constant vigilance and up-to-date cybersecurity measures. Understanding its technical intricacies and employing proactive hunting strategies are key to defending against this enduring cyber threat. As njRAT continues to evolve, staying abreast of the latest trends and protective measures remains crucial in the fight against this formidable malware

Malware
Njrat
Threat Intelligence
Threat Hunting
Malware Analysis

--

--

Ahmed Nosir

Written by Ahmed Nosir

58 Followers

Cyber security Consultant · SOC Lead · Red/Blue Team Enthusiast

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams