ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > List all tools > List all groups using tool njRAT

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: njRAT

NamesnjRAT
Bladabindi
Jorik
CategoryMalware
TypeBackdoor, Keylogger, Credential stealer, Info stealer, Downloader, Exfiltration
Description(Carbon Black) njRAT is a Remote Access Trojan (RAT) that will silently collect and steal sensitive information such as login credentials. It can also perform keylogger monitoring, remote desktop control, installing additional malicious software, and many other malicious activities on the victim’s computer. In addition, njRAT is still a malware family that is being actively distributed via various methods such as spear-phishing, malvertising, exploit kits and other techniques. Figure 1 shows a screenshot for the njRAT Panel Menu.

Depending on the configuration taken from the attackers in njRAT panel, the features it provided can be used to perform malicious activities such as stealing sensitive data/information, disabling security software, install additional malicious payload to the victim’s computer and many more harmful actions. Upon the execution of njRAT, it will connect to the command and control (C&C) server, allowing the attacker to perform malicious activity on the victim’s machine.

Other than that, it will create copies of itself in the %Temp% folder and rename itself by masquerading as a legitimate binary. In this example it was renamed to ‘svhost.exe’ which is trying to imitate ‘svchost.exe’. Furthermore, it tries to hide its persistence from the user by setting the file attributes as ‘Hidden’ onto the original and the copy of the binary.

Moreover, it will also make a copy of itself in the “%AppData%\Microsoft\Windows\Start Menu” folder and create or modify the registry key for persistence to ensure it will be executed on startup. The following event logs from CB Threat Hunter shown below display the relevant events.
Information<https://www.carbonblack.com/2019/12/10/threat-analysis-unit-tau-threat-intelligence-notification-njrat/>
<http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf>
<http://csecybsec.com/download/zlab/20171221_CSE_Bladabindi_Report.pdf>
<http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/>
<https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services>
<https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/>
MITRE ATT&CK<https://attack.mitre.org/software/S0385/>
Malpedia<https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat>
AlienVault OTX<https://otx.alienvault.com/browse/pulses?q=tag:njRAT>

Last change to this tool card: 14 May 2020

Download this tool card in JSON format

All groups using tool njRAT

ChangedNameCountryObserved

APT groups

 Aggah[Unknown]2018-May 2020 
 APT 41China2012-Aug 2020 HOTX
 Gorgon GroupPakistan2017-Jul 2020 
 Group5Iran2015 
 Molerats, Extreme Jackal, Gaza Cybergang[Gaza]2012-Mar 2020 
 Operation Comando[Unknown]2018 
 Operation Epic Manchego[Unknown]2020 
 RATicate[Unknown]2019 
 RedAlphaChina2015-2017 
 RevengeHotels[Unknown]2015 
 Sphinx[Unknown]2014 
     ↳ Subgroup: Goldmouse, APT-C-27Syria2014 
     ↳ Subgroup: Pat Bear, APT-C-37Syria2015 
 Transparent Tribe, APT 36Pakistan2013-Apr 2020 

14 groups listed (14 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key