NjRAT is Spreading via Removable Media

Delaware, USA – November 29, 2018 – NjRAT remote access trojan was created based on the leaked Njw0rm source code, and it has a wide range of backdoor capabilities. NjRAT remote access trojan was created based on the leaked Njw0rm source code, and it has a wide range of backdoor capabilities. Researchers from Trend Micro encounter a new fileless version of this malicious tool that is distributed through removable media. It is also impossible to exclude the version that initially trojan can penetrate the network of the organization via phishing emails. NjRAT uses AutoIt to compile the payload and the main script into a single executable to bypass antivirus solutions. When the installer is executed, the malware tries to delete Tr.exe from the system’s %TEMP% directory and install its own version of Tr.exe on it. Then it terminates Tr.exe process and executes a dropper, which installs a hidden copy of itself on any removable drive found on the infected system.

Tr.exe is AutoIt-compiled executable script containing a base-64 encoded executable, which it writes in a registry. It also creates another value for persistence using an auto-run registry named AdobeMX to execute PowerShell to load the encoded executable via reflective loading. When the backdoor runs, it creates a firewall policy that adds PowerShell’s process to the list of allowed programs. NjRAT can be used for keylogging, downloading and executing additional malware and stealing credentials from web browsers.

NjRAT remote access trojan has been used repeatedly in cyberespionage campaigns and is popular on underground forums. New fileless modification poses a threat to organizations that still use removable media in the workplace. Threat Detection Marketplace contains free rules for ArcSight, ELKStack, QRadar and Splunk to detect this malware.

NjRAT RAT/Backdoor Detector (proxy): https://tdm.socprime.com/tdm/info/1387/
HWorm and NjRAT Rat/Backdoor Detector (Sysmon): https://tdm.socprime.com/tdm/info/1386/