McAfee Labs

Trailing the Trojan njRAT

0
By on Aug 05, 2014

One Trojan that just won’t go away is the remote access tool njRAT. Microsoft recently took down a leading domain associated with the malware, but that action did not come off as smoothly as the company hoped. We closely track this remote access tool (RAT) and see a rise in its popularity every year.

The malware is very popular in the Middle East with the Syrian Electronic Army and other hacktivists. There are plenty of tutorials and videos online that explain its use, thus making it the de facto choice for cyber espionage.

This RAT is coded using the Microsoft .Net framework and can remotely access a victim’s machine, operate the webcam, log keystrokes, steal credentials stored in browsers, upload and download files, and update itself. The malware has a GUI-based builder and controller tool that allows its users to create malicious binaries and remotely control all infected machines.

Tracking the control servers

A major aspect of this RAT is its popularity with dynamic domain name system (DNS) services such as no-ip.com. A dynamic DNS service is a method of automatically updating a name server in the DNS, often in real time, with the active DNS configuration of its configured hostnames, addresses, or other information.

This feature allows attackers without a dedicated static IP, such as DSL or broadband connection, to use a DNS-based hostname. This helps the malicious actors to use any IP or Internet connection and still keep the client connections alive.

Based on the activity we observed in our monitoring systems, here is a map of the global coverage of njRAT’s control servers during the last six months:

njRAT_goedist

All the dots signify distinct IP addresses used by njRAT as a control server. The green dots signify active campaigns, which mean the attacker was controlling machines as we took this snapshot. Here is a close-up of its popularity in the Middle East:

njRAT_goedist2

Morocco, Algeria, and Iraq have the highest usage, with Algeria hosting the largest number of control server IPs (more than 4,000). The dynamic DNS service provider no-ip is owned by Vitalwerks, which offers various domain name options to its customers. During this period, we saw more than 80,000 unique domains used for njRAT that belonged to Vitalwerks. Here is the distribution: njRAT_domaindist

Domain distribution of njRAT control servers.

Clearly, most njRAT users prefer using the domain no-ip.biz, which leads the pack with more than 47,000 distinct entries in our database.

Obfuscation and antivirus evasion

One of the reasons njRAT remains so popular is the Trojan’s ability to stay under the radar and prevent antivirus detections. There are plenty of obfuscation tools available for .Net that easily allow users to obfuscate the .Net binaries.

Similar to a packer, a .Net obfuscator tool renames the meta-information in the assembly code such that it is not possible for anyone to statically figure out the functions, yet they remain useful to execute the intended operations. The obfuscator was designed to protect against the reverse-engineering of .Net executables, but here it is put to use for nefarious purposes.

Plenty of tutorials on YouTube explain how to make an njRAT binary undetectable by antivirus solutions, and hence the success rate of infection with njRAT is pretty high. However, the network signature remains same. This is what we use to track the threat.

In the past year, we have collected more than 88,000 unique binaries. Using our advanced automation, we monitor this threat closely.
njRAT_incoming

For a RAT, the preceding numbers are pretty high. They demonstrate how easy it is to build and deploy this malware. But what surprises us most is the count of samples received each month that have no antivirus detection:

njRAT_noav

The preceding chart of  samples are not detected by any antivirus vendor at the time of submission. We refer to these as zero-day samples. But from their network communication we can confirm that they all belong to the njRAT family. We have used the malware’s network signature to track this threat for more than a year.

Due to the plethora of tutorials and information, there are some popular obfuscators for njRAT. However, we also saw some of the binaries using custom obfuscation algorithms. Based on our analysis, we found that “RedGate SmartAssembly” was one of most popular obfuscators used with njRAT, followed by “Yano” and others:

njRAT_packerdist

Desktop antivirus solutions have limitations, and .Net obfuscation takes advantage of that. Every month we get samples of this malware that continue to evade antivirus software. The njRAT tool is still under development on various forums and its author continues to create new versions.

All McAfee Network Security Product (NSP) customers are already protected from this threat.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>