SYMBOLCOMMON_NAMEaka. SYNONYMS
win.njrat (Back to overview)

NjRAT

aka: Bladabindi

Actor(s): Operation C-Major, The Gorgon Group

URLhaus      

RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."

It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.

References
2020-07-30SpamhausSpamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor
2020-06-22Anurag
@online{anurag:20200622:njrat:381c066, author = {Anurag}, title = {{njRat Malware Analysis}}, date = {2020-06-22}, url = {https://malwr-analysis.com/2020/06/21/njrat-malware-analysis/}, language = {English}, urldate = {2020-06-22} } njRat Malware Analysis
NjRAT
2020-05-14SophosLabsMarkel Picado
@online{picado:20200514:raticate:6334722, author = {Markel Picado}, title = {{RATicate: an attacker’s waves of information-stealing malware}}, date = {2020-05-14}, organization = {SophosLabs}, url = {https://news.sophos.com/en-us/2020/05/14/raticate/}, language = {English}, urldate = {2020-05-18} } RATicate: an attacker’s waves of information-stealing malware
Agent Tesla BetaBot BlackRemote Formbook Loki Password Stealer (PWS) NetWire RC NjRAT Remcos
2020-01-31ReversingLabsRobert Simmons
@online{simmons:20200131:rats:d8a4021, author = {Robert Simmons}, title = {{RATs in the Library: Remote Access Trojans Hide in Plain "Public" Site}}, date = {2020-01-31}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/rats-in-the-library}, language = {English}, urldate = {2020-02-03} } RATs in the Library: Remote Access Trojans Hide in Plain "Public" Site
CyberGate LimeRAT NjRAT Quasar RAT Revenge RAT
2020SecureworksSecureWorks
@online{secureworks:2020:copper:e356116, author = {SecureWorks}, title = {{COPPER FIELDSTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/copper-fieldstone}, language = {English}, urldate = {2020-05-23} } COPPER FIELDSTONE
Crimson RAT DarkComet Luminosity RAT NjRAT Operation C-Major
2020-01DragosJoe Slowik
@techreport{slowik:202001:threat:d891011, author = {Joe Slowik}, title = {{Threat Intelligence and the Limits of Malware Analysis}}, date = {2020-01}, institution = {Dragos}, url = {https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf}, language = {English}, urldate = {2020-06-10} } Threat Intelligence and the Limits of Malware Analysis
Exaramel Exaramel Industroyer Lookback NjRAT PlugX
2019-12-24Github (itsKindred)Derek Kleinhen
@techreport{kleinhen:20191224:bashar:944cfdf, author = {Derek Kleinhen}, title = {{Bashar Bachir Infection Chain Analysis}}, date = {2019-12-24}, institution = {Github (itsKindred)}, url = {https://github.com/itsKindred/malware-analysis-writeups/blob/master/bashar-bachir-chain/bashar-bachir-analysis.pdf}, language = {English}, urldate = {2020-01-10} } Bashar Bachir Infection Chain Analysis
NjRAT
2019-09-26ProofpointBryan Campbell, Jeremy Hedges, Proofpoint Threat Insight Team
@online{campbell:20190926:new:d228362, author = {Bryan Campbell and Jeremy Hedges and Proofpoint Threat Insight Team}, title = {{New WhiteShadow downloader uses Microsoft SQL to retrieve malware}}, date = {2019-09-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware}, language = {English}, urldate = {2020-02-26} } New WhiteShadow downloader uses Microsoft SQL to retrieve malware
WhiteShadow Agent Tesla Azorult Crimson RAT Formbook Nanocore RAT NetWire RC NjRAT Remcos
2019-08-30Github (threatland)ThreatLand
@online{threatland:20190830:njrat:995c281, author = {ThreatLand}, title = {{njRAT builders}}, date = {2019-08-30}, organization = {Github (threatland)}, url = {https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.njRAT}, language = {English}, urldate = {2020-01-08} } njRAT builders
NjRAT
2019-08-01Kaspersky LabsGReAT
@online{great:20190801:trends:5e25d5b, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897/}, language = {English}, urldate = {2020-08-13} } APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy Microcin
2019-03-25360 Core Securityzhanghao-ms
@online{zhanghaoms:20190325:patting:92fda17, author = {zhanghao-ms}, title = {{Patting the Bear (APT-C-37): Exposure of Continued Attacks Against an Armed Organization}}, date = {2019-03-25}, organization = {360 Core Security}, url = {http://blogs.360.cn/post/analysis-of-apt-c-37.html}, language = {Chinese}, urldate = {2020-01-08} } Patting the Bear (APT-C-37): Exposure of Continued Attacks Against an Armed Organization
Houdini NjRAT
2018-08-02Palo Alto Networks Unit 42Robert Falcone, David Fuertes, Josh Grunzweig, Kyle Wilhoit
@online{falcone:20180802:gorgon:06112b1, author = {Robert Falcone and David Fuertes and Josh Grunzweig and Kyle Wilhoit}, title = {{The Gorgon Group: Slithering Between Nation State and Cybercrime}}, date = {2018-08-02}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/}, language = {English}, urldate = {2019-12-20} } The Gorgon Group: Slithering Between Nation State and Cybercrime
Loki Password Stealer (PWS) Nanocore RAT NjRAT Quasar RAT Remcos Revenge RAT
2018-07-23360 Threat IntelligenceQi Anxin Threat Intelligence Center
@online{center:20180723:golden:acfd437, author = {Qi Anxin Threat Intelligence Center}, title = {{Golden Rat Organization-targeted attack in Syria}}, date = {2018-07-23}, organization = {360 Threat Intelligence}, url = {https://ti.360.net/blog/articles/analysis-of-apt-c-27/}, language = {Chinese}, urldate = {2020-04-28} } Golden Rat Organization-targeted attack in Syria
NjRAT Golden RAT
2016-11-30FortinetLilia Elena Gonzalez Medina
@online{medina:20161130:bladabindi:22e025f, author = {Lilia Elena Gonzalez Medina}, title = {{Bladabindi Remains A Constant Threat By Using Dynamic DNS Services}}, date = {2016-11-30}, organization = {Fortinet}, url = {https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services}, language = {English}, urldate = {2020-01-09} } Bladabindi Remains A Constant Threat By Using Dynamic DNS Services
NjRAT
2016-10-26UnknownChris Doman
@online{doman:20161026:moonlight:1edffaa, author = {Chris Doman}, title = {{Moonlight – Targeted attacks in the Middle East}}, date = {2016-10-26}, organization = {Unknown}, url = {https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks}, language = {English}, urldate = {2020-04-06} } Moonlight – Targeted attacks in the Middle East
Houdini NjRAT Molerats
2015-01-22Trend MicroMichael Marcos
@online{marcos:20150122:new:1fdb830, author = {Michael Marcos}, title = {{New RATs Emerge from Leaked Njw0rm Source Code}}, date = {2015-01-22}, organization = {Trend Micro}, url = {http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/}, language = {English}, urldate = {2019-12-17} } New RATs Emerge from Leaked Njw0rm Source Code
NjRAT
Yara Rules
[TLP:WHITE] win_njrat_w1 (20170517 | Identify njRat)
rule win_njrat_w1 {
    meta:
        author = "Brian Wallace @botnet_hunter"
        author_email = "bwall@ballastsecurity.net"
        date = "2015-05-27"
        description = "Identify njRat"
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/Njrat.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $a1 = "netsh firewall add allowedprogram " wide
        $a2 = "SEE_MASK_NOZONECHECKS" wide

        $b1 = "[TAP]" wide
        $b2 = " & exit" wide

        $c1 = "md.exe /k ping 0 & del " wide
        $c2 = "cmd.exe /c ping 127.0.0.1 & del" wide
        $c3 = "cmd.exe /c ping" wide
    condition:
        1 of ($a*) and 1 of ($b*) and 1 of ($c*)
}
Download all Yara Rules