The Return of NJRat

NJRat is a remote-access Trojan that has been in use for the last few years. We hadn't heard much about NJRat since April 2014, but some samples we've recently received show that this malware is making a comeback. (For some background on NJRat, a 2013 report from Fidelis Cybersecurity Solutions at General Dynamics detailed indicators, domains, and TTPs associated with cyber-attacks using NJRat.)

Using the PhishMe Reporter button, several internal users at PhishMe reported the following suspicious email (Figure 1):


Figure 1 — Phishing email

Once clicked, the user is brought to a download page where they are given the option to download the file “NFSW_Car_Changer.exe” (Figure 2).


Figure 2 — Download of .exe file

The executable is compiled with .NET 4.0 (Figure 3). This is worth mentioning because most malware today is written in C/C++.


Figure 3 — .NET reference for the malware

The biggest benefit, from the author's point of view, of writing malware in .NET is that it can be difficult to decode and see what is truly going on. While .NET code can be decompiled back to something close to the original source (not 100%, but closer than most native code), the analysis techniques used on native executables can throw off the analysis, because the code is different. This is why we often have to rely on dynamic analysis, or simply double-clicking the file, when analyzing .NET malware.

Once the malware runs, it copies itself to %temp%\explorer.exe and begins attempting connections to zunigle.ddns[d]net. At the time of analysis, this domain resolved to 193.180.164[d]235 (Figure 4).


Figure 4 — Screenshot of DNS query for NJRat
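The two behaviours just described, a copy of explorer.exe dropped into %TEMP% and a lookup of a dynamic-DNS host, are both easy to hunt for in endpoint telemetry. The script below is an added example, not part of the original post or any PhishMe tooling: it runs two checks over a constructed, simplified "key=value" event log (not any real sensor's format) and flags an explorer.exe image outside C:\Windows, a query for the domain named in this analysis (kept defanged and refanged in code), and queries for common dynamic-DNS zones. The legitimate explorer.exe path assumes a default install on C:, and the dynamic-DNS suffix list is an illustrative assumption, not an exhaustive one.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed watchlist: the indicator from this analysis, kept in its defanged
# form so it can be pasted straight from the report and refanged in code.
IOC_DOMAINS_DEFANGED = ("zunigle.ddns[d]net",)

# Constructed, non-exhaustive list of dynamic-DNS zones (No-IP and similar).
# A query here is not malicious on its own, but it deserves a second look.
DYNAMIC_DNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".no-ip.biz", ".hopto.org")

# Assumption: the only legitimate explorer.exe on a default install on C:.
LEGIT_EXPLORER = r"c:\windows\explorer.exe"


def refang(domain: str) -> str:
    """Turn report-style defanged domains ('[d]', '[.]', '(dot)') back into real ones."""
    return re.sub(r"\[d\]|\[\.\]|\(dot\)", ".", domain).lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


@dataclass
class Finding:
    rule: str
    value: str


def check_process(image_path: str) -> Optional[Finding]:
    """Flag any explorer.exe image that is not the real one under %WINDIR%."""
    p = image_path.lower().replace("/", "\\")
    if not p.endswith("\\explorer.exe"):
        return None
    if p == LEGIT_EXPLORER:
        return None
    return Finding("explorer_outside_windir", image_path)


def check_dns(query_name: str) -> Optional[Finding]:
    """Flag queries for a known indicator, then for any dynamic-DNS zone."""
    q = query_name.lower().rstrip(".")
    if q in IOC_DOMAINS:
        return Finding("known_c2_domain", query_name)
    if any(q.endswith(suf) for suf in DYNAMIC_DNS_SUFFIXES):
        return Finding("dynamic_dns_query", query_name)
    return None


KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Parse one 'key=value key=value' event line (constructed log format)."""
    return dict(KV.findall(line))


def triage(log_text: str) -> list:
    """Run the process and DNS checks over every event line and collect findings."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("event") == "process_create":
            f = check_process(ev.get("image", ""))
        elif ev.get("event") == "dns_query":
            f = check_dns(ev.get("name", ""))
        else:
            f = None
        if f:
            findings.append(f)
    return findings


# Constructed sample events modelled on the behaviour described in the post:
# the copy to %TEMP%\explorer.exe and the lookup of the dynamic-DNS C2 host.
SAMPLE_LOG = r"""
event=process_create image=C:\Windows\explorer.exe parent=C:\Windows\System32\userinit.exe
event=process_create image=C:\Users\alice\AppData\Local\Temp\explorer.exe parent=C:\Users\alice\Downloads\NFSW_Car_Changer.exe
event=dns_query name=www.example.com
event=dns_query name=zunigle.ddns.net
event=dns_query name=somehost.hopto.org
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule}: {f.value}")
```

The known-indicator check runs before the dynamic-DNS check so a confirmed C2 host is reported with the stronger label rather than the generic one; in practice you would feed the same two checks from Sysmon process-creation and DNS events rather than the constructed lines here.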

Once the connection is established, the malware sends various pieces of information back to the attacker (Figure 5). NJRat traffic is typically base64-encoded and can be decoded straight from the command line (Figure 6); the decoded data includes the campaign code as well as the titles of windows that were clicked during analysis.


Figure 5 — Traffic being sent to attackers


Figure 6 — Decoded base64 information from NJRat
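The command-line decode shown in Figure 6 works once you have picked the base64 field out of the capture by hand. For a whole session, the following added example (not code from the original post) scans a captured payload for runs of base64 alphabet characters, repairs missing padding, and keeps only those runs that decode to printable UTF-8 text, which is what the campaign code and window titles look like after decoding. The payload is constructed for this example and uses a simple pipe-delimited layout of my own; it does not reproduce NJRat's actual message framing, which the post does not describe.

```python
import base64
import re

# Runs of base64 alphabet characters, at least 8 long, with optional padding.
# Shorter runs produce too many false hits on ordinary words.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")


def decode_candidate(token: bytes) -> "str | None":
    """Return decoded text if `token` is valid base64 for printable UTF-8, else None.

    Padding is restored first, because captures often truncate the trailing '='.
    """
    padded = token + b"=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        # binascii.Error (bad length / characters) is a ValueError subclass.
        return None
    if not text or not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def extract_b64_strings(payload: bytes) -> "list[tuple[bytes, str]]":
    """Scan a captured payload and return (encoded, decoded) pairs for every decodable run."""
    out = []
    for m in B64_RUN.finditer(payload):
        tok = m.group(0)
        text = decode_candidate(tok)
        if text is not None:
            out.append((tok, text))
    return out


# Constructed sample: a made-up pipe-delimited message carrying a campaign code
# and a foreground window title, both base64-encoded as the post describes.
# The field values and the layout are illustrative, not NJRat's real protocol.
CAMPAIGN_FIELD = base64.b64encode(b"campaign-demo").decode()
WINDOW_FIELD = base64.b64encode(b"Untitled - Notepad").decode()
SAMPLE_PAYLOAD = f"inf|{CAMPAIGN_FIELD}|{WINDOW_FIELD}|end".encode()

if __name__ == "__main__":
    for encoded, decoded in extract_b64_strings(SAMPLE_PAYLOAD):
        print(f"{encoded.decode()} -> {decoded!r}")
```

For a single field the shell equivalent is simply `printf '%s' 'dGVzdA==' | base64 -d`; the script's value is running that over an entire capture and discarding runs of letters that merely look like base64 but do not decode to text.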

The IP address appears to be part of VPN infrastructure. Based on the analysis in the Fidelis article, the combination of VPN infrastructure and No-IP dynamic DNS matches up very well. The VPN references also match one of the two NJRat Facebook pages:


Figure 7 — NJRat Facebook page


Figure 8 — NJRat Facebook page

The malware can be found here:

https://www.virustotal.com/en/file/6497bc799ae4f74dd0c538ed7dc12b416fb189dfebf61e60e8d900f9692458d8/analysis/
