njRAT Remote Access Trojan

OVERVIEW

njRAT is a well-known and widely available Remote Administration Tool (RAT) which has been observed since 2013 and may have been in development as early as 2010. It offers a number of capabilities which are characteristic of other Remote Administration Tools, including keylogging, remote control of the system, access to the command line of the compromised system, access to the victim’s camera, and file, process, and registry management. The RAT is also capable of exfiltrating credentials from browsers. Another unique characteristic of the RAT is that the authors, and other actors, have created extensive documentation and tutorials to teach prospective users how to use njRAT.

TARGETING

As the backdoor is publicly available, targeting will depend upon the actor employing it.

DELIVERY

This malware has been observed being distributed via a number of vectors, including Discord spam, various black-market software such as so-called ‘keygens’ and cracks, so-called ‘FakeAV’ and ‘Fake Flash’ updates, and malicious spam (malspam) and phishing campaigns. njRAT is also capable of spreading laterally through removable media.

NJRAT INSTALLATION

This malware has been observed being installed into the following locations:

  • %TEMP%
  • %APPDATA%
  • %USERPROFILE%
  • %ALLUSERSPROFILE%
  • %windir%

NJRAT PERSISTENCE

This malware establishes persistence through two primary methods: it has been observed creating scheduled tasks; it has also been observed modifying the autorun value in the registry.
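
For triage, the install locations and persistence methods described above can be combined. The following is an added example (not part of the original profile and not code from any vendor tool) that flags scheduled-task and autorun entries whose target binary sits under one of the listed folders. The sample environment, entries and file names are constructed, and ranking by folder depth is an assumption for prioritising review, not an njRAT signature.

```python
import ntpath
import re

# Install locations listed on this page.
INSTALL_VARS = ["%TEMP%", "%APPDATA%", "%USERPROFILE%", "%ALLUSERSPROFILE%", "%windir%"]
# Constructed environment for one user; real values come from the endpoint itself.
SAMPLE_ENV = {"TEMP": r"C:\Users\alice\AppData\Local\Temp",
              "APPDATA": r"C:\Users\alice\AppData\Roaming",
              "USERPROFILE": r"C:\Users\alice",
              "ALLUSERSPROFILE": r"C:\ProgramData", "WINDIR": r"C:\Windows"}
# Constructed (source, command line) pairs, as exported from task and autorun listings.
SAMPLE_ENTRIES = [
    ("registry_autorun", r'"%APPDATA%\updater.exe" -s'),
    ("scheduled_task", r"C:\Users\alice\AppData\Local\Temp\svc host.exe /background"),
    ("registry_autorun", r"C:\Windows\System32\example.exe"),
    ("scheduled_task", r'"C:\Program Files\Vendor\agent.exe" --run'),
    ("registry_autorun", r"%windir%\helper.exe"),
]

def expand(text, env):
    """Expand %VAR% references case-insensitively; unknown variables are left as-is."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), text)

def target_path(command, env):
    """Extract the normalised executable path from a persistence command line."""
    command = expand(command.strip(), env)
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:  # unquoted: cut at the first script/executable extension, else first space
        m = re.match(r"(.+?\.(?:exe|scr|com|bat|cmd|vbs|js))(?:\s|$)", command, re.I)
        path = m.group(1) if m else command.split(" ", 1)[0]
    return ntpath.normcase(ntpath.normpath(path))

def classify(command, env):
    """Return (most specific listed location, folder depth below it) or None."""
    path = target_path(command, env)
    roots = [(v, ntpath.normcase(ntpath.normpath(expand(v, env)))) for v in INSTALL_VARS]
    matches = [(v, r) for v, r in roots if path.startswith(r + "\\")]
    if not matches:
        return None
    var, root = max(matches, key=lambda vr: len(vr[1]))
    return var, path[len(root) + 1:].count("\\")

def triage(entries, env):
    """Return (depth, location, source, path) hits, shallowest (most suspicious) first."""
    hits = [(classify(c, env), s, target_path(c, env)) for s, c in entries]
    return sorted((r[1], r[0], s, p) for r, s, p in hits if r)
```

Depth 0 means the binary sits directly in the listed folder; deeper hits under `%windir%` or `%ALLUSERSPROFILE%` are commonly legitimate software and rank lower.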

NJRAT COMMUNICATION

This malware has been observed using novel command and control (C2) methods, including Pastebin.
