njRAT — Malware Analysis
njRAT (a.k.a Bladabindi) is a .NET Framework assembly used as Remote Access Tool which allows remote attacker to control an infected system. njRAT is one of the most widely spread malware out there and the reason for that, according to ANY.RUN, is:
Because of its availability, excess of online tutorials, and a robust core feature set along with several implemented evading techniques made njRAT one of the most widely used RATs in the world.
As you’ll see in this article, njRAT offers a wide range of capabilities, some of them resemble more traditional RATs like executing commands, take screenshots and downloading additional malicious payloads. While other capabilities may look like something you’ll write to troll your class mate 😅 such as, Open the CD trey, swap between the mouse buttons and disable user input.
So without further ado, let’s start with the analysis 🐱🏍
Initialization
The malware starts by creating a new Mutex
used for preventing multiple infection on the same system.
Then, it copies itself to the TEMP
directory under the name svchost.exe
and continues its execution as %TEMP%\svchost.exe
. This allows the malware to evade detections based on process name since svchost.exe
as known, benign processes.
Keep in mind, the real svchost.exe
process must be created under C:\Windows\System32
by services.exe
system process.
After starting as svchost.exe
the malware adds new firewall rule to allow future communication and persist itself on the infected system.
The persistence method is chosen according to the malware’s configuration (decided before the executable is built). The options are:
- Add itself under
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
autorun registry key - Copy itself to the startup folder as an hidden file
The malware also support USB infection by copying itself as an hidden file to the drive and creating autorun.inf
file which will automatically executes the malware upon connection.
Execution Workers
Once initialized, the malware sets three main workers:
- A command listener which listens and executes new commands from the C&C server
- A keylogger which logs keystrokes made by the user
- A self protector which monitors the system’s running processes and check for suspicious analysis tools
Keylogger
The keylogger loops over the keys and uses User32.dll!GetAsyncKeyState
to check if the key has been pressed or not.
In order to prevent overflow of the Logs
parameter (which holds the user keystrokes) it writes it in the registry under HKCU\Software\<Mutex_Name>\[kl]
.
Once a keystroke found, the keylogger fixes its representation to a string and writes the time, process name, and window name if the window has changed.
The thread runs in an infinite loop with an interval of 1 ms.
Self Protector
The self protector (in this specific sample) searches for the following processes:
taskmgr.exe
processviewer.exe
processhacker.exe
- Or window name,
process explorer
Once found, the malware disables process termination UI buttons in those applications which protects itself from being shutdown from the UI.
Note that different applications can be monitored according to the attacker’s choice before building the client executable.
C&C Communication
The fact that this malware is a RAT means that it depends heavily on internet connect, and indeed, that’s the first thing the thread tries to do — connect to its C&C server.
Once connection is established, the malware sends registration message to the server which contains the following data:
- Command code — ‘ll’
- Base64(“HacKed_VolumeSerial”)
- Computer name
- User name
- Current date
- OS full name and service pack
- Architecture
- Is there a camera?
- The malware version (“im523”)
- Base64(WindowName)
- Registry values under
HKCU\Software\<Mutex_Name>\
The messages format definition is:
msg_format = <msg_length>\0 + <command> + <delimiter> + <arg1> [+ <delimiter> + <arg2> + <delimiter> + <arg3> + …] <delimiter> = |’|’|
Next, the malware waits for new commands from the attacker.
Basic Commands
The malware supports wide range of commands, the majority of them are self-explanatory and listed here. In the next section we’ll take a look at more complex commands.
Executing Additional Payloads
What common to all of the following commands is that they’re extending the functionality of the malware by downloading/loading additional malicious payloads.
rn
The attacker sends the following data:
- File extension
- URL
- GZip compressed executable
With that, the malware downloads the file from the given URL or decompresses the given executable into a new temporary file (using Path.GetTempFileName
) with the given file extension.
After the new file is created, the malware executes it.
inv
njRAT has an extension plugins support, this command allow’s execution of such plugins.
The attacker sends:
- A registry path
- An argument used by the plugin
- GZip compressed .NET Assembly
The registry key holds the plugin binary, if a plugin already saved, the malware will execute it. If not, the malware will continue to parse the message and get the compressed plugin.
The plugin must contain a class named A
which serves as an execution entry point. The class contains the following members:
h
- which holds the C&C URLp
- which holds the portosk
- which holds the argument sent by the attacker
After setting the class members, the malware calls the plugin’s function, start
.
ret
Similar to inv
command, this function executes a malicious assembly located at a given registry key or compressed inside the attacker’s message.
Note that, 0x1f8b is GZip’s magic number
Again, the assembly is compressed using GZip and saved under the registry key chose by the attacker if not found. In addition, the assembly must have class named A
for execution entry point.
However, this time the malware only reads a member of the class named GT
. This member contains the output of the malicious activity Base64 encoded.
In this sample, the extended functionality is a password stealer and GT
contains the stolen credentials.
As we can see, the value of GT
sent back to the attacker.
Ex
and PLG
Ex
will execute the plugin installed by PLG
which means, the attacker will send PLG
command before Ex
command.
The PLG
command, unlike inv
and ret
commands, doesn't look at the registry for saved assembly. The plugin's binary is sent with the command’s message.
The message format is <msg_length>\0PLG|'|'|<GZipCompress(<Assembly>)>
.
The malware saves the plugin class entry point (also named A
) and sets the following members:
h
- holds the C&C URLp
- holds the portc
- holds a reference to the currentTcpClient
being used
Those members indicate that the plugin supports network communication with the C&C server.
In addition to the members, the plugin must contain two functions:
ind
- executed when the attacker sendsEx
commandclear
- executed when the C&C server is down
up
This command will update the malware executable.
Similar to rn
command, the malware downloads or decompresses a new executable into a temporary file. However, this time the new file extension is .exe
and after the malware initiates the payload, it uninstall itself.
The client signals the C&C server whether the update succeeded or not.
The malware uninstalls itself by removing the firewall rule and registry keys created at the initialization phase.
Conclusions
In this blog post we went through the different functionalities of njRAT malware. We saw that although it has many functionalities that doesn’t resemble a devastating piece of malware, we must take seriously the other, more capable, functionalities, since those can expend the impact on the infected system greatly.