njRAT — Malware Analysis

njRAT (a.k.a Bladabindi) is a .NET Framework assembly used as Remote Access Tool which allows remote attacker to control an infected system. njRAT is one of the most widely spread malware out there and the reason for that, according to ANY.RUN, is:

Because of its availability, excess of online tutorials, and a robust core feature set along with several implemented evading techniques made njRAT one of the most widely used RATs in the world.

As you’ll see in this article, njRAT offers a wide range of capabilities, some of them resemble more traditional RATs like executing commands, take screenshots and downloading additional malicious payloads. While other capabilities may look like something you’ll write to troll your class mate 😅 such as, Open the CD trey, swap between the mouse buttons and disable user input.

So without further ado, let’s start with the analysis 🐱‍🏍

Initialization

The malware starts by creating a new Mutex used for preventing multiple infection on the same system.

Then, it copies itself to the TEMP directory under the name svchost.exe and continues its execution as %TEMP%\svchost.exe . This allows the malware to evade detections based on process name since svchost.exe as known, benign processes.

Keep in mind, the real svchost.exe process must be created under C:\Windows\System32 by services.exe system process.

After starting as svchost.exe the malware adds new firewall rule to allow future communication and persist itself on the infected system.

The malware adds new firewall rule and choose persistent method

The persistence method is chosen according to the malware’s configuration (decided before the executable is built). The options are:

1. Add itself under HKCU\Software\Microsoft\Windows\CurrentVersion\Run autorun registry key
2. Copy itself to the startup folder as an hidden file

The malware also support USB infection by copying itself as an hidden file to the drive and creating autorun.inf file which will automatically executes the malware upon connection.

Malware USB infection

Execution Workers

Once initialized, the malware sets three main workers:

• A command listener which listens and executes new commands from the C&C server
• A keylogger which logs keystrokes made by the user
• A self protector which monitors the system’s running processes and check for suspicious analysis tools

Malware’s main execution flow

Keylogger

The keylogger loops over the keys and uses User32.dll!GetAsyncKeyState to check if the key has been pressed or not.

In order to prevent overflow of the Logs parameter (which holds the user keystrokes) it writes it in the registry under HKCU\Software\<Mutex_Name>\[kl].

Once a keystroke found, the keylogger fixes its representation to a string and writes the time, process name, and window name if the window has changed.

Keylogger function

The thread runs in an infinite loop with an interval of 1 ms.

Self Protector

The self protector (in this specific sample) searches for the following processes:

• taskmgr.exe
• processviewer.exe
• processhacker.exe
• Or window name, process explorer

Self protector function

Once found, the malware disables process termination UI buttons in those applications which protects itself from being shutdown from the UI.

Disabled End Process button

Note that different applications can be monitored according to the attacker’s choice before building the client executable.

C&C Communication

The fact that this malware is a RAT means that it depends heavily on internet connect, and indeed, that’s the first thing the thread tries to do — connect to its C&C server.

Once connection is established, the malware sends registration message to the server which contains the following data:

• Command code — ‘ll’
• Base64(“HacKed_VolumeSerial”)
• Computer name
• User name
• Current date
• OS full name and service pack
• Architecture
• Is there a camera?
• The malware version (“im523”)
• Base64(WindowName)
• Registry values under HKCU\Software\<Mutex_Name>\

The messages format definition is:

msg_format = <msg_length>\0 + <command> + <delimiter> + <arg1> [+ <delimiter> + <arg2> + <delimiter> + <arg3> + …] 
<delimiter> = |’|’|

New client registration message

Next, the malware waits for new commands from the attacker.

Basic Commands

The malware supports wide range of commands, the majority of them are self-explanatory and listed here. In the next section we’ll take a look at more complex commands.

Executing Additional Payloads

What common to all of the following commands is that they’re extending the functionality of the malware by downloading/loading additional malicious payloads.

rn

The attacker sends the following data:

• File extension
• URL
• GZip compressed executable

With that, the malware downloads the file from the given URL or decompresses the given executable into a new temporary file (using Path.GetTempFileName) with the given file extension.

After the new file is created, the malware executes it.

inv

njRAT has an extension plugins support, this command allow’s execution of such plugins.

The attacker sends:

• A registry path
• An argument used by the plugin
• GZip compressed .NET Assembly

The registry key holds the plugin binary, if a plugin already saved, the malware will execute it. If not, the malware will continue to parse the message and get the compressed plugin.

The plugin must contain a class named A which serves as an execution entry point. The class contains the following members:

• h - which holds the C&C URL
• p - which holds the port
• osk - which holds the argument sent by the attacker

After setting the class members, the malware calls the plugin’s function, start.

ret

Similar to inv command, this function executes a malicious assembly located at a given registry key or compressed inside the attacker’s message.

An example for ret command

Note that, 0x1f8b is GZip’s magic number

Again, the assembly is compressed using GZip and saved under the registry key chose by the attacker if not found. In addition, the assembly must have class named A for execution entry point.

However, this time the malware only reads a member of the class named GT. This member contains the output of the malicious activity Base64 encoded.

In this sample, the extended functionality is a password stealer and GT contains the stolen credentials.

ret command functionality

As we can see, the value of GT sent back to the attacker.

Ex and PLG

Ex will execute the plugin installed by PLG which means, the attacker will send PLG command before Ex command.

The PLG command, unlike inv and ret commands, doesn't look at the registry for saved assembly. The plugin's binary is sent with the command’s message.

The message format is <msg_length>\0PLG|'|'|<GZipCompress(<Assembly>)>.

The malware saves the plugin class entry point (also named A) and sets the following members:

• h - holds the C&C URL
• p - holds the port
• c - holds a reference to the current TcpClient being used

Those members indicate that the plugin supports network communication with the C&C server.

In addition to the members, the plugin must contain two functions:

1. ind - executed when the attacker sends Ex command
2. clear - executed when the C&C server is down

clear function call

up

This command will update the malware executable.

Malware update mechanism

Similar to rn command, the malware downloads or decompresses a new executable into a temporary file. However, this time the new file extension is .exe and after the malware initiates the payload, it uninstall itself.

IL_1582 brench

The client signals the C&C server whether the update succeeded or not.

The malware uninstalls itself by removing the firewall rule and registry keys created at the initialization phase.

Conclusions

In this blog post we went through the different functionalities of njRAT malware. We saw that although it has many functionalities that doesn’t resemble a devastating piece of malware, we must take seriously the other, more capable, functionalities, since those can expend the impact on the infected system greatly.