njRAT

Associated Software Descriptions

| Name | Description |
|---|---|
| LV | (Citation: Fidelis njRAT June 2013) |
| Bladabindi | (Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018) |
| Njw0rm | Some sources have discussed Njw0rm as a later variant of njRAT, where Njw0rm adds the ability to spread via removable devices such as USB drives.(Citation: FireEye Njw0rm Aug 2013) Other sources contain that functionality in their description of njRAT itself.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018) |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | njRAT has used HTTP for C2 communications.(Citation: Trend Micro njRAT 2018) |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | njRAT has added persistence via the Registry key |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | njRAT has executed PowerShell commands via auto-run registry key persistence.(Citation: Trend Micro njRAT 2018) |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | njRAT can launch a command shell interface for executing commands.(Citation: Fidelis njRAT June 2013) |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | njRAT has a module that steals passwords saved in victim web browsers.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)(Citation: Citizen Lab Group5) |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | njRAT uses Base64 encoding for C2 traffic.(Citation: Fidelis njRAT June 2013) |
| Enterprise | T1568.001 | Dynamic Resolution: Fast Flux DNS | njRAT has used fast flux DNS for C2 IP resolution.(Citation: Trend Micro njRAT 2018) |
| Enterprise | T1562.004 | Impair Defenses: Disable or Modify System Firewall | njRAT has modified the Windows firewall to allow itself to communicate through the firewall.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018) |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | njRAT is capable of deleting files.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018) |
| Enterprise | T1070.009 | Indicator Removal: Clear Persistence | njRAT is capable of manipulating and deleting registry keys, including those used for persistence.(Citation: Trend Micro njRAT 2018) |
| Enterprise | T1056.001 | Input Capture: Keylogging | njRAT is capable of logging keystrokes.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)(Citation: Citizen Lab Group5) |
| Enterprise | T1027.004 | Obfuscated Files or Information: Compile After Delivery | njRAT has used AutoIt to compile the payload and main script into a single executable after delivery.(Citation: Trend Micro njRAT 2018) |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | njRAT has included a Base64-encoded executable.(Citation: Trend Micro njRAT 2018) |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | njRAT has a module for performing remote desktop access.(Citation: Fidelis njRAT June 2013) |
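The Run-key persistence (T1547.001), PowerShell-from-autorun (T1059.001) and Base64-encoded executable (T1027.013) rows above describe behaviour an analyst can triage directly from an export of a Run key. The script below is an added example written for this page; it is not part of the ATT&CK entry or of any cited report. The Run-key entries it scans are constructed, the rule names (`powershell-in-run-key`, `encoded-command`, `user-writable-path`, `base64-pe-payload`) are this example's own labels, and the script decodes `-EncodedCommand` arguments the way PowerShell defines them (Base64 over UTF-16LE) so the reviewer sees what the key actually launches.

```python
"""Added example for the njRAT persistence rows (T1547.001, T1059.001, T1027.013).
Not from the ATT&CK page or any cited report. Triage Registry Run-key values:
flag PowerShell launched from the key, decode -EncodedCommand payloads, and spot
Base64 runs that decode to a PE (DOS 'MZ' header). All sample values are constructed."""
import base64
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

POWERSHELL = re.compile(r"(?i)\bpowershell(?:\.exe)?\b")
# -e / -en / -enc / -encodedcommand followed by its Base64 argument
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# any long Base64-looking run: candidate for an embedded executable
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# paths a non-admin user can write to; assumed list for this example
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


@dataclass
class Finding:
    value_name: str
    reasons: List[str] = field(default_factory=list)  # rule labels defined by this example
    decoded_command: Optional[str] = None
    embedded_pe: bool = False


def decode_encoded_command(blob: str) -> Optional[str]:
    """PowerShell -EncodedCommand is Base64 over UTF-16LE text; None if it is not."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def looks_like_pe(blob: str) -> bool:
    """True when a Base64 run decodes to bytes starting with the DOS 'MZ' header."""
    try:
        return base64.b64decode(blob, validate=True)[:2] == b"MZ"
    except ValueError:
        return False


def triage_run_key(entries: Dict[str, str]) -> List[Finding]:
    """Return one Finding per Run-key value that trips at least one rule."""
    findings = []
    for name, cmd in entries.items():
        f = Finding(name)
        if POWERSHELL.search(cmd):
            f.reasons.append("powershell-in-run-key")
            m = ENC_FLAG.search(cmd)
            if m:
                f.reasons.append("encoded-command")
                f.decoded_command = decode_encoded_command(m.group(1))
        if any(p in cmd.lower() for p in USER_WRITABLE):
            f.reasons.append("user-writable-path")
        if any(looks_like_pe(b) for b in B64_BLOB.findall(cmd)):
            f.embedded_pe = True
            f.reasons.append("base64-pe-payload")
        if f.reasons:
            findings.append(f)
    return findings


def _ps_encode(text: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects (UTF-16LE, Base64)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed Run-key export (value name -> command line); not real njRAT artefacts.
SAMPLE_RUN_KEY = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "WindowsUpdater": "powershell.exe -nop -w hidden -enc "
                      + _ps_encode(r"IEX (Get-Content $env:APPDATA\svc.txt -Raw)"),
    "Loader": r"C:\Users\Public\ld.exe "
              + base64.b64encode(b"MZ" + b"\x90" * 60).decode("ascii"),
}

if __name__ == "__main__":
    for f in triage_run_key(SAMPLE_RUN_KEY):
        print(f.value_name, f.reasons, f.decoded_command or "")
```

Run against a real export, `triage_run_key` takes whatever mapping of value name to command your collection tool produces; the benign `OneDrive` entry is there to show that an ordinary autorun produces no finding, while the decoded command for `WindowsUpdater` is what should be compared against the script files the Fidelis and Trend Micro reports describe.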
Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0134 | Transparent Tribe | (Citation: Proofpoint Operation Transparent Tribe March 2016) |
| G0043 | Group5 | (Citation: Citizen Lab Group5)(Citation: ESET Operation Spalax Jan 2021) |
| G0143 | Aquatic Panda | (Citation: CrowdStrike AQUATIC PANDA December 2021) |
| G0096 | APT41 | (Citation: FireEye APT41 Aug 2019) |
| G0140 | LazyScripter | (Citation: MalwareBytes LazyScripter Feb 2021) |
| G0078 | Gorgon Group | (Citation: Unit 42 Gorgon Group Aug 2018) |
| G1018 | TA2541 | (Citation: Proofpoint TA2541 February 2022)(Citation: Cisco Operation Layover September 2021) |
References

- Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
- Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
- Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.
- Dawda, U. and Villeneuve, N. (2013, August 30). Njw0rm - Brother From the Same Mother. Retrieved June 4, 2019.
- Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
- Porolli, M. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022.
- Wiley, B., et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.
- Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
- Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
- Falcone, R., et al. (2018, August 2). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
- Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023.
- Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023.