njRAT

njRAT is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.(Citation: Fidelis njRAT June 2013)
ID: S0385
Associated Software: LV Bladabindi Njw0rm
Type: MALWARE
Platforms: Windows
Version: 1.6
Created: 04 Jun 2019
Last Modified: 11 Apr 2024

Associated Software Descriptions

Name Description
LV (Citation: Fidelis njRAT June 2013)
Bladabindi (Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)
Njw0rm Some sources have discussed Njw0rm as a later variant of njRAT, where Njw0rm adds the ability to spread via removable devices such as USB drives.(Citation: FireEye Njw0rm Aug 2013) Other sources include that functionality in their description of njRAT itself.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

njRAT has used HTTP for C2 communications.(Citation: Trend Micro njRAT 2018)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

njRAT has added persistence via the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ and dropped a shortcut in %STARTUP%.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

njRAT has executed PowerShell commands via auto-run registry key persistence.(Citation: Trend Micro njRAT 2018)
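The two autostart behaviours above (a Run-key value and a Startup-folder shortcut, with the Run value sometimes launching PowerShell) are what endpoint telemetry sees first. The following is an added example, not njRAT code and not from MITRE or the cited reports: a triage routine over constructed registry-set and file-create events. The "key=value" line format, the SIDs, paths and the encoded PowerShell blob are all constructed stand-ins for Sysmon-style events (EID 13 RegistrySet, EID 11 FileCreate), not real Sysmon output.

```python
# Added example (not njRAT code, and not from MITRE or the cited reports): triage
# of constructed registry-set and file-create events for Run-key and Startup-folder
# persistence. The "key=value" event line format is a constructed simplification of
# Sysmon-style telemetry, not real Sysmon output.
import re

TOKEN_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
STARTUP_LNK_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
# User-writable locations: a vendor installer rarely autostarts from here, a RAT usually does.
USER_WRITABLE_RE = re.compile(r"\\(?:Temp|AppData\\(?:Local|Roaming)|Users\\Public|ProgramData)\\", re.I)
# PowerShell switches that hide the window or carry an encoded script.
PS_EVASIVE_RE = re.compile(r"-(?:enc|encodedcommand|nop|noprofile|w(?:indowstyle)?\s+hidden)\b", re.I)

def parse_event(line):
    """Parse a constructed 'key=value key="quoted value"' event line into a dict."""
    return {k: q if q else u for k, q, u in TOKEN_RE.findall(line)}

def triage(line):
    """Return the list of persistence findings for one event line (empty if nothing matched)."""
    ev = parse_event(line)
    findings = []
    if ev.get("event") == "RegistrySet" and RUN_KEY_RE.search(ev.get("target", "")):
        value = ev.get("details", "")
        findings.append("run_key_autostart")
        if USER_WRITABLE_RE.search(value):
            findings.append("autostart_from_user_writable_path")
        if re.search(r"\bpowershell(?:\.exe)?\b", value, re.I):
            findings.append("powershell_in_run_value")
            if PS_EVASIVE_RE.search(value):
                findings.append("powershell_evasive_flags")
    elif ev.get("event") == "FileCreate" and STARTUP_LNK_RE.search(ev.get("target", "")):
        findings.append("startup_folder_shortcut")
    return findings

def scan(lines):
    """Return [(line_index, findings)] for every event that produced at least one finding."""
    return [(i, f) for i, f in ((i, triage(l)) for i, l in enumerate(lines)) if f]

# Constructed sample events (SIDs, hostnames, paths and the encoded blob are made up).
SAMPLE_EVENTS = [
    r'event=RegistrySet target="HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f2a" details="C:\Users\alice\AppData\Roaming\server.exe"',
    r'event=RegistrySet target="HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater" details="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"',
    r'event=FileCreate target="C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\server.lnk"',
    r'event=RegistrySet target="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray" details="C:\Program Files\Vendor\tray.exe"',
    r'event=RegistrySet target="HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden" details="DWORD (0x00000001)"',
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS):
        print(idx, findings)
```

The value written to the Run key is the useful field: a RAT's autostart points into %APPDATA% or %TEMP% rather than Program Files, and a Run value that invokes powershell.exe with -w hidden or -enc is worth an alert on its own, independent of the path.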

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

njRAT can launch a command shell interface for executing commands.(Citation: Fidelis njRAT June 2013)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

njRAT has a module that steals passwords saved in victim web browsers.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)(Citation: Citizen Lab Group5)

Enterprise T1132 .001 Data Encoding: Standard Encoding

njRAT uses Base64 encoding for C2 traffic.(Citation: Fidelis njRAT June 2013)

Enterprise T1568 .001 Dynamic Resolution: Fast Flux DNS

njRAT has used fast flux DNS for C2 IP resolution.(Citation: Trend Micro njRAT 2018)
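Fast flux shows up in resolver logs as one name whose answers churn across many addresses in unrelated networks with short TTLs. As an added example, not from the cited reports, the following scores constructed resolver-log records (timestamp, query name, answer IP, TTL) for that pattern. The thresholds are assumptions to be tuned against a real DNS baseline, and the spread across /16 prefixes stands in for ASN diversity because no ASN data is available offline; the domain names and addresses are constructed.

```python
# Added example, not from the page's sources: fast-flux scoring over constructed
# resolver-log records. Thresholds and the /16 proxy for ASN diversity are assumptions.
import ipaddress
import statistics
from collections import defaultdict

def score_fast_flux(records, min_ips=5, max_ttl=300, min_prefixes=3):
    """Group answers by name and flag names whose answers churn across many
    addresses in many network prefixes with short TTLs."""
    by_name = defaultdict(list)
    for _ts, qname, ip, ttl in records:
        by_name[qname.lower().rstrip(".")].append((ipaddress.ip_address(ip), int(ttl)))
    results = {}
    for name, answers in by_name.items():
        ips = {ip for ip, _ in answers}
        prefixes = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
        median_ttl = statistics.median(ttl for _, ttl in answers)
        results[name] = {
            "distinct_ips": len(ips),
            "distinct_prefixes": len(prefixes),
            "median_ttl": median_ttl,
            "fast_flux": len(ips) >= min_ips and len(prefixes) >= min_prefixes and median_ttl <= max_ttl,
        }
    return results

def _answers(name, ips, ttl, start=1_700_000_000, step=60):
    """Build constructed log records: one answer per minute for the given name."""
    return [(start + i * step, name, ip, ttl) for i, ip in enumerate(ips)]

# Constructed sample records using documentation address ranges.
SAMPLE_RECORDS = (
    # C2-like name: eight addresses across three /16s, 60-second TTL -> flagged
    _answers("alpha.example.net", ["192.0.2.11", "192.0.2.57", "198.51.100.8", "198.51.100.203",
                                   "203.0.113.4", "203.0.113.77", "192.0.2.140", "198.51.100.61"], 60)
    # CDN-like name: many addresses and a short TTL, but all in one /16 -> not flagged
    + _answers("static.example.com", ["203.0.113.10", "203.0.113.11", "203.0.113.12",
                                      "203.0.113.13", "203.0.113.14", "203.0.113.15"], 20)
    # ordinary name: two addresses, long TTL -> not flagged
    + _answers("www.example.org", ["192.0.2.1", "192.0.2.2", "192.0.2.1"], 3600)
)

if __name__ == "__main__":
    for name, r in score_fast_flux(SAMPLE_RECORDS).items():
        print(name, r)
```

The prefix-diversity condition is what keeps ordinary CDN rotation (many addresses, short TTL, one operator's network) out of the alert; in production, replace the /16 proxy with an ASN lookup and add a time window so a name is judged on its recent answers only.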

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

njRAT has modified the Windows firewall to allow itself to communicate through the firewall.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)
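A RAT that opens the host firewall for itself does so with a command line, which is the record a detection can key on. The following is an added example, not njRAT's code and not taken from the cited reports: a parser for process-creation command lines that add a Windows Firewall allow rule. It handles both the legacy "netsh firewall add allowedprogram" form and the "netsh advfirewall firewall add rule" form; the page does not state which syntax njRAT uses, so covering both is an assumption, and the sample command lines, paths and parent images are constructed.

```python
# Added example, not njRAT's code or anything from the cited reports: parse
# process-creation command lines that add a Windows Firewall allow rule and
# flag the suspicious ones. Both netsh syntaxes are covered as an assumption.
import re

# Tokenizer: runs of non-space characters, with double-quoted spans kept inside one token.
CMD_TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')
USER_WRITABLE_RE = re.compile(r"\\(?:Temp|AppData\\(?:Local|Roaming)|Users\\Public|ProgramData)\\", re.I)

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_firewall_allow(cmdline):
    """Return {'form', 'program', 'name'} if cmdline adds a firewall allow rule, else None."""
    argv = [t.replace('"', "") for t in CMD_TOKEN_RE.findall(cmdline)]
    # netsh may be wrapped, e.g. 'cmd.exe /c netsh ...': start parsing at the netsh token.
    for start, tok in enumerate(argv):
        if _basename(tok) in ("netsh", "netsh.exe"):
            break
    else:
        return None
    args = argv[start + 1:]
    words = [a.lower() for a in args]
    kv = {k.lower(): v for k, sep, v in (a.partition("=") for a in args) if sep}
    # Legacy: netsh firewall add allowedprogram [program=]<path> [name=]<name> [mode=]ENABLE
    if words[:3] == ["firewall", "add", "allowedprogram"]:
        positional = [a for a in args[3:] if "=" not in a]
        program = kv.get("program") or (positional[0] if positional else None)
        name = kv.get("name") or (positional[1] if len(positional) > 1 else "")
        mode = (kv.get("mode") or (positional[2] if len(positional) > 2 else "enable")).lower()
        if program and mode == "enable":
            return {"form": "legacy", "program": program, "name": name}
    # Current: netsh advfirewall firewall add rule name=... dir=in action=allow program=...
    if words[:4] == ["advfirewall", "firewall", "add", "rule"]:
        if kv.get("action", "").lower() == "allow" and kv.get("program"):
            return {"form": "advfirewall", "program": kv["program"], "name": kv.get("name", "")}
    return None

def assess(cmdline, parent_image=""):
    """Findings for one process-creation event: its command line plus the parent image path."""
    rule = parse_firewall_allow(cmdline)
    if rule is None:
        return []
    findings = ["firewall_allow_rule_added"]
    if USER_WRITABLE_RE.search(rule["program"]):
        findings.append("allowed_program_in_user_writable_path")
    if parent_image and rule["program"].lower() == parent_image.lower():
        findings.append("rule_allows_parent_process")  # the process is opening the firewall for itself
    return findings

# Constructed sample events: (command line, parent image). Paths and names are made up.
SAMPLE_PROCESS_EVENTS = [
    (r'netsh firewall add allowedprogram "C:\Users\alice\AppData\Roaming\server.exe" "server.exe" ENABLE',
     r"C:\Users\alice\AppData\Roaming\server.exe"),
    (r"C:\Windows\System32\cmd.exe /c netsh firewall add allowedprogram C:\Users\Public\svchost.exe svchost ENABLE",
     r"C:\Windows\System32\cmd.exe"),
    (r'netsh advfirewall firewall add rule name="Vendor Agent" dir=in action=allow program="C:\Program Files\Vendor\agent.exe"',
     r"C:\Program Files\Vendor\setup.exe"),
    (r'netsh advfirewall firewall add rule name="Block it" dir=in action=block program="C:\Tools\x.exe"',
     r"C:\Windows\System32\cmd.exe"),
    (r"netsh interface ip show config", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for cmd, parent in SAMPLE_PROCESS_EVENTS:
        print(assess(cmd, parent), "<-", cmd)
```

The strongest signal is the third finding: the allowed program path equals the image of the process that ran netsh, which is a program opening the firewall for itself rather than an installer configuring a product. Pair this with the registry-side view (firewall rules land under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy) so that a rule added through the COM API rather than netsh is not missed.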

Enterprise T1070 .004 Indicator Removal: File Deletion

njRAT is capable of deleting files.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)

Enterprise T1070 .009 Indicator Removal: Clear Persistence

njRAT is capable of manipulating and deleting registry keys, including those used for persistence.(Citation: Trend Micro njRAT 2018)

Enterprise T1056 .001 Input Capture: Keylogging

njRAT is capable of logging keystrokes.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)(Citation: Citizen Lab Group5)

Enterprise T1027 .004 Obfuscated Files or Information: Compile After Delivery

njRAT has used AutoIt to compile the payload and main script into a single executable after delivery.(Citation: Trend Micro njRAT 2018)

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

njRAT has included a base64-encoded executable.(Citation: Trend Micro njRAT 2018)
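Base64 appears twice in this entry: as the encoding of C2 traffic (T1132.001 above) and as the wrapper around a dropped executable. One scanner serves both. The following is an added example, not njRAT's code and not from the cited reports: it pulls base64 runs out of arbitrary bytes (a captured payload or a dropped script), decodes them and classifies the result, recognising an embedded PE by its DOS and PE headers. The C2 message framing, the script line and the minimal PE image are constructed and do not reproduce njRAT's real formats.

```python
# Added example, not njRAT's code or code from the cited reports: find base64 runs
# in bytes, decode them and classify the result. Samples below are constructed.
import base64
import binascii
import re
import struct

# At least 8 full base64 quartets, then optional padding.
B64_RUN_RE = re.compile(rb"(?:[A-Za-z0-9+/]{4}){8,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")
HEX_RE = re.compile(rb"[0-9A-Fa-f]+")

def find_base64_blobs(data, min_encoded_len=32):
    """Return [(offset, encoded, decoded)] for each decodable base64 run in data."""
    blobs = []
    for m in B64_RUN_RE.finditer(data):
        enc = m.group(0)
        if len(enc) < min_encoded_len or HEX_RE.fullmatch(enc):
            continue  # too short, or a hex digest that merely fits the base64 alphabet
        try:
            dec = base64.b64decode(enc, validate=True)
        except (binascii.Error, ValueError):
            continue
        blobs.append((m.start(), enc, dec))
    return blobs

def looks_like_pe(blob):
    """MZ header plus a PE signature at e_lfanew (the DWORD at offset 0x3C)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify(blob):
    """'pe_executable', 'text' (printable UTF-8) or 'binary'."""
    if looks_like_pe(blob):
        return "pe_executable"
    try:
        text = blob.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    return "text" if all(c.isprintable() or c in "\r\n\t" for c in text) else "binary"

def scan(data):
    """[(offset, classification)] for every base64 blob found in data."""
    return [(off, classify(dec)) for off, _enc, dec in find_base64_blobs(data)]

# Constructed minimal PE image: DOS header with e_lfanew = 0x80, PE signature, zero padding.
FAKE_PE = (b"MZ\x90\x00" + b"\x00" * (0x3C - 4) + struct.pack("<I", 0x80)
           + b"\x00" * (0x80 - 0x40) + b"PE\x00\x00" + b"\x00" * 64)
# Base64 of any PE starts with "TVqQ" (the encoded "MZ\x90\x00" stub): a cheap grep target.
ENCODED_PE = base64.b64encode(FAKE_PE)

# Constructed samples: a dropper-style script line, a delimited beacon, and a SHA-256 digest.
SAMPLE_SCRIPT = b'$p = "' + ENCODED_PE + b'"; # constructed dropper line'
SAMPLE_C2 = b"inf|" + base64.b64encode(b"DESKTOP-01\\alice|Windows 10|constructed beacon") + b"|0"
SAMPLE_SHA256 = b"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

if __name__ == "__main__":
    for label, sample in (("script", SAMPLE_SCRIPT), ("c2", SAMPLE_C2), ("digest", SAMPLE_SHA256)):
        print(label, scan(sample))
```

Two caveats a practitioner will hit: long hex strings (hashes, GUIDs without dashes) sit inside the base64 alphabet and decode to junk, hence the hex filter; and a run that is not preceded by a delimiter can be picked up at the wrong quartet boundary, so when the framing is known, split on it first and decode each field rather than scanning the raw stream.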

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

njRAT has a module for performing remote desktop access.(Citation: Fidelis njRAT June 2013)

Groups That Use This Software

ID Name References
G0134 Transparent Tribe

(Citation: Proofpoint Operation Transparent Tribe March 2016)

G0043 Group5

(Citation: Citizen Lab Group5)

(Citation: ESET Operation Spalax Jan 2021)

G0143 Aquatic Panda

(Citation: CrowdStrike AQUATIC PANDA December 2021)

G0096 APT41

(Citation: FireEye APT41 Aug 2019)

G0140 LazyScripter

(Citation: MalwareBytes LazyScripter Feb 2021)

G0078 Gorgon Group

(Citation: Unit 42 Gorgon Group Aug 2018)

G1018 TA2541

(Citation: Proofpoint TA2541 February 2022) (Citation: Cisco Operation Layover September 2021)

References

  1. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  2. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  3. Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.
  4. Dawda, U. and Villeneuve, N. (2013, August 30). Njw0rm - Brother From the Same Mother. Retrieved June 4, 2019.
  5. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  6. M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022.
  7. Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.
  8. Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
  9. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
  10. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  11. Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023.
  12. Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023.
