Infamous njRAT is Coming Back to Life - PhishMe

Techweekeurope.co.uk published a report on 20th March, 2015 quoting a warning by Ronnie Tokazowski, Security Speciality of security firm PhishMe as "Remote Access Trojan (RAT) 'NJRat' which seems to be silent since April 2014 is coming back to life."

Tokazowski examined some recent messages and found the evidence of the malware by detecting it in those messages and consequently issued warning about it. He also found that the executable element had been compiled with .NET 4.0.

He warned: "This is worth mentioning as most of the malware is written in C/C++ and the biggest advantage for the malware to be written in .NET is that it becomes very difficult to be decoded and seen with its activity..NET code can be decompiled back to the original code (not 100% but closer to that) whereas techniques of regular anaylysis can throw off analysis because the code is different. This is the reason for relying on dynamic analysis or double-clicking the file to analyse .NET analysis."

So what kind of malice does NJRat contain?

The RAT allows attackers to gain complete control of the infected device. The malware can log keystrokes, download and execute files, provide access to desktop remotely, steal credentials of application and can also access the infected computer's webcam and microphone.

Interestingly, security firm Zscaler is also saying that Trojan 'NJRat' is gradually making a comeback.

In 2014, when Microsoft targeted njRAT, the company grabbed almost two dozen domains of dynamic DNS provider No-IP. At that time Microsoft argued that No-IP domains had been used for 93% time for njRAT and NJw0rm infections. However, the DNS company criticized Microsoft for the way it handled the operation because the decision to grab the domains without any warning which affected many genuine customers.

PhishMe and Zscaler now report that No-IP services are still being harmed by operators of njRAT. Zscaler has discovered that more than 20 dynamic DNS services harmed by authors of malware for command and control (C&C) communications.

Zscaler has also observed an increase in H-Worm infections. H-Worm which is a RAT based on VBScript was analyzed by FireEye in September 2013 when it had been used while targeting attacks aimed at the international energy industry.

» SPAMfighter News - 4/2/2015