NjRAT
{{Short description|Remote access tool}}
{{lowercase title}}
njRAT, also known as Bladabindi,{{cite web|title=MSIL/Bladabindi|url=https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=MSIL/Bladabindi|website=www.microsoft.com|publisher=Microsoft|accessdate=5 June 2017}} is a remote access trojan (RAT) with a graphical user interface that lets whoever operates it control the infected end-user's computer. It was first identified in June 2013, with some variants traced back to November 2012. It was created by a hacking group called M38dHhM, whose members came from several countries, and it has often been used against targets in the Middle East. It spreads through phishing and infected drives.
Many versions of the trojan exist; the best known is njRAT Green Edition.
{{Infobox software
|name = NjRAT
|developer = M38dHhM
|latest release version = 0.7d
| discontinued = yes
|operating system = Microsoft Windows
|programming language = Visual Basic .NET
|genre = Remote Administration Tool (RAT)}}
About the program and its whereabouts
A surge of njRAT attacks was reported in India in July 2014.{{cite web|title=Hacking virus 'Bladabindi' targets Windows users in India, steals personal info: Cert-In - Tech2|url=http://tech.firstpost.com/news-analysis/hacking-virus-bladabindi-targets-windows-users-in-india-steals-personal-info-cert-in-227963.html|website=Tech2|accessdate=5 June 2017|date=27 July 2014}} In an attempt to cripple njRAT, Microsoft took four million websites offline in 2014 while trying to filter the malware's traffic passing through no-ip.com domains.{{cite web|last1=Krebs|first1=Brian|title=Microsoft Darkens 4MM Sites in Malware Fight — Krebs on Security|url=https://krebsonsecurity.com/2014/07/microsoft-darkens-4mm-sites-in-malware-fight/#more-26708|website=krebsonsecurity.com|accessdate=5 June 2017}}
In March 2016, Softpedia reported that spam campaigns spreading remote access trojans such as njRAT were targeting Discord.{{cite web|last1=Cimpanu|first1=Catalin|title=VoIP Gaming Servers Abused to Spread Remote Access Trojans (RATs)|url=http://news.softpedia.com/news/gaming-voip-servers-abused-to-spread-remote-access-trojans-rats-509496.shtml|website=Softpedia|accessdate=5 June 2017}} In October 2020, Softpedia also reported a cracked VMware download that fetched njRAT from Pastebin; terminating the trojan's process caused the computer to crash.{{cite web|last1=Cimpanu|first1=Catalin|title=RAT Hosted on PasteBin Leads to BSOD|url=http://news.softpedia.com/news/rat-hosted-on-pastebin-leads-to-bsod-509803.shtml|website=Softpedia|accessdate=5 June 2017}}
An Islamic State website was hacked in March 2017 to display a fake Adobe Flash Player update download, which instead downloaded the njRAT trojan.{{cite web|last1=Cox|first1=Joseph|title=Hackers Hit Islamic State Site, Use It to Spread Malware|url=https://www.vice.com/en/article/hackers-islamic-state-malware/|website=Motherboard|access-date=5 June 2017}}
In January 2023, a wave of Trojan infections was observed in the Middle East. The attackers distributed .cab archives that supposedly contained political conversations; when opened, they launched a .vbs script that downloaded malware from cloud storage.{{cite web|title=Trojan NjRAT "walks" in the Middle East and North Africa - Security Lab|url=https://www.securitylab.ru/news/535849.php|website=Security Labs|accessdate=5 June 2017}}
Architecture
NjRAT, like many remote access trojans, uses a reverse connection (a "reverse backdoor"): the infected machine, which runs the client component, connects outward to a listening port on the attacker's machine, which runs the server component, so only the attacker's side needs an open port. Once the attacker builds the client payload and it is run on a victim, the server receives the client's connection request. After the connection is established, the attacker controls the victim's computer by issuing commands through the server, which the client component executes.
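Because the infected host initiates the connection, the defender's best vantage point is egress traffic: a compromised machine reconnects to the same destination on the same port at a regular cadence, and njRAT operators have historically relied on dynamic DNS (the no-ip.com domains mentioned above). The following is an added example, not code from the original article or from any njRAT analysis, that scores flows in a constructed connection log for exactly those two traits. The log format, the host names, the port number and the short list of dynamic-DNS suffixes are all assumptions chosen for illustration; a real deployment would feed it firewall or proxy logs and its own suffix list.

```python
"""Flag reverse-connection beaconing in egress connection logs (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress log (not real traffic): time, source host, destination, port.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z ws-17 updates.example.com 443
2024-05-01T10:00:05Z ws-17 host1234.no-ip.org 5050
2024-05-01T10:00:35Z ws-17 host1234.no-ip.org 5050
2024-05-01T10:01:05Z ws-17 host1234.no-ip.org 5050
2024-05-01T10:01:35Z ws-17 host1234.no-ip.org 5050
2024-05-01T10:01:40Z ws-22 mail.example.com 993
2024-05-01T10:07:10Z ws-22 mail.example.com 993
2024-05-01T10:09:00Z ws-22 cdn.example.com 443
"""

# Assumed dynamic-DNS suffixes to treat as suspicious; extend this for your environment.
DYNDNS_SUFFIXES = ("no-ip.org", "no-ip.biz", "ddns.net")

MIN_CONNECTIONS = 4   # fewer than this cannot establish a cadence
MAX_JITTER = 0.2      # stdev/mean of inter-connection gaps; low value = regular beacon


def parse_log(text):
    """Yield (timestamp, src, dst, port) tuples from the whitespace-separated log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst.lower(), int(port)


def is_dyndns(host):
    """True if the destination is a dynamic-DNS name (exact match or subdomain)."""
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)


def find_beacons(text):
    """Return findings for (src, dst, port) flows that look like periodic reverse connections."""
    flows = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        flows[(src, dst, port)].append(ts)

    findings = []
    for (src, dst, port), stamps in flows.items():
        stamps.sort()
        reasons = []
        if is_dyndns(dst):
            reasons.append("dynamic-dns destination")
        if len(stamps) >= MIN_CONNECTIONS:
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            avg = mean(gaps)
            # A near-constant gap between connections is the signature of a beacon.
            if avg > 0 and pstdev(gaps) / avg <= MAX_JITTER:
                reasons.append(f"regular {avg:.0f}s cadence over {len(stamps)} connections")
        if reasons:
            findings.append({"src": src, "dst": dst, "port": port, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}:{f['port']}: " + "; ".join(f["reasons"]))
```

On the constructed log only the ws-17 flow is reported, on both grounds; the two mail connections from ws-22 are too few to establish a cadence and go to an ordinary domain. The jitter threshold is the knob that matters in practice: real beacons often add randomised sleep, so widen `MAX_JITTER` and raise `MIN_CONNECTIONS` together rather than one alone.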
Detections
Common antivirus detection names for NjRAT include:
- W32.Backdoor.Bladabindi
- Backdoor.MSIL.Bladabindi
- Backdoor/Win.NjRat.R512373
The standard version of the trojan uses no encryption, which is why antivirus software detects it easily. An attacker can, however, encrypt the binary manually so that popular antivirus products no longer detect it.