Gridinsoft Logo

njRAT Malware (Remote Access Trojan) Analysis

njRAT is a prolific remote-access trojan with diverse capabilities, that includes classic RAT abilities, dropper and spyware functionality

You may be interested in taking a look at our other antivirus tools:
Trojan Killer, and Online Virus Scanner.

njRAT Malware (Remote Access Trojan) Analysis by Gridinsoft

njRAT Malware

September 17, 2024

In the malware world, being an old-timer is not a disadvantage. Being able to keep up for years in such a variable environment says a lot about the flexibility of the threat and the foresight of its developers. njRAT keeps stomping the world for over a decade – and is not likely to stop.

njRAT is a remote-access trojan active since 2012. Despite its age, it remains among top-10 most widespread threats (exactly, #8) and keeps getting updates, which adjust its capabilities to modern trends. It is best known for its spreading campaigns that aimed at users of popular messengers and social media, like Facebook or Discord. Additionally, it can perform self-spreading by infecting USB drives plugged in an infected computer.

njRAT Activity Over the Last 2 Month

Key functionality of njRAT touches, obviously, providing remote access. The malware is able to execute remote shell commands, upload and download files, capture screenshots and keystrokes, and even access the camera/microphone. There are also some stealer-like functionality – njRAT can grab credentials from web browsers and desktop cryptocurrency apps.

Throughout its long activity history, njRAT was associated with a whole lineup of different threat actors. For instance, it was in a particular favuor of Middle Eastern and Asian threat actors – particularly APT41 (China) and APT36 (Pakistan). Though, this appears to be one of the reasons for njRAT’s long life. Another RAT known as PlugX was used by the same APT41 and TA459, and remains active to these days despite its first activity detected in 2008.

Aside from its “born” name, njRAT is also known as Bladabindi – the name of Microsoft Defender’s detection assigned to this malware family. Usually, Microsoft uses specific names to denote detections of malware that belong to widespread families – Trojan:Win32/QakBot for QakBot, Backdoor:Win32/Smokeloader for Smokeloader, and the like. But njRAT appears to be an exclusion, and nowadays, its original name is used interchangeably with Bladabindi.

Versions of njRAT

The lifespan of more than decade obviously gave birth to a number of variants of this malware. Their versioning system is rather odd, so don’t seek any logic in version numbers. In 2023, there are four njRAT variants circulating in the wild:

  • njRAT Lime Edition
  • njRAT 0.7d Golden Edition
  • njRAT 0.7d Green Edition
  • njRAT 0.7d Golden Edition

The difference in functionality is unremarkable, while builder and the C2 panel interface is the main place where these variants differ. They range from minimalistic to ASCII-styled and even one with a weird dragon painting.

njRAT 0.7d Golden Edition
Interface of njRAT 0.7d Golden Edition, with such a fancy dragon art

njRAT Spreading Mechanisms

Throughout its long history, njRAT was opting for quite common spreading strategies – email spam or injection with the help of loaders. Email spam has been reigning as a spreading method for the vast majority of malware types for almost 5 years. Even after the introduction of restrictions to the most popular injection vectors, the method is easily adjusted and keeps running.

More modern methods include fake software installers that are spread on websites that copy genuine downloading pages for this software. Such forged pages are commonly promoted via search result ads hijacking. As promoted pages appear on top of search results, users often click on them and treat them as legitimate. Usually, such pages and ads exist for a short period of time – until the flow of reports to the hosting and search engine, though it is still enough to infect hundreds of users.

However, some original tactics emerge time-to-time – for instance, in 2016 this malware targeted Discord users with a sophisticated spam campaign. Hackers were gaining trust of users of a channel, to then send them a link to malware downloading or even an exact file – under the guise of a legit app. Alternative attack vectors included spam on social media from hijacked accounts. Sure, such methods require much more effort, but their effectiveness is worth it.

Analysis of njRAT/Bladabindi

When it comes to the analysis of njRAT, things are getting slightly different from what we used to see in other malware types and families. Malware comes with its own builder, a software that allows to configure the payload to the needs of a particular case. Hackers can choose from and change the following categories:

  • Name of the malware’s .exe file
  • Registry startup key creation
  • Startup instance creation
  • Directory of the malware in the target system
  • Host IP-address and a network port
  • Victim name
  • Peak size of malware logs
  • Icon of the malware file
  • Process protection
njRAT builder interface
njRAT builder and custom settings it allows to apply to each sample

Such a thin setup allows njRAT to circumvent most of the static checks from antivirus programs. However, it is not enough to evade runtime analysis, i.e. heuristic detection systems. For this case, the malware uses multiple .NET obfuscators (malware itself is based on .NET as well). This makes the code particularly hard to analyse and understand to both humans and machines.

Upon execution, the malware follows the instructions that were built in during the setup in the builder. If specified, njRAT creates its instance in the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp. Registry manipulations consist of creating the key with a weird name “[kl]” in a HKEY_CURRENT_USER\Software\32 hive with the value of a random set of chars and digits.

Registry entry njRAT
Registry entry created by the malware during installation

When the “installation” part is sorted out, alware pings the command server, and a new connection appears on the panel. From that moment, the malware master can choose from a wide range of actions to do with the infected machine.

Functionality Overview

As we mentioned in the introduction, njRAT offers a classic set of functionality for remote-access trojans, with some other “pleasant” features. Let’s review them one by one.

The first functionality seen on the C2 panel is the list of system properties. With the initial ping package, malware sends the PC name, IP address of the target system and ping, OS, country, and status. Click on the listed system opens the list of other actions:

Function NameDescription
ManagerFile management functionality, allows to download and upload files to the infected system
Run fileExecuting the file (most probably the one uploaded with the Manager function)
Remote DesktopInitiates a remote connection to the infected computer via RDP
Remote CamTurns on the camera (if one is present)
MicrophoneTurns on the microphone (if one is present)
Get PasswordsSteals passwords from desktop apps
KeyloggerEnables logging the keystrokes (log is written to a .txt file)
Open ChatOpens a chat window with the infected PC. Possibly, the function is added for debug purposes
ServerAllows to manage the status of a bot, including commands that remove it from the system.
Open FolderAllows to remotely open the folder on the infected machine and view its contents
Panel connection
Connection on the C2 panel and a list of actions available for one

Among unlisted, but definitely present functions of njRAT are taking screenshots of the infected system's main screen and specific windows. This, however, may be less useful when there is the ability to create a remote connection that grants control over the computer.

We also want to disclose the Get Passwords function with more details. Obviously, it was not an initial function of this malware and was added with the progression of other malware functionality. njRAT is capable of extracting cookies from Chrome and Chromium-based browsers, along with Bitcoin wallets. Unlike more modern malware families, this threat probably isn't trying to be all-in-one – a remote-access trojan, a dropper and a stealer.

How to protect against njRAT malware?

Since njRAT mostly shares spreading ways with other malware, methods of preventive counteration are the same. Raising awareness of the most popular patterns in email spam among your personnel is essential – this trick alone can drastically reduce the chance of a successful phishing attack.

Other attack vectors, that rely on spear phishing, are less common and generally aim at home users. There, it can be much harder to distinguish fraud among genuine users and their posts. That is actually the reason why you can see advice to distrust any files from chats and social media: you can rarely be sure about the person who sent it. Checking such files on online scanners like GridinSoft Free Online Virus Checker is essential.

Another protection vector mostly consists of different shades of anti-malware and antivirus protection. Malware protection solutions serve as a keeper for the cases when a malicious file manages to get into your system. A well-designed anti-malware program with advanced heuristic and ML-based protection systems will easily detect and stop threats like njRAT. GridinSoft Anti-Malware is one with such features – try it out.

njRAT Malware IoC 2024

Trojan.U.NjRat.bot52c33068b9931fdc17faba5a22551145953a49cc9937b22ff5996d64418c2615
Trojan.U.NjRat.tr4b649c32035e383706673ffe6471d6c711989a206d6f96fdd905dda207a5f0cb
Trojan.Win32.NjRat.trd094b3e64b1ac779565c1819f7f1b4041b5fa901e74f0cad9d3d376c506635d9
Trojan.Win32.NjRat.trb6f177cdd38d20ad341656b85076bc4015369bd9c97753665c014ebc1e5fd4c8
Trojan.U.NjRat.tr573517808e7bced615e39c8ac70f92caf2f53d65dd12b999136acc75df5d9cff
Trojan.U.NjRat.tre1d170aa719cec71092fefffafd33e593768d64a97809be04b5d2e4d929a7149
Trojan.U.NjRat.tr4988a289f54d24bfda81496035c207a93c7adf9fde6467a7c051cba48c3aa7a7
Trojan.U.NjRat.tr7362cf4593a0e185dbee7b1f418fd676729eeaeedc0d4dd7b9fe4dfb4ce612a4
Trojan.U.NjRat.trbb264c4652b06d8abd7be847c6abb9290258c91c1c2f1006ea98a2f7255fc10d
Trojan.U.NjRat.tr01524f73a3fcfa4262b69890da6efa96965c56654b080c8be17918dfff36790d