NjRAT
Remote access tool
From Wikipedia, the free encyclopedia
njRAT, also known as Bladabindi[1] and Ratnik, is a Remote Access Trojan (RAT) with user interface or trojan which allows the holder of the program to control the end-user's computer. It was first found in June 2013 with some variants traced to November 2012. It was made by a hacking organization from different countries called M38dHhM and was often used against targets in the Middle East. It can be spread through phishing and infected drives. To date, there are many versions of this virus, the most famous of which is njRAT Green Edition.
| njRAT | |
|---|---|
| Developer | M38dHhM |
| Final release | 0.7d
|
| Written in | Visual Basic .NET |
| Operating system | Microsoft Windows |
| Type | Remote Access Trojan (RAT) |
Attacks using njRAT
A surge of njRAT attacks was reported in India in July 2014.[2] In an attempt to disable njRAT's capabilities, Microsoft took down four million websites in 2014 while attempting to filter traffic through no-ip.com domains.[3]
In March 2016, Softpedia reported that spam campaigns spreading remote access trojans such as njRAT were targeting Discord.[4] In October 2020, Softpedia also reported the appearance of a cracked VMware download that would download njRAT via Pastebin. Terminating the process would crash the computer.[5]
In early 2017, a Russian-speaking hacker known simply as "OP" has used the virus to access the webcam feeds and personal information of hundreds of PC users in post-Soviet countries, Thailand and Turkey, while trolling and pranking the victims by using the trojan's capabilities, as part of his project named "Overheard on MediaGet" (Russian: Подслушано в MediaGet). Everything was livestreamed on the hacker's multiple YouTube channels, which were subsequently deleted. "OP" and his team infected the files of the most popular programs available in the MediaGet torrent client software with njRAT. The victims didn't suspect that their PC was infected, which gave the opportunity for the hacker to interrupt their activities, such as by playing loud sounds, opening shock sites and Gachimuchi videos in the web browser, insulting the victims with text-to-speech voices and talking to them via the speakers, accessing their social media accounts to write bizarre messages to their relatives, showing the users their own faces and replacing the desktop background and mouse cursor with pictures of Navalny and penises. Viewers could see the victims' reaction through their webcam feeds. The livestreams continued regularly to around June 2017. The exact number of victims is unknown, and the identity of "OP" remains a mystery.
An Islamic State website was hacked in March 2017 to display a fake Adobe Flash Player update download, which instead downloaded the njRAT trojan.[6]
In January 2023, outbreaks of Trojan infections were seen in the Middle East. The attackers used .cab files with supposedly political conversation, when opened, they launched a .vbs script that downloaded malware from the cloud.[7]
Architecture
njRAT, like many Remote Access Trojans, works on the principle of a reverse backdoor, that is, it requires open ports on the attacker's computer. After creating the malware (client) and opening it, the attacker's server receives a request from the client side. After a successful connection, the attacker can control the victim's computer by sending commands to the server when the client part processes them.
Detections
Common antivirus tags for NjRAT are as follows:
- W32.Backdoor.Bladabindi
- Backdoor.MSIL.Bladabindi
- Backdoor/Win.NjRat.R512373
The standard version of the Trojan lacks encryption algorithms, which is why it can be easily detected by antivirus. However, an attacker can encrypt it manually, so that it will not be detected by popular antivirus software.