S0385 njRAT

njRAT is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.²

Item	Value
ID	S0385
Associated Names	Njw0rm, LV, Bladabindi
Type	MALWARE
Version	1.4
Created	04 June 2019
Last Modified	16 September 2022
Navigation Layer	View In ATT&CK® Navigator

Associated Software Descriptions

Name	Description
Njw0rm	Some sources have discussed Njw0rm as a later variant of njRAT, where Njw0rm adds the ability to spread via removable devices such as USB drives.¹ Other sources contain that functionality in their description of njRAT itself.²³
LV	²
Bladabindi	²³

Techniques Used

Domain	ID	Name	Use
enterprise	T1071	Application Layer Protocol	-
enterprise	T1071.001	Web Protocols	njRAT has used HTTP for C2 communications.³
enterprise	T1010	Application Window Discovery	njRAT gathers information about opened windows during the initial infection.²
enterprise	T1547	Boot or Logon Autostart Execution	-
enterprise	T1547.001	Registry Run Keys / Startup Folder	njRAT has added persistence via the Registry key `HKCU\Software\Microsoft\CurrentVersion\Run\` and dropped a shortcut in `%STARTUP%`.²³
enterprise	T1059	Command and Scripting Interpreter	-
enterprise	T1059.001	PowerShell	njRAT has executed PowerShell commands via auto-run registry key persistence.³
enterprise	T1059.003	Windows Command Shell	njRAT can launch a command shell interface for executing commands.²
enterprise	T1555	Credentials from Password Stores	-
enterprise	T1555.003	Credentials from Web Browsers	njRAT has a module that steals passwords saved in victim web browsers.²³⁴
enterprise	T1132	Data Encoding	-
enterprise	T1132.001	Standard Encoding	njRAT uses Base64 encoding for C2 traffic.²
enterprise	T1005	Data from Local System	njRAT can collect data from a local system.²
enterprise	T1568	Dynamic Resolution	-
enterprise	T1568.001	Fast Flux DNS	njRAT has used a fast flux DNS for C2 IP resolution.³
enterprise	T1041	Exfiltration Over C2 Channel	njRAT has used HTTP to receive stolen information from the infected machine.³
enterprise	T1083	File and Directory Discovery	njRAT can browse file systems using a file manager module.²
enterprise	T1562	Impair Defenses	-
enterprise	T1562.004	Disable or Modify System Firewall	njRAT has modified the Windows firewall to allow itself to communicate through the firewall.²³
enterprise	T1070	Indicator Removal	-
enterprise	T1070.004	File Deletion	njRAT is capable of deleting files.²³
enterprise	T1070.009	Clear Persistence	njRAT is capable of manipulating and deleting registry keys, including those used for persistence.³
enterprise	T1105	Ingress Tool Transfer	njRAT can download files to the victim’s machine.²³
enterprise	T1056	Input Capture	-
enterprise	T1056.001	Keylogging	njRAT is capable of logging keystrokes.²³⁴
enterprise	T1112	Modify Registry	njRAT can create, delete, or modify a specified Registry key or value.²³
enterprise	T1106	Native API	njRAT has used the ShellExecute() function within a script.³
enterprise	T1571	Non-Standard Port	njRAT has used port 1177 for HTTP C2 communications.³
enterprise	T1027	Obfuscated Files or Information	njRAT has included a base64 encoded executable.³
enterprise	T1027.004	Compile After Delivery	njRAT has used AutoIt to compile the payload and main script into a single executable after delivery.³
enterprise	T1120	Peripheral Device Discovery	njRAT will attempt to detect if the victim system has a camera during the initial infection. njRAT can also detect any removable drives connected to the system.²³
enterprise	T1057	Process Discovery	njRAT can search a list of running processes for Tr.exe.³
enterprise	T1012	Query Registry	njRAT can read specific registry values.³
enterprise	T1021	Remote Services	-
enterprise	T1021.001	Remote Desktop Protocol	njRAT has a module for performing remote desktop access.²
enterprise	T1018	Remote System Discovery	njRAT can identify remote hosts on connected networks.²
enterprise	T1091	Replication Through Removable Media	njRAT can be configured to spread via removable drives.²³
enterprise	T1113	Screen Capture	njRAT can capture screenshots of the victim’s machines.³
enterprise	T1082	System Information Discovery	njRAT enumerates the victim operating system and computer name during the initial infection.²
enterprise	T1033	System Owner/User Discovery	njRAT enumerates the current user during the initial infection.²
enterprise	T1125	Video Capture	njRAT can access the victim’s webcam.²⁴

Groups That Use This Software

ID	Name	References
G0143	Aquatic Panda	⁶
G0134	Transparent Tribe	⁷
G0140	LazyScripter	⁸
G0043	Group5	⁴
G0096	APT41	⁹
G0078	Gorgon Group	¹⁰

References

Dawda, U. and Villeneuve, N. (2013, August 30). Njw0rm - Brother From the Same Mother. Retrieved June 4, 2019. ↩
Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: “njRAT” Uncovered. Retrieved June 4, 2019. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016. ↩↩↩↩
M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022. ↩
Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022. ↩
Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016. ↩
Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021. ↩
Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. ↩
Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018. ↩