Skip to content

S0385 njRAT

njRAT is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.2

Item Value
ID S0385
Associated Names Njw0rm, LV, Bladabindi
Version 1.4
Created 04 June 2019
Last Modified 16 September 2022
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Njw0rm Some sources have discussed Njw0rm as a later variant of njRAT, where Njw0rm adds the ability to spread via removable devices such as USB drives.1 Other sources contain that functionality in their description of njRAT itself.23
LV 2
Bladabindi 23

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols njRAT has used HTTP for C2 communications.3
enterprise T1010 Application Window Discovery njRAT gathers information about opened windows during the initial infection.2
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder njRAT has added persistence via the Registry key HKCU\Software\Microsoft\CurrentVersion\Run\ and dropped a shortcut in %STARTUP%.23
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell njRAT has executed PowerShell commands via auto-run registry key persistence.3
enterprise T1059.003 Windows Command Shell njRAT can launch a command shell interface for executing commands.2
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers njRAT has a module that steals passwords saved in victim web browsers.234
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding njRAT uses Base64 encoding for C2 traffic.2
enterprise T1005 Data from Local System njRAT can collect data from a local system.2
enterprise T1568 Dynamic Resolution -
enterprise T1568.001 Fast Flux DNS njRAT has used a fast flux DNS for C2 IP resolution.3
enterprise T1041 Exfiltration Over C2 Channel njRAT has used HTTP to receive stolen information from the infected machine.3
enterprise T1083 File and Directory Discovery njRAT can browse file systems using a file manager module.2
enterprise T1562 Impair Defenses -
enterprise T1562.004 Disable or Modify System Firewall njRAT has modified the Windows firewall to allow itself to communicate through the firewall.23
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion njRAT is capable of deleting files.23
enterprise T1070.009 Clear Persistence njRAT is capable of manipulating and deleting registry keys, including those used for persistence.3
enterprise T1105 Ingress Tool Transfer njRAT can download files to the victim’s machine.23
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging njRAT is capable of logging keystrokes.234
enterprise T1112 Modify Registry njRAT can create, delete, or modify a specified Registry key or value.23
enterprise T1106 Native API njRAT has used the ShellExecute() function within a script.3
enterprise T1571 Non-Standard Port njRAT has used port 1177 for HTTP C2 communications.3
enterprise T1027 Obfuscated Files or Information njRAT has included a base64 encoded executable.3
enterprise T1027.004 Compile After Delivery njRAT has used AutoIt to compile the payload and main script into a single executable after delivery.3
enterprise T1120 Peripheral Device Discovery njRAT will attempt to detect if the victim system has a camera during the initial infection. njRAT can also detect any removable drives connected to the system.23
enterprise T1057 Process Discovery njRAT can search a list of running processes for Tr.exe.3
enterprise T1012 Query Registry njRAT can read specific registry values.3
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol njRAT has a module for performing remote desktop access.2
enterprise T1018 Remote System Discovery njRAT can identify remote hosts on connected networks.2
enterprise T1091 Replication Through Removable Media njRAT can be configured to spread via removable drives.23
enterprise T1113 Screen Capture njRAT can capture screenshots of the victim’s machines.3
enterprise T1082 System Information Discovery njRAT enumerates the victim operating system and computer name during the initial infection.2
enterprise T1033 System Owner/User Discovery njRAT enumerates the current user during the initial infection.2
enterprise T1125 Video Capture njRAT can access the victim’s webcam.24

Groups That Use This Software

ID Name References
G0143 Aquatic Panda 6
G0134 Transparent Tribe 7
G0140 LazyScripter 8
G0043 Group5 4
G0096 APT41 9
G0078 Gorgon Group 10