njRAT

njRAT is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.[1]

ID: S0385
Associated Software: Njw0rm, LV, Bladabindi
Type: MALWARE
Platforms: Windows
Version: 1.0

Associated Software Descriptions

Name Description
Njw0rm Some sources have discussed Njw0rm as a later variant of njRAT, where Njw0rm adds the ability to spread via removable devices such as USB drives.[4] Other sources include that functionality in their description of njRAT itself.[1][3]
LV [1]
Bladabindi [1][3]

Techniques Used

Domain ID Name Use
Enterprise T1010 Application Window Discovery

njRAT gathers information about opened windows during the initial infection.[1]

Enterprise T1059 Command-Line Interface

njRAT can launch a command shell interface for executing commands.[1]

Enterprise T1503 Credentials from Web Browsers

njRAT has a module that steals passwords saved in victim web browsers.[1][3][2]

Enterprise T1094 Custom Command and Control Protocol

njRAT communicates with the C2 server using a custom protocol over TCP.[1]

Enterprise T1132 Data Encoding

njRAT uses Base64 encoding for C2 traffic.[1]

Enterprise T1005 Data from Local System

njRAT can collect data from a local system.[1]

Enterprise T1089 Disabling Security Tools

njRAT has modified the Windows firewall to allow itself to communicate through the firewall.[1]

Enterprise T1083 File and Directory Discovery

njRAT can browse file systems using a file manager module.[1]

Enterprise T1107 File Deletion

njRAT is capable of deleting files on the victim.[1]

Enterprise T1056 Input Capture

njRAT is capable of logging keystrokes.[1][3][2]

Enterprise T1112 Modify Registry

njRAT can create, delete, or modify a specified Registry key or value.[1][3]

Enterprise T1120 Peripheral Device Discovery

njRAT will attempt to detect if the victim system has a camera during the initial infection.[1]

Enterprise T1060 Registry Run Keys / Startup Folder

njRAT has added persistence via the Registry key HKCU\Software\Microsoft\CurrentVersion\Run\.[1][3]

Enterprise T1076 Remote Desktop Protocol

njRAT has a module for performing remote desktop access.[1]

Enterprise T1105 Remote File Copy

njRAT can upload and download files to and from the victim’s machine.[1]

Enterprise T1018 Remote System Discovery

njRAT can identify remote hosts on connected networks.[1]

Enterprise T1091 Replication Through Removable Media

njRAT can be configured to spread via removable drives.[1]

Enterprise T1113 Screen Capture

njRAT can capture screenshots of the victim’s machines.[3]

Enterprise T1082 System Information Discovery

njRAT enumerates the victim operating system and computer name during the initial infection.[1]

Enterprise T1033 System Owner/User Discovery

njRAT enumerates the current user during the initial infection.[1]

Enterprise T1065 Uncommonly Used Port

njRAT has been observed communicating over uncommon TCP ports, including 1177 and 8282.[1][3][2]

Enterprise T1125 Video Capture

njRAT can access the victim's webcam.[1][2]

Groups That Use This Software

ID Name References
G0078 Gorgon Group [5]
G0043 Group5 [2]
G0096 APT41 [6]

References