Register to stream ATT&CKcon 2.0 October 29-30


njRAT is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.[1]

ID: S0385
Associated Software: Njw0rm, LV, Bladabindi
Platforms: Windows
Version: 1.0

Associated Software Descriptions

Name Description
Njw0rm Some sources have discussed Njw0rm as a later variant of njRAT, where Njw0rm adds the ability to spread via removable devices such as USB drives.[4] Other sources contain that functionality in their description of njRAT itself.[1][3]
LV [1]
Bladabindi [1][3]

Techniques Used

Domain ID Name Use
Enterprise T1010 Application Window Discovery njRAT gathers information about opened windows during the initial infection. [1]
Enterprise T1059 Command-Line Interface njRAT can launch a command shell interface for executing commands. [1]
Enterprise T1094 Custom Command and Control Protocol njRAT communicates to the C2 server using a custom protocol over TCP. [1]
Enterprise T1132 Data Encoding njRAT uses Base64 encoding for C2 traffic. [1]
Enterprise T1005 Data from Local System njRAT can collect data from a local system. [1]
Enterprise T1089 Disabling Security Tools njRAT has modified the Windows firewall to allow itself to communicate through the firewall. [1]
Enterprise T1083 File and Directory Discovery njRAT can browse file systems using a file manager module. [1]
Enterprise T1107 File Deletion njRAT is capable of deleting files on the victim. [1]
Enterprise T1056 Input Capture njRAT is capable of logging keystrokes. [1] [3] [2]
Enterprise T1112 Modify Registry njRAT can create, delete, or modify a specified Registry key or value. [1] [3]
Enterprise T1120 Peripheral Device Discovery njRAT will attempt to detect if the victim system has a camera during the initial infection. [1]
Enterprise T1060 Registry Run Keys / Startup Folder njRAT has added persistence via the Registry key HKCU\Software\Microsoft\CurrentVersion\Run\. [1] [3]
Enterprise T1076 Remote Desktop Protocol njRAT has a module for performing remote desktop access. [1]
Enterprise T1105 Remote File Copy njRAT can upload and download files to and from the victim’s machine. [1]
Enterprise T1018 Remote System Discovery njRAT can identify remote hosts on connected networks. [1]
Enterprise T1091 Replication Through Removable Media njRAT can be configured to spread via removable drives. [1]
Enterprise T1113 Screen Capture njRAT can capture screenshots of the victim’s machines. [3]
Enterprise T1082 System Information Discovery njRAT enumerates the victim operating system and computer name during the initial infection. [1]
Enterprise T1033 System Owner/User Discovery njRAT enumerates the current user during the initial infection. [1]
Enterprise T1065 Uncommonly Used Port njRAT has been observed communicating over uncommon TCP ports, including 1177 and 8282. [1] [3] [2]
Enterprise T1125 Video Capture njRAT can access the victim's webcam. [1] [2]

Groups That Use This Software

ID Name References
G0078 Gorgon Group [5]
G0043 Group5 [2]