NJRat Trojan Returns To Life, Warns PhishMe

Tom Jowitt,
cyber security

A remote access trojan, last seen a year ago, is making a reappearance warns security researcher

A security researcher has warned that a remote access trojan called NJRat, seems to be returning from the dead.

The warning came from security specialist PhishMe, which found evidence that the malware is making a comeback.

NJRat Returns

The warning was made by PhishMe’s senior researcher Ronnie Tokazowski in a blog posting.

“NJRat is a remote-access Trojan that has been used for the last few years. We haven’t heard much about NJRat since April 2014, but some samples we’ve recently received show that this malware is making a comeback,” he blogged.

Tokazowski said that he had examined recent messages and the malware within, and discovered that the executable element had been compiled with .NET 4.0.

Botnet“This is worth mentioning because most of the malware today is written in C/C++,” he warned. “The biggest benefit for malware to be written in .NET is that it can be difficult to decode and see what is truly going on. While the .NET code can be decompiled back to the original code (not 100%, but closer than most), regular analysis techniques can throw off analysis, as the code is different. This is why we often have to rely on dynamic analysis, or just double-clicking the file, for .NET analysis.”

So what nastiness does NJRat contain? Well, once the malware runs, it copies itself onto the victim’s machine and begins to attempt connections with the outside world.

“The IP address appears to be part of VPN infrastructure,” he wrote. “Based off of the analysis from the Fidelis article, the VPN infrastructure and no-IP dynamic DNS matches up very well. VPN references also match up with one of the two NJRat Facebook pages…”

NJRat made headlines last year, as the malware was mostly used by hackers in the Middle East. It was used to attack governmental and civilian targets in the Middle East and North Africa. Symantec reportedly said at the time that njRAT was similar in capability to remote access tools (RATs) used to control botnets, but njRAT differed from other RAT malware due to its level of support and development by Arabic speakers.

It also apparently infected up to 20,000 machines at its height.

In August last year, a group calling itself the Syrian Malware Team (SMT) was spotted carrying out attacks using the sophisticated BlackWorm Remote Access Tool (RAT), with one of the members thought to be responsible for its creation.

What do you know about famous hackers? Take our quiz!