NjRAT (also known as Bladabindi) malware is a Remote Access Trojan (RAT) that was first discovered in 2012. This malware strain has persisted in the threat landscape up to the present day, most recently earning notoriety for its active campaigns against agencies and organizations located in the Middle East and North Africa. Upon successful infiltration into a target host or system, NjRAT can allow the attacker to remotely access and exercise control over the compromised system. Typical entry points for NjRAT include phishing attacks, infected removable drives, drive-by downloads, and interactions with other malicious software.
Throughout the first two quarters of this year, the Spamhaus Botnet Threat Update (Q1, Q2) has consistently featured this malware family in its list of the top 20 malware families associated with botnet command-and-control (C&C) servers. More recently, in July 2023, the Computer Emergency Response Team of Ukraine published an article describing the UAC-0057 group's use of PicassoLoader and NjRAT as integral components of its cyberattacks.
In this blog, the Splunk Threat Research Team (STRT) provides a deep dive analysis of this threat, including:
To this day, threat actors continue to use VBScript to drop NjRAT onto the target host. This loader copies itself into the Windows %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup folder, ensuring persistence on the compromised host. Figure 1 illustrates its initialization routine, in which it builds the path to the startup folder from a reversed string. That path is then used to run a PowerShell script, with a deliberate delay introduced through the 'ping.exe' command. The delay is an evasion technique aimed at sandboxes or detection mechanisms that rely on execution time.
Figure 1: NjRAT loader adding persistence
The PowerShell script is the actual NjRAT loader: it decodes a Base64-encoded executable (in this case, the NjRAT malware) and executes it. Figure 2 shows the command line of the PowerShell child process spawned by the VBScript to load NjRAT.
Figure 2: powershell loader
Using CyberChef, we can easily decode the Base64 blob and recover the actual NjRAT executable for analysis.
Figure 2.1: Decoded payload
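The same triage can be scripted for process-creation telemetry: pull every Base64 literal handed to FromBase64String out of a PowerShell command line, decode it, and check whether the result is PE-shaped. The script below is an added example, not the STRT's tooling or the loader from the blog; the command line and the "payload" it carries are constructed here (the payload is a 88-byte MZ/PE-shaped stub, not an executable), and the ping-delay regex is an assumption about how the delay described above appears in the command line.

```python
import base64
import hashlib
import re
import struct


def build_fake_pe() -> bytes:
    """Constructed stand-in for a decoded payload: a 64-byte DOS header whose
    e_lfanew field points at a 'PE\\0\\0' signature. Not a real executable."""
    header = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", header, 0x3C, 64)      # e_lfanew -> PE signature right after
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


# Constructed command line in the shape the blog describes (hidden window,
# Base64 blob passed to FromBase64String, ping used as a delay). The execution
# step is deliberately omitted; this is an analysis target, not a loader.
SAMPLE_CMDLINE = (
    'powershell.exe -w hidden -c "ping.exe -n 10 127.0.0.1 > $null; '
    f"$p=[System.Convert]::FromBase64String('{base64.b64encode(build_fake_pe()).decode()}'); "
    '<execution step omitted>"'
)

B64_ARG_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
PING_DELAY_RE = re.compile(r"\bping(?:\.exe)?\s+-n\s+\d+\s+(?:127\.0\.0\.1|localhost)", re.I)


def extract_base64_args(cmdline: str) -> list:
    """Return every Base64 literal passed to FromBase64String in the command line."""
    return B64_ARG_RE.findall(cmdline)


def looks_like_pe(data: bytes) -> bool:
    """Minimal PE sanity check: 'MZ' magic and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_loader(cmdline: str) -> dict:
    """Decode each embedded blob and report its size, hash and whether it is PE-shaped."""
    payloads = []
    for blob in extract_base64_args(cmdline):
        try:
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:            # binascii.Error is a ValueError subclass
            continue
        payloads.append({
            "size": len(decoded),
            "is_pe": looks_like_pe(decoded),
            "sha256": hashlib.sha256(decoded).hexdigest(),
        })
    return {
        "uses_ping_delay": bool(PING_DELAY_RE.search(cmdline)),
        "payloads": payloads,
    }


if __name__ == "__main__":
    print(triage_loader(SAMPLE_CMDLINE))
```

The hash of each decoded blob is what you would pivot on afterwards (sandbox submission, retro-hunting across hosts); the `is_pe` flag separates an embedded executable from Base64 that merely carries a second-stage script or configuration text.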
During our analysis, the STRT identified that NjRAT places its configuration settings, which contain the file name of its process, registry run keys, the C2 server, the port and more, in the “.cctor” (class constructor), a special method also known as a type initializer. The runtime calls this method automatically to initialize the static members of a class before any static method or field is accessed and before any instance of the class is created.
To determine whether this pattern holds for other active NjRAT instances, the STRT ran an analysis and test. We downloaded more than 150 of the latest malware samples from MalwareBazaar and developed a Python script tailored to extract the configuration details. This enabled us to identify potential C2 servers, port numbers, registry run keys and encoded strings within the configuration code.
NjRAT's configuration settings exhibit varying structures and formats with each new version, often characterized by randomized variable names. Consequently, comprehensively tagging all configuration fields can be challenging unless these variables can be correlated with their corresponding code segments.
In Demo 3.0 and Figures 3.1 and 3.2, using the tool njrat_config_viewer.py, we tagged all possible strings from the extracted .NET CIL configuration settings of the NjRAT samples we analyzed and generated basic statistics for each tag, with the goal of identifying commonalities across the configurations of all the analyzed samples.
Our data reveals that NjRAT actively uses duckdns.org, ngrok.io, Discord, Pastebin and textbin.net as C2 infrastructure. It also relies on the commonplace registry Run key for persistence and, in some variants, uses Base64 encoding to obfuscate the configuration settings.
Figure 3.1: Configuration String Stats
In our analysis of the malware sample set, we observed a prevalent pattern where the malware frequently utilizes 'svchost.exe' as the dropped filename and relies on Registry Run keys for achieving persistence.
Figure 3.2: Configuration String Stat
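The tagging-and-statistics step behind Figures 3.1 and 3.2 can be reproduced on any list of strings pulled from a sample's .cctor. The code below is an added example written for this post, not njrat_config_viewer.py or any STRT tool: it tags each string (dropped filename, registry Run key, known C2 hosting service, hostname, port, Base64-encoded value) and then counts, per tag, how many samples carry it and which values recur. The three sample string sets, their hosts, ports and names are constructed for the example and are not indicators from the blog's sample set; the tag names and regular expressions are likewise assumptions.

```python
import base64
import binascii
import re
from collections import Counter, defaultdict

# Tagging rules (assumed for this example). Order matters: a filename is
# final, because "svchost.exe" would otherwise also look like a hostname.
FILENAME_RE = re.compile(r"^[\w-]+\.(exe|dll|vbs|scr)$", re.I)
RUN_KEY_RE = re.compile(r"CurrentVersion\\Run", re.I)
C2_SERVICE_RE = re.compile(r"duckdns\.org|ngrok\.io|discord|pastebin|textbin\.net", re.I)
HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)
PORT_RE = re.compile(r"^\d{1,5}$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def try_base64_text(s: str):
    """Decode s as Base64; return the text only if it is printable ASCII, else None."""
    try:
        text = base64.b64decode(s, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def tag_string(s: str) -> set:
    """Assign zero or more tags to one configuration string."""
    if FILENAME_RE.match(s):
        return {"dropped_filename"}
    tags = set()
    if RUN_KEY_RE.search(s):
        tags.add("registry_run_key")
    if C2_SERVICE_RE.search(s):
        tags.add("c2_known_service")
    if HOST_RE.match(s):
        tags.add("c2_host")
    if PORT_RE.match(s) and 1 <= int(s) <= 65535:
        tags.add("port")
    # Untagged Base64-looking strings are decoded and tagged recursively, so an
    # encoded Run key still surfaces as "base64:registry_run_key".
    if not tags and B64_RE.match(s):
        decoded = try_base64_text(s)
        if decoded is not None:
            tags.add("base64_encoded")
            tags.update("base64:" + t for t in tag_string(decoded))
    return tags


def config_stats(samples: dict) -> dict:
    """Per-tag sample counts and the most common values per tag across all samples."""
    tag_sample_counts = Counter()
    values = defaultdict(Counter)
    for strings in samples.values():
        seen = set()
        for s in strings:
            for t in tag_string(s):
                seen.add(t)
                values[t][s] += 1
        tag_sample_counts.update(seen)   # count each tag once per sample
    return {
        "samples": len(samples),
        "tag_sample_counts": dict(tag_sample_counts),
        "top_values": {t: c.most_common(3) for t, c in values.items()},
    }


# Constructed strings in the shape a .cctor dump yields. Hosts, ports and
# names are invented for this example, not indicators from the blog.
RUN_KEY = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
SAMPLES = {
    "sample_a": ["svchost.exe", "example-bot.duckdns.org", "5552", RUN_KEY],
    "sample_b": ["0.tcp.ngrok.io", "12345", "svchost.exe", RUN_KEY],
    "sample_c": ["EdgeUpdater.exe", "pastebin.com/raw/placeholder", "1177",
                 base64.b64encode(RUN_KEY.encode()).decode()],
}

if __name__ == "__main__":
    for name, strings in SAMPLES.items():
        print(name, {s: sorted(tag_string(s)) for s in strings})
    print(config_stats(SAMPLES))
```

Counting a tag once per sample (rather than once per string) is what makes the resulting numbers comparable across a sample set whose configurations have different lengths, which is the comparison Figures 3.1 and 3.2 make.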
NjRAT offers a wide range of capabilities for controlling the compromised host and extracting sensitive data from it. These include manipulating files, processes, services and the registry, as well as establishing remote connections, capturing the screen, keylogging, microphone recording and much more.
Figure 4: NjRAT Features
Figure 5 captures a screenshot of NjRAT providing a glimpse into the desktop environment of the compromised host. This functionality is initiated through a .dll module plugin fetched from its server and subsequently executed on the compromised host.
Figure 5.1 reveals the NjRAT server's interface, showcasing the keylogged data collected from the compromised host.
Figure 5.1: Keylogger
One interesting characteristic of this RAT malware is its fileless storage approach. NjRAT stores keylogged data within a registry key named “[kl].” Moreover, when the server dispatches a .dll plugin to its client component for execution on the compromised host, the client-side component of NjRAT avoids saving it as a file. Instead, it stores the plugin within the registry, which can be queried and loaded as needed to perform specific tasks or features.
Figure 6: Fileless Storage
The STRT also observed NjRAT's ability to impair defenses by disabling or modifying the firewall settings of the compromised system. Figure 7 shows screenshots of the code responsible for modifying the system's firewall settings during installation.
Figure 7: firewall modification
Now, let's take a deep dive into a specific NjRAT variant distinguished by its capability to wipe out or destroy the Master Boot Record (MBR) of the compromised host.
Figure 8 shows the initial information about the NjRAT sample we analyzed that contains the MBR wiper. The file's timestamp is “August 28, 2023” and it was compiled with VB .NET.
Figure 8: Detect It Easy Info
At the entry point of this malware sample, it attempts to execute several functions enabled in its configuration settings, such as persistence through the registry, shutting down its bot client via the taskkill application, and terminating several security product, tool and sandbox processes.
Figure 9: Security Processes Termination
It employs an interesting method to ascertain whether its process possesses administrative privileges. This involves an attempt to create a file named 'win.dat' in the C:\ directory. The success or failure of this file creation serves as an indicator: if the file is created, it indicates that the current process token has admin rights; otherwise, it does not.
Figure 10: admin privilege check
This variant is also capable of spreading via removable drives, infecting any drive connected to the compromised host.
Figure 11: worm behavior
It is also capable of bypassing the Windows User Account Control (UAC) security feature to elevate process privileges on the compromised system. NjRAT abuses the registry lookup that eventvwr.exe performs to find the location of mmc.exe, which it uses to open the eventvwr.msc saved console file. By placing the NjRAT file path in this registry entry, the malware is executed as a high-integrity process without triggering a UAC prompt for the user.
Figure 12: UAC Bypass
In addition to the familiar Registry Run Key usage observed in NjRAT's configuration settings, NjRAT also initiates the deployment of a copy of itself in the Windows startup folder. Alongside this copy, a .url file is dropped, which references the copied executable as 'EdgeUpdater.exe,' ensuring automatic execution during the compromised host's bootup.
Figure 13: drop copy in startup folder
In addition to its standard keylogging functionality, this particular NjRAT variant can carry out a highly destructive action: wiping or destroying the Master Boot Record (MBR). When this variant receives a command string such as 'FuckMBR' from its C2 server, it overwrites the actual MBR code, located in the first sector of '\\.\PhysicalDrive0', with a customized boot sector embedded in its code. This renders the compromised host non-bootable, replacing the boot process with a message stating that the system has been infected.
Figure 14: MBR Wiper
To simulate this technique for detection development, one could force the execution of this function, or alternatively copy the MBR embedded in its code and use the MBR-Rewind tool to overwrite and then restore the boot sector of your test lab machine during testing.
Figure 15: MBR payload
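When testing a wiper like this in a lab, the useful artifact on the defender's side is a before/after comparison of the first sector: has the 446-byte boot code changed, has the partition table changed, and is the 0x55AA signature still present? The script below is an added example, not part of the blog or of MBR-Rewind: it parses a 512-byte MBR into those three parts and classifies a captured sector against a known-good baseline. The sectors are constructed in the script (the "baseline" boot code is filler, the "tampered" code stands in for a message-only boot sector as described above); on a lab host the 512 bytes would be read from the first sector of the disk with administrative rights, which is outside this example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"


def partition_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    """One 16-byte MBR partition entry; CHS fields zeroed (assumption: LBA-only layout)."""
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\x00" * 3,
                       ptype, b"\x00" * 3, lba_start, sectors)


def build_sector(boot_code: bytes, entries: list) -> bytes:
    """Assemble a 512-byte MBR: 446 bytes of boot code, 4 x 16-byte entries, 0x55AA."""
    code = boot_code.ljust(446, b"\x00")[:446]
    table = b"".join(entries).ljust(64, b"\x00")[:64]
    return code + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split a sector into boot-code hash, populated partition entries and signature status."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + i * 16)
        if ptype != 0:                       # type 0 means an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:] == BOOT_SIGNATURE,
        "bootcode_sha256": hashlib.sha256(sector[:446]).hexdigest(),
        "partitions": partitions,
    }


def compare_to_baseline(current: bytes, baseline: bytes) -> dict:
    """Classify the current sector against a known-good copy taken earlier."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    code_changed = cur["bootcode_sha256"] != base["bootcode_sha256"]
    table_changed = cur["partitions"] != base["partitions"]
    if not cur["signature_ok"]:
        verdict = "signature_missing"
    elif code_changed and table_changed:
        verdict = "bootcode_and_table_modified"
    elif code_changed:
        verdict = "bootcode_modified"
    elif table_changed:
        verdict = "table_modified"
    else:
        verdict = "clean"
    return {"verdict": verdict, "bootcode_changed": code_changed,
            "partition_table_changed": table_changed, "signature_ok": cur["signature_ok"]}


# Constructed sectors for the example. The baseline boot code is filler
# bytes, not a boot loader; the tampered code stands in for a custom boot
# sector that only prints a message.
NTFS = 0x07
BASELINE_MBR = build_sector(b"\x90" * 100,
                            [partition_entry(True, NTFS, 2048, 0x1000000)])
TAMPERED_CODE_ONLY = build_sector(b"[constructed fake boot message]",
                                  [partition_entry(True, NTFS, 2048, 0x1000000)])
FULL_OVERWRITE = build_sector(b"[constructed fake boot message]", [])

if __name__ == "__main__":
    for name, sector in [("baseline", BASELINE_MBR), ("code_only", TAMPERED_CODE_ONLY),
                         ("full", FULL_OVERWRITE)]:
        print(name, compare_to_baseline(sector, BASELINE_MBR)["verdict"])
```

The distinction between the two tampered cases matters for recovery: if only the boot code was replaced and the partition table survived, the data partitions are still addressable and a tool such as MBR-Rewind can put the original sector back; if the whole sector was overwritten, the partition table has to be restored from the baseline copy as well.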
NjRAT is also capable of collecting system information such as the hostname, username, OS version, OS architecture and the antivirus product installed on the targeted host (by executing “Select * From AntiVirusProduct”). Below is a table of notable commands we observed, each designed to execute a specific task or payload on the compromised host.
String Command | Task
“CloseCD” or “OpenCD” | Close or open the CD tray
UACbyp | UAC bypass using mmc.exe
Piano | Customize beep sequence
FuckMBR | MBR slayer/wiper
Runas | Run with admin privilege
bsod | Raise exception
persis | Persistence mechanism
checkin | Check admin rights
schedtasks | Create scheduled task (Schtasks /create /tn )
unschedtasks | Delete scheduled task (Schtasks /delete /tn )
spreadusbme | Spread to removable drives
“restartme” or “rst” | “Shutdown -r -t 00 -f” or “shutdown /r /t 00”
“shutdowm” or “sht” | “Shutdown -s -t 00 -f” or “shutdown /s /t 00”
speech | Launch text-to-speech synthesis
“HideTask” or “ShowTask” | Hide/show tray window task
“HideDesk” or “Showdesk” | Hide/show progman window
lof | Log off (“shutdown /l /f”)
botk | Bot killer: kill its bot client
SoundUp | Zip and send the recorded scream.wav file
The Splunk Threat Research Team has curated relevant detections and tagged them to the NjRAT Analytic Story to help security analysts detect adversaries leveraging the malware.
This release used and considered the relevant data endpoint telemetry sources such as:
As an example, the analytic Windows Njrat Fileless Storage via Registry identifies a suspicious registry modification associated with NjRAT, a telltale sign of its fileless technique. NjRAT uses this method to store its keylogs and to execute downloaded DLL module plugins discreetly on the compromised host.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry
    where Registry.registry_path="*\\[kl]" OR Registry.registry_value_data IN ("*[ENTER]*", "*[TAP]*", "*[Back]*")
    by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name Registry.registry_value_name
| `drop_dm_object_name(Registry)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
The analytic Windows Executable in Loaded Modules identifies potentially malicious 'ImageLoaded' events, particularly those involving executable files. This behavior was observed in NjRAT instances: each time a module fetched from the C2 server was loaded on the compromised host, Sysmon recorded the path of the actual image or process as the 'ImageLoaded' value, rather than the DLL module that is normally tracked when loaded into memory. The event is significant because it tracks processes loading modules and libraries, which are typically .dll files rather than .exe files.
`sysmon` EventCode=7 ImageLoaded=*.exe
| stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded Signed SignatureStatus OriginalFileName process_name Computer EventCode ProcessId Hashes IMPHASH
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
The analytic Windows Admin Permission Discovery identifies suspicious file creation in the root drive (C:\). This tactic was observed in NjRAT as a means to ascertain whether its malware instance running on the compromised host possesses administrative privileges.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem
    where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe", "*.js", "*.bat", "*.cmd", "*.pif", "*.lnk", "*.dat")
    by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.user
| `drop_dm_object_name(Filesystem)`
| eval dropped_file_path = split(file_path, "\\")
| eval dropped_file_path_split_count = mvcount(dropped_file_path)
| eval root_drive = mvindex(dropped_file_path,0)
| where LIKE(root_drive, "C:") AND dropped_file_path_split_count = 2
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
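The three searches above express the same three conditions in SPL; to make the logic testable outside Splunk (for unit-testing a detection before shipping it, or for a lightweight check over exported events), the script below restates them in Python as an added example. It is not STRT code and not the searches themselves: the registry check looks for a key ending in \[kl] or value data carrying the keylog markers, the module check keeps Sysmon EventCode 7 records whose ImageLoaded is an .exe, and the root-drive check splits file_path on the backslash and keeps paths with exactly two parts under C:. The event records and their field names are constructed (an assumption about how Endpoint data model and Sysmon fields would be exported); hosts, users, paths and values are made up.

```python
# Constructed endpoint events in a flat, Sysmon-like shape. Field names follow
# the Endpoint data model / Sysmon fields used by the searches above (an
# assumption); host, user, paths and values are invented for the example.
EVENTS = [
    {"kind": "registry", "dest": "WS01", "user": "alice",
     "registry_path": "HKEY_USERS\\S-1-5-21-1\\Software\\app\\[kl]",
     "registry_value_name": "[kl]", "registry_value_data": "hello[ENTER]"},
    {"kind": "registry", "dest": "WS01", "user": "alice",
     "registry_path": "HKEY_LOCAL_MACHINE\\Software\\Vendor\\Setting",
     "registry_value_name": "Setting", "registry_value_data": "1"},
    {"kind": "sysmon", "EventCode": 7, "Computer": "WS01", "Signed": "false",
     "Image": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"},
    {"kind": "sysmon", "EventCode": 7, "Computer": "WS01", "Signed": "true",
     "Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\shell32.dll"},
    {"kind": "filesystem", "user": "alice", "process_id": 4242,
     "file_name": "win.dat", "file_path": "C:\\win.dat"},
    {"kind": "filesystem", "user": "alice", "process_id": 4242,
     "file_name": "notes.dat", "file_path": "C:\\Users\\alice\\notes.dat"},
    {"kind": "filesystem", "user": "alice", "process_id": 100,
     "file_name": "readme.txt", "file_path": "C:\\readme.txt"},
]

KEYLOG_MARKERS = ("[ENTER]", "[TAP]", "[Back]")
SUSPICIOUS_EXT = (".exe", ".dll", ".sys", ".com", ".vbs", ".vbe", ".js",
                  ".bat", ".cmd", ".pif", ".lnk", ".dat")


def detect_fileless_registry(events) -> list:
    """Windows Njrat Fileless Storage via Registry: key ending in \\[kl], or
    value data carrying keylog markers."""
    return [e for e in events if e.get("kind") == "registry" and (
        e["registry_path"].endswith("\\[kl]")
        or any(m in e["registry_value_data"] for m in KEYLOG_MARKERS))]


def detect_exe_image_loaded(events) -> list:
    """Windows Executable in Loaded Modules: Sysmon EventCode 7 where the
    loaded module is an .exe, counted per (Image, ImageLoaded, host)."""
    counts = {}
    for e in events:
        if e.get("EventCode") == 7 and e["ImageLoaded"].lower().endswith(".exe"):
            key = (e["Image"], e["ImageLoaded"], e["Computer"])
            counts[key] = counts.get(key, 0) + 1
    return [{"Image": i, "ImageLoaded": l, "dest": d, "count": c}
            for (i, l, d), c in counts.items()]


def detect_root_drive_file_creation(events) -> list:
    """Windows Admin Permission Discovery: a file with a watched extension
    created directly under C:\\ (splitting on the backslash yields two parts)."""
    hits = []
    for e in events:
        if e.get("kind") != "filesystem":
            continue
        if not e["file_name"].lower().endswith(SUSPICIOUS_EXT):
            continue
        parts = e["file_path"].split("\\")
        if len(parts) == 2 and parts[0].upper() == "C:":
            hits.append(e)
    return hits


def run_all(events) -> dict:
    """Hit count per analytic, the shape a risk-based alerting pipeline consumes."""
    return {
        "fileless_registry": len(detect_fileless_registry(events)),
        "exe_image_loaded": len(detect_exe_image_loaded(events)),
        "root_drive_file_creation": len(detect_root_drive_file_creation(events)),
    }


if __name__ == "__main__":
    print(run_all(EVENTS))
```

Note how the root-drive check reproduces the SPL exactly: `split(file_path, "\\")` followed by `mvcount(...) = 2` is what excludes `C:\Users\alice\notes.dat` while keeping `C:\win.dat`, and the extension list is why `C:\readme.txt` does not fire. If you tune the SPL (for example, dropping `*.dat` because of a noisy application), the same change belongs here so the unit test still reflects what ships.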
Overall, the NjRAT analytic story introduces 35 detections across MITRE ATT&CK techniques.
https://gist.github.com/tccontre/4013f4d54d294d6f21efc616b7dafbea
Non-hunting detections associated with this analytic story create entries by default in the Splunk Enterprise Security risk index which can be used seamlessly with risk notables and the Risk Notable Playbook Pack. Additionally, the Automated Enrichment playbook pack also works well with the output of any of these analytics.
Playbook | Description
 | Moves the event status to open and then launches the Dispatch playbooks for Reputation Analysis, Attribute Lookup, and Related Tickets.
 | Detects available indicators and routes them to indicator reputation analysis playbooks. The output of the analysis will update any artifacts, tasks, and indicator tags.
 | Detects available entities and routes them to attribute lookup playbooks. The output of the playbooks will create new artifacts for any technologies that return information.
 | Detects available indicators and routes them to dispatch related ticket search playbooks. The output of the analysis will update any artifacts, tasks, and indicator tags.
This blog helps security analysts, blue teamers and Splunk customers identify NjRAT malware by enabling the community to discover the tactics, techniques and procedures that threat actors and adversaries use with it. By understanding its behaviors, the Splunk Threat Research Team was able to generate telemetry and datasets to develop and test Splunk detections designed to help defend against and respond to this threat.
You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections now available via push update.
For a full list of security content, check out the release notes on Splunk Docs.
Any feedback or requests? Feel free to open an issue on GitHub and we'll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on Slack.
We would like to thank Teoderick Contreras for authoring this post and the entire Splunk Threat Research Team for their contributions including Michael Haag, Mauricio Velazco, Lou Stella, Bhavin Patel, Rod Soto, Eric McGinnis, and Patrick Bareiss.