Backdoor-njRAT hides under VBScript

McAfee Labs recently observed a huge spike in njRAT activity. njRAT is a publicly available hacker tool that generates backdoors. McAfee detects these backdoor samples and their variants as MSIL/BackDoor-NJRat. Recently we have seen njRAT PE files hidden inside VBScript to evade detection. The backdoor captures keystrokes, stores them in a registry entry to hide them from the user, and sends them to the C&C server along with other sensitive information about the victim. It can also capture screenshots, download files, compress files for upload, update and execute files, and more.

Threat behavior

Installation

[Image: vb]

In the above script, the “etreytryrth” variable contains the payload of the executable. Once executed, the script drops an executable, rytr5674657gfhgjgj.eXe, into “%temp%”. The dropped file is then executed by concatenating the variables aa1, aa2 and aa3, which yields ws.Exec fn, where fn holds the path of the dropped executable.

The dropped file “rytr5674657gfhgjgj.eXe” is a .NET file. It copies itself as “server.exe” in the same location and then executes server.exe. Server.exe unpacks, in memory, an archive file stored in its .NET resources; this archive is the main malware, “BackDoor-NJRat”. The snippet below shows this:

[Image: zip]

This backdoor has the following capabilities:

  1. Creates a Startup folder entry:

Server.exe copies itself as “C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aad952c23e9277d38b92a7eb927f1a6a.exe” in the Startup folder.

  2. Adds registry entries:

It adds an auto-run registry entry as follows:

HKU\Software\Microsoft\Windows\CurrentVersion\Run\aad952c23e9277d38b92a7eb927f1a6a: “”%Temp%\server.exe” ..”

It adds the following registry entry to mark its infection:

HKU\di: “!”

It adds the following registry entry, which disables all zone checking, so that it can silently install or update:

HKU\Environment\SEE_MASK_NOZONECHECKS: “1”

  3. Key logging capabilities:

This malware captures keystrokes and writes them to the following registry entry:

HKCU\Software\aad952c23e9277d38b92a7eb927f1a6a: “[kl]”

The captured keystrokes are visible in the registry key “[kl]”, as in the screenshot below.

[Image: kl]

  4. Sends sensitive information to the C&C server:

It sends computer information such as the computer name, current user and OS version. It also has other functions, such as capturing screenshots, downloading, executing, updating and uploading files, and so on.

[Image: vb2]

  5. Disable Firewall:

It bypasses the firewall with the command “netsh firewall add allowedprogram FILE_PATH ENABLE”.

Generally, malware authors evade detection by creating many threads simultaneously and by creating handles to the malware file. The snippet below shows that the malware file (here server.exe) creates a handle for the dropped executable aad952c23e9277d38b92a7eb927f1a6a.exe. Many server.exe threads are also running.

[Image: hold]

  6. Avoid termination:

It can mark itself as a critical process to prevent detection. Terminating the critical process causes a BSOD.

[Image: bsod]

njRAT v0.7d hacker tool:

[Image: njrat]

Once a victim is infected, the hacker gets a pop-up message with the victim’s computer details: IP, computer name, OS and country. The snippet above shows this.

The main payload is never stored on the system, to avoid detection. McAfee advises users to keep their antimalware signatures up to date at all times. McAfee products detect these dropped files as “Trojan-FJCW” or “Trojan-FIGN”, and the new VBScript sample is detected as “VBS/BackDoor-NJRat”.
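The host artifacts listed above (auto-run value, marker values, Startup copy, netsh command) are weak signals one at a time but strong together. The following Python triage is an added example, not code from McAfee or the original post; it generalizes the sample's name to any 32-hex-character name and only reports hosts with several distinct indicators. The telemetry row format, host names, the constructed `HKU\<SID>` prefix and the `<name>\[kl]` value layout are assumptions.

```python
import re
from collections import defaultdict

HEX32 = "[0-9a-f]{32}"  # the post's sample uses a 32-hex-character name
# (event kind, indicator name, regex on target, regex on data)
RULES = [
    ("reg", "autorun_from_temp",
     r"\\CurrentVersion\\Run\\<hex>$", r'temp%?\\[^\\"]+\.exe'),
    ("reg", "zone_checks_disabled",
     r"\\Environment\\SEE_MASK_NOZONECHECKS$", r"^1$"),
    ("reg", "infection_marker", r"\\di$", r"^!$"),
    ("reg", "keylog_store", r"\\Software\\<hex>\\\[kl\]$", r""),
    ("file", "startup_copy",
     r"\\Start Menu\\Programs\\Startup\\<hex>\.exe$", r""),
    ("proc", "firewall_allow",
     r"\\netsh\.exe$", r"firewall\s+add\s+allowedprogram"),
]
COMPILED = [(k, n, re.compile(t.replace("<hex>", HEX32), re.I),
             re.compile(d, re.I)) for k, n, t, d in RULES]

def match_event(kind, target, data):
    """Return the indicator names that a single event satisfies."""
    return [n for k, n, t, d in COMPILED
            if k == kind and t.search(target) and d.search(data)]

def triage(events, threshold=3):
    """Report hosts showing at least `threshold` distinct indicators."""
    hits = defaultdict(set)
    for host, kind, target, data in events:
        hits[host].update(match_event(kind, target, data))
    return {h: sorted(s) for h, s in hits.items() if len(s) >= threshold}

NAME = "aad952c23e9277d38b92a7eb927f1a6a"  # file/value name shown in the post
HKU = r"HKU\S-1-5-21-0-0-0-1001"            # constructed user hive path
RUN = HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run" + "\\"
# Constructed telemetry rows (host, kind, target, data); not real logs.
SAMPLE = [
    ("WS-01", "reg", RUN + NAME, r'"%Temp%\server.exe" ..'),
    ("WS-01", "reg", HKU + r"\Environment\SEE_MASK_NOZONECHECKS", "1"),
    ("WS-01", "reg", HKU + r"\di", "!"),
    ("WS-01", "proc", r"C:\Windows\System32\netsh.exe",
     r"netsh firewall add allowedprogram C:\Temp\server.exe ENABLE"),
    ("WS-02", "reg", HKU + r"\Environment\SEE_MASK_NOZONECHECKS", "1"),
    ("WS-02", "reg", RUN + "OneDrive", r'"C:\Apps\OneDrive.exe" /background'),
]
```

WS-02 sets only SEE_MASK_NOZONECHECKS, which administrators also set for legitimate reasons, so it stays below the threshold while WS-01 is reported.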

This post was prepared with the invaluable assistance of Diwakar Dinkar.
