
More Than Just a RAT: Unveiling NjRAT's MBR Wiping Capabilities

NjRAT (also known as Bladabindi) is a Remote Access Trojan (RAT) first discovered in 2012. The family has persisted in the threat landscape to the present day, most recently drawing attention for active campaigns against agencies and organizations in the Middle East and North Africa. Once it is running on a target host, NjRAT gives the attacker remote access to and control over the compromised system. Typical entry points include phishing, infected removable drives, drive-by downloads, and bundling with other malicious software.

Throughout the first two quarters of this year, the Spamhaus Botnet Threat Update (Q1, Q2) has consistently featured this malware family within its list of the top 20 malware families linked to botnet Command and Controls (C&C). More recently, in July 2023, the Computer Emergency Response Team of Ukraine published an article shedding light on the UAC-0057 Group's utilization of PicassoLoader and NjRAT as integral components of their cyberattacks.

In this blog, the Splunk Threat Research Team (STRT) provides a deep dive analysis of this threat, including:

  • Known Script Loader
  • Threat Analysis and Capabilities
  • NJRAT Configuration
  • Known Capabilities
  • Fileless Storage
  • Disable or Modify System Firewall
  • NjRAT MBR Killer Variant Analysis

Familiar Script Loader of njRAT

To this day, threat actors continue to use VBScript to deliver NjRAT to the target host. The loader copies itself into the %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup folder, so it runs at every logon and persists on the compromised host. Figure 1 shows its initialization: it builds the startup-folder path from a reversed string (a cheap obfuscation against string matching), then launches a PowerShell script after a delay produced by calling ping.exe. The delay is an evasion technique aimed at sandboxes and detection logic that only watch the first seconds of execution.

Figure 1: NjRAT loader adding persistence

The PowerShell script is the actual NjRAT loader: it decodes a base64-encoded executable (in this case the NjRAT binary) and executes it. Figure 2 shows the command line of the PowerShell child process spawned by the VBScript loader.

Figure 2: powershell loader

With CyberChef (a From Base64 recipe over the embedded string), the NjRAT executable can be extracted directly from that command line for analysis.

Figure 2.1: Decoded payload
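The decode step can be scripted instead of pasted into CyberChef. The following Python helper is an added example, not code from the original post or from the STRT tooling: it unwraps a PowerShell -EncodedCommand argument if one is present, scans the resulting script for long base64 runs, and keeps only the runs that decode to something with a PE header. The command lines it runs on are constructed stand-ins built around a 128-byte fake PE, not the real loader or the real NjRAT binary.

```python
import base64
import re
import struct

# Runs of base64 text long enough to plausibly carry an executable; the
# 64-character threshold is a heuristic chosen for this example.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def decode_encoded_command(cmdline: str) -> str:
    """Unwrap powershell -EncodedCommand/-enc/-e (base64 of UTF-16LE text).
    Returns the command line unchanged when no encoded command is present."""
    m = re.search(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def looks_like_pe(blob: bytes) -> bool:
    """Cheap PE sanity check: 'MZ' header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_embedded_pe(cmdline: str) -> list:
    """Return every base64 blob in the (decoded) command line that decodes to a PE."""
    script = decode_encoded_command(cmdline)
    found = []
    for run in B64_RUN.findall(script):
        try:
            blob = base64.b64decode(run, validate=True)
        except ValueError:
            continue
        if looks_like_pe(blob):
            found.append(blob)
    return found


# --- constructed sample data (not taken from the real sample) -------------
# A 128-byte stand-in for the NjRAT executable: MZ header, e_lfanew = 0x40,
# PE signature, zero padding.
FAKE_PE = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
           + b"PE\x00\x00" + b"\x00" * 60)
INNER_SCRIPT = ("[Reflection.Assembly]::Load([Convert]::FromBase64String('"
                + base64.b64encode(FAKE_PE).decode()
                + "')).EntryPoint.Invoke($null,$null)")
# Variant 1: the loader passes the script in clear text on the command line.
PLAIN_CMDLINE = 'powershell.exe -NoP -W Hidden -Command "' + INNER_SCRIPT + '"'
# Variant 2: the same script wrapped in -EncodedCommand (base64 of UTF-16LE).
ENCODED_CMDLINE = ("powershell.exe -NoP -W Hidden -EncodedCommand "
                   + base64.b64encode(INNER_SCRIPT.encode("utf-16-le")).decode())


if __name__ == "__main__":
    for name, cmd in (("plain", PLAIN_CMDLINE), ("encoded", ENCODED_CMDLINE)):
        for i, pe in enumerate(extract_embedded_pe(cmd)):
            path = f"payload_{name}_{i}.bin"
            with open(path, "wb") as fh:
                fh.write(pe)
            print(f"{name}: wrote {len(pe)} bytes to {path}")
```

Point it at the command line recorded in process-creation telemetry (Sysmon EventCode 1 or Security 4688 with command-line auditing) and the dropped file is ready for a sandbox or disassembler; the PE check keeps base64-encoded strings, certificates and the like from being written out as payloads.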

Threat Analysis and Capabilities

NJRAT Configuration

During our analysis the STRT found that NjRAT places its configuration, which holds the file name of its process, registry run keys, C2 server, port and more, in the .cctor (class constructor), also known as the type initializer. The runtime calls this special method automatically to initialize the static members of a class before any static member is accessed and before any instance of the class is created, so the configuration values are populated as static fields before the rest of the code runs.

To determine whether this pattern holds for other active NjRAT instances, the STRT downloaded over 150 recent samples from MalwareBazaar and wrote a Python tool to extract the configuration details. This let us identify candidate C2 servers, port numbers, registry run keys, and encoded strings within the configuration code.

NjRAT's configuration settings exhibit varying structures and formats with each new version, often characterized by randomized variable names. Consequently, comprehensively tagging all configuration fields can be challenging unless these variables can be correlated with their corresponding code segments.

In Demo 3.0 and Figures 3.1 and 3.2, using njrat_config_viewer.py we tagged every string extracted from the .NET CIL configuration code of the analyzed samples and generated basic statistics per tag, with the goal of identifying commonalities across all the samples.

Our data reveals that NjRAT is actively utilizing duckdns.org, ngrok.io, discord, pastebin and textbin.net as C2 servers. Additionally, it relies on the commonplace registry run key for persistence and employs base64 encoding in some of its variants to obfuscate the configuration settings.

Figure 3.1: Configuration String Stats

In our analysis of the malware sample set, we observed a prevalent pattern where the malware frequently utilizes 'svchost.exe' as the dropped filename and relies on Registry Run keys for achieving persistence.

Figure 3.2: Configuration String Stat
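A minimal version of that tagging approach, written for this post as an added example (it is not njrat_config_viewer.py or any other STRT tool): it pulls UTF-16LE literals out of a .NET binary, which is how string literals sit in the #US metadata heap, assigns each one a tag, and counts tags across samples. The two sample blobs, the hostnames and ports in them, and the domain forms assumed for "discord" and "pastebin" are all constructed for the example.

```python
import base64
import re
from collections import Counter

# .NET user-string literals (the #US heap) are stored as UTF-16LE, so a scan
# for runs of printable ASCII code units recovers most configuration values.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# Rendezvous services the post reports as NjRAT C2 hosts. The exact domain
# forms used for "discord" and "pastebin" are assumptions for this example.
C2_SUFFIXES = ("duckdns.org", "ngrok.io", "discord.com", "discordapp.com",
               "pastebin.com", "textbin.net")
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
RUN_KEY = re.compile(r"CurrentVersion\\Run", re.I)
B64 = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def extract_utf16_strings(data: bytes) -> list:
    """Return every run of four or more printable UTF-16LE code units."""
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]


def tag_string(s: str) -> str:
    """Assign one tag per string; order matters (a port is checked before base64)."""
    low = s.lower()
    if low.endswith(C2_SUFFIXES) or IPV4.match(s):
        return "c2_host"
    if s.isdigit() and 1 <= int(s) <= 65535:
        return "port"
    if RUN_KEY.search(s):
        return "run_key"
    if low.endswith(".exe"):
        return "dropped_filename"
    if B64.match(s):
        try:
            base64.b64decode(s, validate=True)
            return "base64"
        except ValueError:
            pass
    return "other"


def config_stats(samples) -> Counter:
    """Tag every extracted string in every sample and count tags across the set."""
    stats = Counter()
    for data in samples:
        for s in extract_utf16_strings(data):
            stats[tag_string(s)] += 1
    return stats


# --- constructed stand-ins for the #US heap of two samples -----------------
def u16(s: str) -> bytes:
    return s.encode("utf-16-le")


GAP = b"\x00\x00\xff"  # non-string bytes separating the literals
SAMPLES = [
    # plain-text configuration
    GAP + u16("svchost.exe") + GAP + u16("lab-c2.duckdns.org") + GAP + u16("5552")
    + GAP + u16(r"Software\Microsoft\Windows\CurrentVersion\Run") + GAP
    + u16("mscorlib") + GAP,
    # variant that base64-encodes the C2 host
    GAP + u16("svchost.exe") + GAP
    + u16(base64.b64encode(b"lab-c2.duckdns.org").decode()) + GAP + u16("1177")
    + GAP + u16(r"Software\Microsoft\Windows\CurrentVersion\Run") + GAP,
]

if __name__ == "__main__":
    for tag, n in config_stats(SAMPLES).most_common():
        print(f"{tag:18s} {n}")
```

Running it over real samples means feeding the bytes of each file to config_stats; because the tagger only sees strings, a variant that stores its configuration base64-encoded shows up in the base64 bucket rather than as a c2_host, which is exactly the signal that a second decoding pass is needed.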

Known Capabilities

NjRAT has a wide set of capabilities for controlling the compromised host and extracting sensitive data from it. These include manipulating files, processes, services and the registry, establishing remote connections, capturing the screen, keylogging, microphone recording and much more.

Figure 4: NjRAT Features 

Figure 5 shows NjRAT's view of the compromised host's desktop. This functionality is delivered as a .dll plugin fetched from the server and executed on the compromised host.

Figure 5.1 reveals the NjRAT server's interface, showcasing the keylogged data collected from the compromised host.

Figure 5.1: Keylogger 

Fileless Storage

One interesting characteristic of this RAT is its fileless storage approach. NjRAT keeps keylogged data in a registry entry named "[kl]". Likewise, when the server sends a .dll plugin to the client component for execution on the compromised host, the client does not save it as a file. It stores the plugin in the registry, from where it can be read and loaded on demand to perform a specific task or feature.

Figure 6: Fileless Storage

Disable or Modify System Firewall

The STRT also observed the ability of NjRAT to impair defense by disabling or modifying the settings of the firewall of the compromised system. Figure 7 shows the screenshots of its code responsible for modifying the system's firewall settings during the installation process.

Figure 7: firewall modification

Now, let's take a deep dive into a specific NjRAT variant distinguished by its capability to wipe out or destroy the Master Boot Record (MBR) of the compromised host.

NjRAT MBR Killer Variant Analysis

Figure 8 shows the Detect It Easy output for the NjRAT sample containing the MBR wiper. The PE timestamp reads August 28, 2023 (a field the author controls, so treat it as a hint rather than proof of build date), and the binary was compiled with VB .NET.

Figure 8: Detect It Easy Info

Disable or Modify Tools

At its entry point, this sample attempts to run several functions enabled by its configuration settings: persistence through the registry, shutting down its own bot client via taskkill, and killing the processes of several security products, analysis tools and sandboxes.

Figure 9: Security Processes Termination

Account Discovery

It uses a simple method to determine whether its process holds administrative privileges: it attempts to create a file named 'win.dat' in the root of C:\. Because writing to the root of the system drive is denied to standard users under default ACLs, success indicates that the current process token has admin rights; failure indicates that it does not.

Figure 10: admin privilege check

Replication Through Removable Media

This variant can also spread itself through removable drives: any drive connected to the compromised host is infected, and carries the malware to the next host it is plugged into.

Figure 11: worm behavior

Bypass User Account Control

It is also capable of bypassing the Windows User Account Control (UAC) feature to elevate its process on the compromised system. NjRAT abuses the auto-elevating eventvwr.exe, which consults a user-writable registry location (HKCU\Software\Classes\mscfile\shell\open\command in the well-known form of this technique) to find the mmc.exe command used to open the eventvwr.msc saved console. By placing its own file path in that registry entry, NjRAT gets launched as a high-integrity process without a UAC prompt being shown to the user.

Figure 12: UAC Bypass

Persistence

In addition to the familiar Registry Run key from NjRAT's configuration settings, this variant drops a copy of itself in the Windows startup folder. Alongside this copy it drops a .url file that points at the copied executable, named 'EdgeUpdater.exe', so the copy runs automatically at the next logon on the compromised host.

Figure 13: drop copy in startup folder

Disk Wipe

In addition to its standard keylogging functionality, this particular variant of NjRAT can carry out a highly destructive action: wiping the Master Boot Record (MBR). When it receives the command string 'FuckMBR' from its C2 server, it opens the raw physical disk \\.\PhysicalDrive0 (the whole disk, not a partition) and overwrites the first sector, which holds the MBR, with a custom boot sector embedded in its code. The compromised host no longer boots into Windows; instead the replacement boot sector displays a message stating that the system has been infected.

Figure 14: MBR Wiper

To develop detections for this technique, you can force execution of this function in a disposable lab VM, or copy the boot sector embedded in the sample, write it with the MBR-Rewind tool, and use the same tool to restore the original boot sector afterwards. Either way, snapshot the VM and save a copy of sector 0 before the test: the overwrite is not reversible without a backup.

Figure 15: MBR payload
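A small parser for sector 0 that can serve as the before/after check in such a test, added here as an example rather than taken from the post, the sample or MBR-Rewind. It validates the 0x55AA signature, decodes the four partition entries and compares the boot code against a baseline hash captured before the test; the two sectors it is exercised on are constructed stand-ins, not the sample's embedded payload. Reading the live sector through \\.\PhysicalDrive0 needs an elevated prompt and belongs in a disposable VM only.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: boot code
PART_TABLE_OFF = 446          # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_partition_entry(entry: bytes):
    """Decode one 16-byte entry; return None for an empty slot."""
    status, ptype = entry[0], entry[4]
    lba_start, sector_count = struct.unpack_from("<II", entry, 8)
    if ptype == 0 and sector_count == 0:
        return None
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sector_count}


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into signature check, boot-code hash and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    entries = [parse_partition_entry(sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)])
               for i in range(4)]
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": [e for e in entries if e is not None],
    }


def diagnose(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Compare a sector against a known-good baseline captured before the test run."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    if not info["partitions"]:
        findings.append("partition table empty")
    elif not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a sector from boot code and (status, type, lba_start, sectors) tuples."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack("<B3sB3sII", status, b"\x00" * 3, ptype, b"\x00" * 3, lba, count)
                     for status, ptype, lba, count in partitions)
    return code + table.ljust(64, b"\x00") + BOOT_SIGNATURE


# --- constructed test sectors (not the real sample's payload) --------------
GOOD_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb",   # stand-in boot code
                     [(0x80, 0x07, 2048, 0x100000)])        # one active NTFS partition
BASELINE = hashlib.sha256(GOOD_MBR[:BOOT_CODE_LEN]).hexdigest()
# Stand-in for a wiper's custom boot sector: a message where the boot code was,
# no partition table, but a valid 0x55AA so the firmware still executes it.
WIPED_MBR = build_mbr(b"Your system has been infected", [])


def read_sector0_windows() -> bytes:
    """Read the real MBR on a Windows lab VM (requires an elevated prompt)."""
    with open(r"\\.\PhysicalDrive0", "rb") as disk:
        return disk.read(SECTOR_SIZE)


if __name__ == "__main__":
    print("good  :", diagnose(GOOD_MBR, BASELINE) or "intact")
    print("wiped :", diagnose(WIPED_MBR, BASELINE))
```

Record BASELINE from read_sector0_windows() before detonating, run diagnose on a fresh read afterwards, and an empty list confirms the restore. On GPT disks sector 0 holds only the protective MBR and the boot path runs through the EFI System Partition, so the visible impact of an MBR overwrite differs from a legacy BIOS system; test in the firmware mode your fleet actually uses.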

NjRAT is also capable of collecting system information from the targeted host, such as hostname, username, OS version, OS architecture, and the installed antivirus product, which it obtains by executing the WMI query "Select * From AntiVirusProduct" (the AntiVirusProduct class lives in the root\SecurityCenter2 namespace on current Windows versions). The table below lists notable commands we observed, each of which executes a specific task or payload on the compromised host.

 

String Command             Task
-------------------------  -----------------------------------------------------
"CloseCD" or "OpenCD"      Close or open the CD tray
UACbyp                     UAC bypass using mmc.exe
Piano                      Play a custom beep sequence
FuckMBR                    MBR slayer/wiper
Runas                      Run with admin privileges
bsod                       Raise exception
persis                     Persistence mechanism
checkin                    Check admin rights
schedtasks                 Create scheduled task (Schtasks /create /tn )
unschedtasks               Delete scheduled task (Schtasks /delete /tn )
spreadusbme                Spread to removable drives
"restartme" or "rst"       "Shutdown -r -t 00 -f" or "shutdown /r /t 00"
"shutdowm" or "sht"        "Shutdown -s -t 00 -f" or "shutdown /s /t 00"
speech                     Launch text-to-speech synthesis
"HideTask" or "ShowTask"   Hide or show the taskbar (tray) window
"HideDesk" or "Showdesk"   Hide or show the Progman (desktop) window
lof                        Log off ("shutdown /l /f")
botk                       Bot killer: kill its own bot client
SoundUp                    Zip and send the recorded scream.wav file

Detections

The Splunk Threat Research Team has curated relevant detections and tagged them to the NjRAT Analytic Story to help security analysts detect adversaries leveraging the malware. 

This release used and considered the following endpoint telemetry sources:

  • Process Execution & Command Line Logging
  • Windows Security SACL Event ID, Sysmon, or any Common Information Model compliant EDR technology
  • Windows Security Event Log
  • Windows System Event Log
  • Windows PowerShell Script Block Logging 

As an example, the analytic Windows Njrat Fileless Storage via Registry identifies a suspicious registry modification associated with NjRAT, a telltale sign of its fileless technique. NjRAT uses this method to store its keylogs and to stage downloaded DLL plugin modules for execution on the compromised host without touching the file system.

 

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry 
  where Registry.registry_path="*\\[kl]" OR  Registry.registry_value_data IN ("*[ENTER]*", "*[TAP]*", "*[Back]*")
  by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data Registry.registry_key_name Registry.registry_value_name
  | `drop_dm_object_name(Registry)` 
  | `security_content_ctime(lastTime)`
  | `security_content_ctime(firstTime)` 

The analytic Windows Executable in Loaded Modules flags Sysmon EventCode 7 (ImageLoaded) events in which the loaded module is an .exe. In the NjRAT instances we observed, each time a plugin module fetched from the C2 server was loaded, Sysmon recorded the path of the NjRAT image itself as the ImageLoaded value, rather than a DLL as with ordinary module loads. Since modules loaded by a process are normally .dll files, an .exe in this field is a useful signal.

`sysmon` EventCode=7 ImageLoaded= *.exe
  | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded Signed SignatureStatus OriginalFileName process_name Computer EventCode ProcessId Hashes IMPHASH 
  | rename Computer as dest 
  | `security_content_ctime(firstTime)` 
  | `security_content_ctime(lastTime)` 

The analytic Windows Admin Permission Discovery identifies suspicious file creation in the root drive (C:\). This tactic was observed in NjRAT as a means to ascertain whether its malware instance running on the compromised host possesses administrative privileges. 

|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem 
  where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe", "*.js", "*.bat", "*.cmd", "*.pif", "*.lnk", "*.dat") 
  by Filesystem.file_create_time Filesystem.process_id  Filesystem.file_name Filesystem.file_path Filesystem.user 
  | `drop_dm_object_name(Filesystem)` 
  | eval dropped_file_path = split(file_path, "\\") 
  | eval dropped_file_path_split_count = mvcount(dropped_file_path) 
  | eval root_drive = mvindex(dropped_file_path,0) | where LIKE(root_drive, "C:") AND dropped_file_path_split_count = 2  
  | `security_content_ctime(firstTime)` 
  | `security_content_ctime(lastTime)` 
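To see what these three analytics match on outside Splunk, here is the same logic as plain Python run over constructed events, an added example that is not part of the original post or of the Splunk Security Content repository. The event dictionaries mimic the CIM Registry and Filesystem fields and the Sysmon EventCode 7 fields used by the SPL above; the hostname, registry paths and file paths are made up. It also covers the fileless "[kl]" registry storage described earlier in the post.

```python
KEYLOG_MARKERS = ("[ENTER]", "[TAP]", "[Back]")
DROPPABLE_EXT = (".exe", ".dll", ".sys", ".com", ".vbs", ".vbe", ".js",
                 ".bat", ".cmd", ".pif", ".lnk", ".dat")


def njrat_fileless_registry(event: dict) -> bool:
    """Windows Njrat Fileless Storage via Registry: a registry path ending in
    \\[kl], or value data carrying the RAT's keystroke markers."""
    path = event.get("registry_path", "")
    data = event.get("registry_value_data", "")
    return path.endswith("\\[kl]") or any(m in data for m in KEYLOG_MARKERS)


def executable_in_loaded_modules(event: dict) -> bool:
    """Windows Executable in Loaded Modules: Sysmon EventCode 7 whose
    ImageLoaded is an .exe rather than a DLL."""
    return (event.get("EventCode") == 7
            and event.get("ImageLoaded", "").lower().endswith(".exe"))


def admin_permission_discovery(event: dict) -> bool:
    """Windows Admin Permission Discovery: a droppable file created directly
    under the root of C:\\ (exactly two path components, as in the SPL)."""
    parts = event.get("file_path", "").split("\\")
    return (len(parts) == 2 and parts[0].upper() == "C:"
            and parts[1].lower().endswith(DROPPABLE_EXT))


RULES = {
    "Windows Njrat Fileless Storage via Registry": njrat_fileless_registry,
    "Windows Executable in Loaded Modules": executable_in_loaded_modules,
    "Windows Admin Permission Discovery": admin_permission_discovery,
}


def run_rules(events) -> dict:
    """Return {rule_name: [ids of events that matched]} in one pass."""
    hits = {name: [] for name in RULES}
    for event in events:
        for name, rule in RULES.items():
            if rule(event):
                hits[name].append(event["id"])
    return hits


# --- constructed events; host, key and path names are made up --------------
EVENTS = [
    {"id": 1, "dest": "lab-ws01",
     "registry_path": r"HKCU\Software\a1b2c3d4\[kl]", "registry_value_data": ""},
    {"id": 2, "dest": "lab-ws01",
     "registry_path": r"HKCU\Software\a1b2c3d4\Plugin",
     "registry_value_data": "lab-ws01 [ENTER] password123 [Back]"},
    {"id": 3, "dest": "lab-ws01",
     "registry_path": r"HKCU\Software\Microsoft\Office\Common", "registry_value_data": "1"},
    {"id": 4, "dest": "lab-ws01", "EventCode": 7,
     "Image": r"C:\Users\lab\AppData\Roaming\svchost.exe",
     "ImageLoaded": r"C:\Users\lab\AppData\Roaming\svchost.exe"},
    {"id": 5, "dest": "lab-ws01", "EventCode": 7,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
    {"id": 6, "dest": "lab-ws01", "file_path": r"C:\win.dat", "file_name": "win.dat"},
    {"id": 7, "dest": "lab-ws01", "file_path": r"C:\Windows\Temp\win.dat", "file_name": "win.dat"},
]

if __name__ == "__main__":
    for name, ids in run_rules(EVENTS).items():
        print(f"{name}: events {ids}")
```

Events 1, 2, 4 and 6 fire, 3, 5 and 7 do not; the root-drive rule deliberately ignores the same file name deeper in the tree, which is the same trade-off the SPL makes with its two-component path check.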

Overall, the NjRAT analytic story introduces 35 detections across MITRE ATT&CK techniques. 

Indicators of Compromise (IOC)

https://gist.github.com/tccontre/4013f4d54d294d6f21efc616b7dafbea

Playbooks

Non-hunting detections associated with this analytic story create entries by default in the Splunk Enterprise Security risk index which can be used seamlessly with risk notables and the Risk Notable Playbook Pack. Additionally, the Automated Enrichment playbook pack also works well with the output of any of these analytics.

Playbook                                  Description
----------------------------------------  ------------------------------------------------------------
Automated Enrichment                      Moves the event status to open and then launches the Dispatch playbooks for Reputation Analysis, Attribute Lookup, and Related Tickets.
Identifier Reputation Analysis Dispatch   Detects available indicators and routes them to indicator reputation analysis playbooks. The output of the analysis will update any artifacts, tasks, and indicator tags.
Attribute Lookup Dispatch                 Detects available entities and routes them to attribute lookup playbooks. The output of the playbooks will create new artifacts for any technologies that return information.
Related Ticket Search Dispatch            Detects available indicators and routes them to dispatch related ticket search playbooks. The output of the analysis will update any artifacts, tasks, and indicator tags.

Why Should You Care?

This blog helps security analysts, blue teamers and Splunk customers identify NjRAT by documenting the tactics, techniques and procedures threat actors use with it. By understanding its behaviors, the Splunk Threat Research Team was able to generate telemetry and datasets to develop and test Splunk detections that help defend against and respond to this threat.

Learn More

You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections now available via push update. 

For a full list of security content, check out the release notes on Splunk Docs.

Feedback

Any feedback or requests? Feel free to put in an issue on GitHub and we'll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on Slack.

Contributors

We would like to thank Teoderick Contreras for authoring this post and the entire Splunk Threat Research Team for their contributions including Michael Haag, Mauricio Velazco, Lou Stella, Bhavin Patel, Rod Soto, Eric McGinnis, and Patrick Bareiss.

 

The Splunk Threat Research Team is an active part of a customer's overall defense strategy by enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond against the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks which are stored as datasets in the Attack Data repository.

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.

