Unmasking the activities of a low-level threat actor using njRat

This blog was written by Sam Stoneley, SenseOn Security Analyst.

SenseOn has investigated an njRAT infection as part of our threat intelligence efforts.

In this article, one of our cybersecurity analysts explores the following:

• How njRAT threat actors operate.
• Useful TTPs associated with njRAT.
• Other unique insights.

Read on to see how our team leveraged SenseOn’s advanced telemetry to present security researchers and professionals with a new level of insight into the njRAT attack chain.

What is njRAT?

njRAT (also known as Bladabindi) is a variant of Remote Access Trojan (RAT) that allows a remote hacker to gain unauthorised access to a victim’s computer or device.

Once the attacker has successfully infiltrated the system, they can carry out a wide range of malicious activities – for example, collect information about the infected PC, like its operating system number, steal cryptocurrencies, download files, and add the victim’s computer to a botnet – without the victim’s knowledge or consent.

njRAT provides the attacker with complete control over the victim’s computer. This includes accessing and manipulating any files or programs on the infected device. Because njRAT also acts as a keylogger, the attacker can log keystrokes to capture sensitive information such as usernames, passwords, and credit card numbers.

njRAT can also capture screenshots of the victim’s computer screen. This can give the attacker the ability to monitor the victim’s online communications and activity on web browsers.

In addition, the njRAT trojan can take control of a victim’s webcam and microphone, which can be particularly invasive. The attacker can use this feature to record audio and video and even engage in blackmail or other forms of cybercrime.

njRAT can spread via phishing attacks and spam campaigns on Discord as well as through compromised websites where users are tricked into downloading malicious files instead of product software updates. It can use techniques like obfuscation to avoid detection by security tools like firewalls and antivirus software.

The latest njRAT campaign was seen targeting victims in North Africa and the Middle East.

Sample Background

For this malware analysis, SenseOn analysts obtained an njRAT sample using open-source methods and performed static analysis on the file. This allowed analysts to identify similar executables utilising ‘ply[.]gg’ C2 domains. The ‘ply[.]gg’ appears to be a common infrastructure used by the threat actors behind this strain of njRAT.

Initial Access

Analysts executed the sample in a sandbox environment as part of our dynamic analysis. The sample used was named ‘Registry.exe’ with the hash ‘f0971708051fea3714f044c86e0265e9f6982cbc653c2e51f1735a9b8468deab’.

Upon running the file, SenseOn identified the executable had been copied to the ‘C:\Windows\’ directory. A scheduled task was created shortly after, under the name ‘MicrosoftEdgeUpdateTaskMachine’, to execute the malicious ‘Registry.exe’ file.

Analysing the scheduled task entries in the SenseOn platform, we can see this was executed around every minute. This behaviour aligns with the concept of ‘beaconing’, a technique commonly employed by malware to establish regular communication or signal its presence to a remote server.

The purpose of this scheduled task was to check if the Command and Control (C2) server was live and call home. This conclusion was drawn based on consistent connections being made to C2 domains each time the task was executed. These connections indicated a clear intent to establish a reliable channel of communication between the infected machine and the C2 server.

By continuously checking the server’s live status, the threat actor ensured seamless communication and potential remote control over the compromised system.

In addition to the scheduled task, a startup item named ‘Registry.exe’ was also created to maintain persistence on the machine. The startup item was located in the registry path ‘\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run’.

This IoC was consistent across other infections of the njRAT malware.

In this campaign, C2 requests were sent to ‘secure-reach[.]at[.]ply[.]gg’ every time the scheduled task was executed. The domain ‘play[.]gg’ is a service that provides an alternative to port forwarding, primarily for game servers like Minecraft, but attackers have been abusing this service to host malware. SenseOn analysts identified other njRAT infections beaconing to ‘ply[.]gg’ domains, which is likely related to this strain.

Initially, the C2 connections were unsuccessful. However, the server came online during hands-on keyboard activity by the attacker. Beaconing activity would be difficult to detect as no data is transferred most of the time, extending the potential lifespan of the C2 server.

Performing an Nmap scan against the associated IP address and specified port revealed that the port associated with this server was open. However, the service running on that port remained unidentified.

Hands-on keyboard

SenseOn analysts left the sample running in the sandbox for several days in case the C2 server came online. During this period, they closely monitored the device for any signs of interaction or unusual behaviour. Upon analysing the network telemetry data, analysts observed a surge of successful connections occurring specifically between 9 PM and 4 AM UTC.

With the C2 server active, an Nmap scan was again performed. This scan successfully identified the service running as njRAT.

The real-time activity of the njRAT threat actors was observed using the SenseOn platform. In the attacker’s first connection, the malicious registry program executed ‘cmd.exe’, providing the attacker with shell access to the device.

SenseOn also identified the threat actor had opened ‘control.exe’ on the infected machine. This program, also known as the Control Panel, provides access to a range of system settings and configurations, including user accounts, hardware and device settings, and security options.

The executed process initiated by the attacker had been launched through Windows Explorer. This method of execution suggests a possible connection via a remote access tool allowing visual interaction and control over the device.

The attacker’s use of ‘control.exe’ suggests that they were attempting to manipulate these settings to gain greater control over the infected system. Such actions might include creating new user accounts, disabling security features, or modifying system settings to make the machine more vulnerable to future attacks.

The attacker was later seen opening the Microsoft Edge browser and visiting numerous open-source IP address lookup sites. By visiting this site, the attacker was likely attempting to determine the external IP address of the infected machine. This could be used to identify the victim organisation and a potential target for further attacks.

Based on the browser history, we can see that the threat actor had also visited Steam, a popular gaming platform. This activity strongly suggests that their intention was to obtain in-game purchases or gain access to gaming applications available on the platform.

SenseOn observed the attacker execute the Microsoft Support Diagnostic Tool (msdt.exe) through Explorer. Analysts determined that the attacker used this tool to troubleshoot sound drivers on the compromised machine, as indicated by the commands passed into the program.

The final activity identified was the attacker executing a process named ‘e47a31bd985a423c9b525a2d988d8c6e.exe’, with the parent process being ‘Registry.exe’.

This had likely been uploaded through the njRAT tool. The unusual executable appears to have failed to execute due to Windows Defender blocking the execution. SenseOn observed the attacker attempting to use Task Manager (taskmgr.exe) to verify the process was running.

After the unsuccessful execution, SenseOn analysts did not detect any additional hands-on activity from the attacker and closed the investigation. It’s possible that the attacker discovered the environment was a sandbox and abandoned the attempt since the payload failed to execute.

Time of Day Analysis

Examining the active network connections, time of day analysis suggests that the threat actor was consistently active between 9 PM and 3 AM UTC. These findings indicate that the attacker is likely based in The Americas region. Taking Brazil as an example, which aligns with a UTC-3 timezone, the corresponding active hours in this region would be between 7 PM and midnight.

The activity performed on the sandbox machine strongly suggests that this is a low-level threat actor. The nature of their hands-on actions primarily revolves around acquiring in-game content, such as character skins, indicating a focus on gaming-related objectives. Moreover, the active hours of the actor align with the end of their workday, suggesting that they are available during this time to engage in direct activity on compromised systems.

The alignment between the attacker’s active hours and the specific nature of their actions strengthens the hypothesis that the individual in question is a low-level threat actor rather than related to organised crime/APT groups.

Conclusion

In this investigation, SenseOn uncovered that an attacker had used the njRAT malware to gain unauthorised access to a sandbox machine. It seems likely that the attacker’s goal was to maintain a presence on the compromised system, steal sensitive data, and possibly launch further attacks from it.

The SenseOn platform allowed analysts to trace every step of the infection and create a detailed timeline of the attacker’s actions.

During our analysis, we found that the attacker had taken advantage of legitimate services like ‘play[.]gg’ to forward the remote access connections to the attacker’s machine. We also noticed the attacker attempting to troubleshoot sound drivers using the Microsoft Support Diagnostic Tool (msdt.exe), as well as trying to execute a suspicious file named ‘e47a31bd985a423c9b525a2d988d8c6e.exe’.

The attacker didn’t make any further attempts on the system after the suspicious file failed to execute. It’s possible that the attacker discovered their malware was running a sandbox machine and chose to abandon their efforts.

IoCs