Updated - April 1, 2018
Updated - April 3, 2018 (added IOCs)
njRAT, also known as Bladabindi, is a remote access Trojan (RAT) that was first seen in 2013 and continues to be one of the most prevalent malware family. It was developed using the Microsoft .NET framework and, like many other RATs, provides complete control of the infected system and delivers an array of features to the remote attacker. There are multiple .NET obfuscation tools that make detection difficult for antivirus solutions and that hinder analysis by security researchers. njRAT utilizes dynamic DNS for command-and-control (C2) servers and communicates using a custom TCP protocol over a configurable port.
We covered njRAT builder kit in our previous blog published in 2015. In this blog, we will cover one of the newer variant of njRAT dubbed njRAT Lime Edition that we are seeing in the wild. This variant includes support for:
Below is a snapshot of the njRAT Lime Edition configuration file:
Some highlights from the configuration files:
Configured to drop into Temp folder of the infected system with filename Client.exe
Bot Version: 0.7.3
C&C server: online2018.duckdns[.]org
Port Number: 1700
Upon receiving searchwallet command, the malware tries to gather the running process in the victim's machine and uses it to track crypto wallets when merchants buy or sell Bitcoins or make other payments. These digital wallets securely store digital currency, and they can be connected to bank accounts, debit cards, or credit cards, so that digital currency can be exchanged into and out of one's local currency.
The malware leverages windows WMI queries, such as "SELECT * FROM AntivirusProduct" and "SELECT * FROM Win32_VideoController," to check for VM or sandbox environment. It is capable of sending system information such as:
Malware monitors for the following process names on the victim machine and if found in running state, malware will try to kill the process:
This njRAT variant also has the capability of performing ARME and Slowloris DDoS attacks. Slowloris is an attack tool designed to allow a single machine to take down a server with minimal bandwidth, and also to send multiple partial HTTP requests. Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. ARME attack also tries to exhaust the server memory.
The malware shuts down and restarts the system with the following command:
-r -> restart the computer that's currently being used
-t -> time, in seconds
-f -> forces running programs to close without warning
We have seen the following C&C commands in the malware:
|delchrm||Delete chrome cookies and saved logins|
|MonitorOFF||Turn off monitor|
|TextToSpeech||Announces text received from C&C using TextToSpeech|
|NormalMouse||Restores normal mouse button functionality|
|taskmgrON||Enable task manager|
|Kl||Keylogger command that checks foreground window and keys pressed|
|Seed||Sharing, downloading files with torrent software such as BitTorrent and uTorrent|
|ddos.slowloris.start||Start Slowloris attack|
|RwareSU||Drop and show ransom note|
|restartme||Restart the computer|
|DisableCMD||Disable command prompt|
|EventLogs||Delete event logs|
|BitcoinOFF||Stop Bitcoin monitor thread|
|Botk||Start the botkiller thread|
|pcspecs||Send system information (CPU/GPU/RAM)|
|Searchwallet||Check installed bitcoin wallets in the system and send to C&C server|
|PLG||Load plugin and configure with C&C server|
The malware also has a WORM functionality to spread through USB that enumerates the files and folders on the hard drive. Once it detects the USB drive inserted into the system, it copies itself to the USB drive and creates a shortcut using the folder icon.
The ransomware encrypts files with the extension .lime using the AES-256 symmetric algorithm, which means the key is the same for encryption and decryption.
Ransomware Key generation
When Lime is first launched, it will call a RandomString() function, which will attempt to generate an AES key. It generates a 50-byte array from the input string using a random index, and uses the random() function to fetch one character and stores it to the output string. Lime drops the output string at %AppData%\\Microsoft\\MMC\\hash location.
Upon receiving command, the malware will try to encrypt files in following folders:
The malware also contains function to decrypt all files that are encrypted by Lime ransomware as seen below:
Zscaler ThreatLabZ is actively tracking njRAT variant activities and ensuring Zscaler customers are protected.
Indicators of Compromise
Zscaler Detection Names