Remote access Trojans (RATs) do not usually have the capability to spread to more machines. But that is changing with a variant of the njRAT.
Njw0rm, likely written by the same author, has all of the data-stealing capabilities of its forerunner. In addition, it can detect when a user connects a removable storage device such as a USB drive to the machine, and it attempts to copy itself to the device in the hope of spreading to more machines.
“The only reason I can think of is to jump an air gap between machines on disconnected networks,” said Nart Villeneuve, senior threat intelligence researcher at FireEye. “Typically, RATs don’t have the ability to spread. They are sent to a target and that essentially allows an attacker to take remote control of the computer. We see RATs used typically in a targeted attack because it requires a human on the other side to execute commands and exfiltrate data, unlike crimeware with automated extraction features. You just don’t see RAT spreading automatically.”
Njw0rm constantly checks whether a removable device is present on a compromised machine and whether there is enough memory for the malware. If so, it creates a hidden My Pictures directory on the device as a lure to trick the victim into executing the malicious code.
“It then gets a list of 10 folders on the removable drive, hides those 10 folders, and creates shortcut links with the same names for each of them — all pointing to the malware executable,” Villeneuve and fellow researcher Uttang Dawda said in a blog post. “When unsuspecting users click on one of the shortcuts to open what they think is a familiar folder, they execute the worm instead.”
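The folder-hiding lure Villeneuve and Dawda describe leaves a recognisable footprint on the drive itself: real folders carrying the hidden attribute, each shadowed by a same-named .lnk file. The script below is an added example, not code from the article or from FireEye; it assumes the drive's mount point is passed as the first argument and otherwise runs against a constructed sample directory.

```python
"""Check a removable drive for Njw0rm's lure: hidden folders shadowed by same-named .lnk files."""
import os
import sys
import tempfile
from typing import Dict, List

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit; POSIX stat lacks it

def is_hidden(path: str) -> bool:
    """Hidden attribute from os.stat; only Windows exposes it, elsewhere
    this is False and the folder/.lnk pairing alone is the signal."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)

def find_lnk_lures(root: str) -> List[Dict[str, object]]:
    """Every folder directly under root that has a sibling '<name>.lnk'
    (matched case-insensitively, as FAT/NTFS do), plus its hidden flag."""
    try:
        entries = os.listdir(root)
    except OSError:
        return []
    by_lower = {name.lower(): name for name in entries}
    hits = []
    for name in sorted(entries):
        full = os.path.join(root, name)
        if not os.path.isdir(full):
            continue
        lnk = by_lower.get(name.lower() + ".lnk")
        if lnk is not None:
            hits.append({"folder": name, "lnk": lnk, "hidden": is_hidden(full)})
    return hits

def build_sample_drive() -> str:
    """Constructed stand-in for an infected stick: two folders shadowed by
    shortcuts, one folder left alone, plus unrelated files."""
    root = tempfile.mkdtemp(prefix="usb_")
    for folder in ("Photos", "Docs", "Music"):
        os.mkdir(os.path.join(root, folder))
    for name in ("Photos.lnk", "docs.LNK", "Music.txt", "readme.txt"):
        open(os.path.join(root, name), "w").close()
    return root

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_drive()
    for hit in find_lnk_lures(target):
        flag = "hidden " if hit["hidden"] else ""
        print(f"{flag}folder {hit['folder']!r} shadowed by {hit['lnk']!r}")
```

A folder/.lnk pair is unusual enough on a removable drive to be worth a look on any platform; on Windows the hidden flag on the folder is the stronger confirmation.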
Njw0rm also goes after passwords: it steals them from Chrome browser settings, takes FTP passwords stored in an XML file on the machine, and collects account credentials for the No-IP dynamic DNS service.
“The ability to steal No-IP credentials is unique. Many threat actors use dynamic DNS domains for their infrastructure,” Villeneuve and Dawda wrote. “So an attacker with stolen No-IP credentials could use the service to perform reconnaissance or target other systems.”
No-IP is a preferred choice for command-and-control infrastructure in other similar attacks. No-IP, however, allows its users only three domains for free. One theory is that this capability is in place to give attackers a more robust command-and-control setup.
“It’s a generic functionality, so it’s hard to determine intent,” Villeneuve said. “This could be just a way to steal No-IP credentials from someone else, possibly to shift the blame to someone else if they get found out, or to take control of another attacker’s compromised machines.”
In July, security experts at General Dynamics warned of a spike in njRAT attacks targeting government agencies, telecom and energy organizations in the Middle East. These espionage attacks were thorough; the malware dropped a keylogger and was capable of accessing a computer’s camera, stealing credentials stored in browsers, opening reverse shells, stealing files, manipulating processes and viewing the user’s desktop.
Victims fell for spear-phishing emails or were infected via drive-by downloads. Each attack was trackable through a unique identifier, and the malware could also scan for other vulnerable computers on the same network in order to pivot from resource to resource looking for data to steal.