Government agencies, telecom and energy organizations in the Middle East are the target of espionage malware known as njRAT, security researchers said.
The remote access Trojan (RAT) is thorough in its data-stealing capabilities. Beyond dropping a keylogger, variants are capable of accessing a computer’s camera, stealing credentials stored in browsers, opening reverse shells, stealing files, manipulating processes and viewing the user’s desktop.
Security company Fidelis, owned by General Dynamics, reports a surge in activity involving njRAT during the past 30 days.
“We have observed the majority of the attacks leveraging njRAT to be against organizations based in or focused on the Middle East region in the government, telecom, and energy sectors. However, as this is a publicly available tool it can be attained and deployed with ease regardless of location or industry,” Fidelis said in its advisory.
The malware is delivered via spear-phishing emails or drive-by downloads. The attackers also embed the malware in other applications such as the L517 Word List Generator; the malware is compressed and hidden within a number of tools in order to avoid detection by security software.
Like other espionage campaigns, each individual attack has a unique identifier. Once a victim is infected, the malware can also scan the same network for other vulnerable machines to infect. That ability to move laterally once inside a network, combined with the legitimate credentials and other data it harvests through keylogging, makes njRAT a classic APT-style attack tool.
Fidelis dissected one sample, called Authorization[.]exe, which was embedded in a .scr attachment sent to the victim. Not only did the sample have data-stealing capabilities, but it also included a builder that lets the attacker generate new clients or configure command-and-control IP addresses and ports, the ability to spread via USB, and more, Fidelis said.
The malware stores keystrokes in a .tmp file and connects to a control server over port 1177 at an IP address registered in Gaza City, Palestine. A copy of the malware is stored in a second directory created by the attacker so that it executes again after reboots. Once it connects to the command-and-control server, it sends system information including the computer name, attacker identifier, system location, operating system details, whether the computer has a built-in camera, and which windows are open.
The list of open windows not only tells the attacker about the user’s activities; it can also alert him that the sample is undergoing analysis if Wireshark, Filemon or a similar tool is open on the victim’s screen.
“This will quickly let the attacker know that someone is performing reverse engineering of his malicious code,” Fidelis said.
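The port-1177 control channel described above gives defenders a simple place to look in perimeter logs. The following is an added example (not from the Fidelis report) that parses constructed firewall log lines, separates hosts that connect repeatedly to the same destination on TCP 1177 from hosts with a single hit, and treats the log format, IP addresses and thresholds as assumptions. Because the builder lets an operator change the port, this is a starting point for hunting, not a complete detection.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log lines (not from the Fidelis report):
# timestamp src_ip src_port dst_ip dst_port action
SAMPLE_LOG = """\
2014-06-12T09:00:01 10.0.0.5 49152 203.0.113.10 1177 ALLOW
2014-06-12T09:00:31 10.0.0.5 49153 203.0.113.10 1177 ALLOW
2014-06-12T09:01:01 10.0.0.5 49154 203.0.113.10 1177 ALLOW
2014-06-12T09:00:10 10.0.0.7 49200 198.51.100.20 443 ALLOW
2014-06-12T09:05:00 10.0.0.9 49300 203.0.113.10 1177 ALLOW
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+) (\d+) (\S+)$")
NJRAT_DEFAULT_PORT = 1177  # C2 port named in the article; operators can change it


def parse_log(log_text):
    """Parse the assumed log format into (timestamp, src, dst, dst_port, action) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, src, _sport, dst, dport, action = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), action))
    return events


def classify_port_hits(log_text, port=NJRAT_DEFAULT_PORT, min_hits=2, window_s=300):
    """Return (beaconing, singles): beaconing maps src -> dst for hosts with at least
    min_hits allowed connections to the same dst:port within window_s seconds;
    singles maps src -> dst for hosts that touched the port only once."""
    hits = defaultdict(list)
    for ts, src, dst, dport, action in parse_log(log_text):
        if dport == port and action == "ALLOW":
            hits[(src, dst)].append(ts)
    beaconing, singles = {}, {}
    for (src, dst), times in hits.items():
        times.sort()
        repeated = any(
            (times[i + min_hits - 1] - times[i]).total_seconds() <= window_s
            for i in range(len(times) - min_hits + 1)
        )
        if repeated:
            beaconing[src] = dst
        elif len(times) == 1:
            singles[src] = dst
    return beaconing, singles
```

Hosts in `beaconing` deserve a look at the .tmp keystroke file and the second-directory persistence copy the article describes; hosts in `singles` may be scanners or one-off noise and need corroboration.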