njRAT Gets Ransomware, Crypto-Currency Stealing Capabilities
3.4.2018 securityweek Cryptocurrency
An updated version of the njRAT remote access Trojan (RAT) is capable of encrypting files and stealing virtual currencies from crypto-wallets, Zscaler warns.
Also known as Bladabindi, njRAT has been around since at least 2013 and is one of the most prevalent malware families. Built in .NET Framework, the malware provides attackers with remote control over the infected systems, utilizes dynamic DNS for command-and-control (C&C), and uses a custom TCP protocol over a configurable port for communication.
Dubbed njRAT Lime Edition, the new malware variant includes support for ransomware infection, Bitcoin grabber, and distributed denial of service (DDoS), while also being able to log keystrokes, spread via USB drives, steal passwords, and lock the screen.
The malware gets a list of running processes on the victim’s machine and uses it to track crypto wallets. Because these store digital currency and may also be connected to the users’ bank accounts, debit cards, or credit cards, it’s no surprise they are of interest to cybercriminals.
Once it has infected a system, the malware also checks for virtual machines and sandbox environments, Zscaler's researchers say. It also gathers large amounts of system information: system name, user name, Windows version and architecture, presence of a webcam, active window, CPU, video card, memory, volume information, installed antivirus, and infection time.
Additionally, the threat monitors the system for specific security-related processes and attempts to kill them to avoid detection.
The new njRAT iteration can also launch ARME and Slowloris DDoS attacks, the security researchers say. The Slowloris tool allows a single machine to take down a server with minimal bandwidth while attempting to keep many connections to the target web server open. ARME attacks also attempt to exhaust the server memory.
Upon receiving commands from the C&C, the malware can delete Chrome cookies and saved logins, turn off monitor, use TextToSpeech to announce text received from C&C, restore normal mouse button functionality, enable task manager, change wallpaper, log keystrokes from the foreground window, share, download files via torrent software, and start Slowloris attacks.
It can also drop and show a ransom note, restart the computer, disable command prompt, delete event logs, stop Bitcoin monitor thread, start the botkiller thread, send system information (CPU/GPU/RAM), check installed Bitcoin wallets and send the information to C&C, and load a plugin and configure it with the C&C server.
njRAT also includes worm-like spreading capabilities. It can monitor the system for connected USB drives and can copy itself to them, while also creating a shortcut to itself using the folder icon.
The malware’s ransomware functionality encrypts users’ files and adds the .lime extension to them. The malware uses the AES-256 symmetric algorithm for encryption, meaning that the same key can be used for decryption as well.
“When Lime is first launched, it will call a RandomString() function, which will attempt to generate an AES key. It generates a 50-byte array from the input string using a random index, and uses the random() function to fetch one character and stores it to the output string,” Zscaler explains.
The function to decrypt the files encrypted by the Lime ransomware is included in the malware itself, the security researchers have discovered.