On 24 August, a malicious spam (malspam) email campaign distributed the njRAT malware, also known as Bladabindi and Njw0rm. njRAT is a remote access trojan (RAT) and information stealer (infostealer) that was first observed in January 2013 [1,2,3].
njRAT maintains persistence and operates undetected on victims’ machines while transmitting sensitive information back to its command and control (C2) infrastructure for extended periods of time. njRAT’s availability, ease of use, and rich feature set make it a popular choice for threat actors of all skill levels. Its known capabilities include:
- Collecting information about the system, including usernames and passwords, as well as other personal and confidential information,
- Activating webcams,
- Capturing screenshots,
- Logging keystrokes,
- Installing and uninstalling software,
- Loading other plugins,
- Manipulating files,
- Propagating to external media, and
- Detecting and evading sandbox environments.
Because njRAT maintains persistence and can download files, it also has the ability to download additional malware to victims’ machines.
Threat actors using njRAT have historically used messages with payment/invoice-related themes. With these types of lures, both the subject line and email body contain messages asking the recipient to review the attached invoice or payment notice.
In this campaign, the attachment was a macro-enabled Microsoft Excel (.xlsm) file whose name was a 40-character alphanumeric string, mimicking the format of a Secure Hash Algorithm 1 (SHA-1) hash.
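The lure pattern described above (a macro-enabled Excel attachment with a 40-character, hash-like name) is simple to check for at the mail gateway or in attachment logs. The following is an added example, not code from Infoblox or from the report, and the attachment filenames it scans are constructed for illustration. It flags an attachment when two conditions coincide: the extension is macro-enabled Office, and the basename is exactly 40 alphanumeric characters (with a stricter sub-check for the pure hexadecimal form a real SHA-1 would have). Ordinary hash-named files and ordinary macro documents are reported but not flagged on their own.

```python
import re
from dataclasses import dataclass

# Office extensions that can carry VBA macros (assumption: the set a given
# deployment cares about; extend as needed).
MACRO_ENABLED_EXTENSIONS = {".xlsm", ".xlam", ".docm", ".dotm", ".pptm", ".potm"}

# A genuine SHA-1 rendered as hex is exactly 40 hex characters.
SHA1_HEX_RE = re.compile(r"^[0-9a-fA-F]{40}$")
# The campaign used a 40-character alphanumeric name, which is broader than hex.
ALNUM40_RE = re.compile(r"^[0-9A-Za-z]{40}$")


@dataclass(frozen=True)
class AttachmentVerdict:
    filename: str
    macro_enabled: bool    # extension is in MACRO_ENABLED_EXTENSIONS
    hash_like_name: bool   # basename is 40 alphanumeric characters
    sha1_hex_name: bool    # basename is 40 hexadecimal characters (subset of above)
    flagged: bool          # macro_enabled and hash_like_name


def split_name(filename: str) -> tuple[str, str]:
    """Return (stem, lowercased extension) of the last path component.

    Only the final '.'-separated part counts as the extension, so a
    double-extension name such as 'invoice.pdf.xlsm' yields ('invoice.pdf', '.xlsm').
    """
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in name:
        return name, ""
    stem, ext = name.rsplit(".", 1)
    return stem, "." + ext.lower()


def assess_attachment(filename: str) -> AttachmentVerdict:
    """Classify one attachment filename against the hash-named-macro-file pattern."""
    stem, ext = split_name(filename)
    macro_enabled = ext in MACRO_ENABLED_EXTENSIONS
    hash_like = bool(ALNUM40_RE.match(stem))
    sha1_hex = bool(SHA1_HEX_RE.match(stem))
    return AttachmentVerdict(
        filename=filename,
        macro_enabled=macro_enabled,
        hash_like_name=hash_like,
        sha1_hex_name=sha1_hex,
        flagged=macro_enabled and hash_like,
    )


def triage(filenames: list[str]) -> list[AttachmentVerdict]:
    """Return the verdicts for every attachment that matches the lure pattern."""
    return [v for v in (assess_attachment(f) for f in filenames) if v.flagged]


# Constructed sample attachment names (not real campaign indicators).
SAMPLE_ATTACHMENTS = [
    "3f786850e387550fdab836ed7e6dc881de23001b.xlsm",   # hex, 40 chars, macro file
    "ABCDEFGHIJ1234567890abcdefghij1234567890.XLSM",   # alphanumeric, not hex
    "Invoice_2023_08.xlsx",                            # ordinary, no macros
    "report.docm",                                     # macro file, ordinary name
    "3f786850e387550fdab836ed7e6dc881de23001b.txt",    # hash-like name, no macros
    "invoice.pdf.xlsm",                                # double extension, short stem
]

if __name__ == "__main__":
    for verdict in triage(SAMPLE_ATTACHMENTS):
        form = "sha1-hex" if verdict.sha1_hex_name else "alphanumeric"
        print(f"FLAGGED {verdict.filename} ({form} basename, macro-enabled)")
```

The two regular expressions are kept separate on purpose: the hex form is what a file genuinely named after its SHA-1 would look like, while the broader alphanumeric form matches what the report actually describes, so a rule built on hex alone would miss names that only imitate the length.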
Infoblox’s full report on this instance of the malware will be available soon on our Threat Intelligence Reports page.