Government agencies, telecom and energy organizations in the Middle East are being targeted by espionage malware known as njRAT.
The remote access Trojan is thorough in its data-stealing capabilities. Beyond dropping a keylogger, variants are capable of accessing a computer’s camera, stealing credentials stored in browsers, opening reverse shells, stealing files, manipulating processes and viewing the user’s desktop.
Security company Fidelis, owned by General Dynamics, reports a surge in activity involving njRAT during the past 30 days.
“We have observed the majority of the attacks leveraging ‘njRAT’ to be against organizations based in or focused on the Middle East region in the government, telecom, and energy sectors. However, as this is a publicly available tool it can be attained and deployed with ease regardless of location or industry,” Fidelis said in its advisory.
The malware is delivered via spear-phishing emails or drive-by downloads. The attackers also embed the malware in other applications, such as the L517 Word List Generator, and compress and obfuscate it with a number of tools in order to evade detection by security software.
Like other espionage campaigns, each individual attack has a unique identifier. Once a victim is infected, the malware can also scan the local network for other vulnerable machines to infect. That ability to move laterally once inside a network, coupled with the legitimate credentials and other data it harvests through keylogging, makes njRAT a classic APT-style attack tool.
Fidelis dissected one sample, called Authorization[.]exe, which was embedded in a .scr attachment sent to the victim. Beyond its data-stealing capabilities, the sample comes with a builder that lets the attacker generate new clients and configure command and control IP addresses and ports, can spread via USB, and more, Fidelis said.
The malware stores keystrokes in a .tmp file and connects to a command and control server over port 1177 at an IP address registered in Gaza City, Palestine. A copy of the malware is stored in a second directory created by the attacker so that it executes again after a reboot. Once connected to the command and control server, it sends system information including the computer name, the attacker's identifier, the system's location, operating system details, whether the computer has a built-in camera and which windows are open.
The open window not only tells the attacker about the user's activities; it can also warn him that the sample is being analyzed if Wireshark, Filemon or another analysis tool is open on the victim's screen.
“This will quickly let the attacker know that someone is performing reverse engineering of his malicious code,” Fidelis said.
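To make the beacon and the window-title check described above concrete, here is an added example (not code from the article or from Fidelis) that builds a constructed njRAT-style login message carrying the fields the article lists, parses it back out of a raw TCP payload, and flags an active-window title that names an analysis tool. The `|'|'|` field separator and the `<length>\x00` framing are the widely documented njRAT conventions but are not stated in the article; the exact field order, the campaign name `HacKed`, the extra tool names beyond Wireshark and Filemon, and every sample value are assumptions made for this example.

```python
"""Parse and triage an njRAT-style login ("ll") beacon.

Added example, not code from the article or from Fidelis. The `|'|'|`
separator and the "<length>\x00" framing are widely documented for the njRAT
family; the field ORDER below is an assumption that mirrors the fields the
article lists (computer name, identifier, location, OS, camera, open window),
not a verbatim copy of the real protocol.
"""
import base64
from typing import Optional

SEP = "|'|'|"   # njRAT field delimiter (documented for the family; assumed here)
C2_PORT = 1177  # port the article's sample beacons to

# Window-title substrings a triage analyst treats as analysis tooling.
# Wireshark and Filemon come from the article; the others are assumed extras.
ANALYSIS_TOOLS = ("wireshark", "filemon", "regmon", "procmon", "ollydbg", "fiddler")


def frame(payload: bytes) -> bytes:
    """Prefix a message with its ASCII decimal length and a NUL byte."""
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def build_login(campaign: str, hwid: str, host: str, user: str, country: str,
                os_name: str, camera: bool, version: str, active_window: str) -> bytes:
    """Constructed 'll' beacon: campaign id + hardware id and the window title are base64."""
    victim_id = base64.b64encode(f"{campaign}_{hwid}".encode("utf-8")).decode("ascii")
    window = base64.b64encode(active_window.encode("utf-8")).decode("ascii")
    fields = ["ll", victim_id, host, user, "15-01-13", country, os_name,
              "Yes" if camera else "No", version, "..", window]
    return frame(SEP.join(fields).encode("utf-8"))


def analysis_tool_in(title: str) -> Optional[str]:
    """Return the first analysis tool named in a window title, or None."""
    low = title.lower()
    for tool in ANALYSIS_TOOLS:
        if tool in low:
            return tool
    return None


def parse_login(raw: bytes) -> Optional[dict]:
    """Decode a login beacon from a raw payload, or return None if it is not one."""
    length, nul, body = raw.partition(b"\x00")
    if not nul or not length.isdigit() or int(length) != len(body):
        return None  # missing or inconsistent njRAT framing (also catches truncation)
    parts = body.decode("utf-8", errors="replace").split(SEP)
    if len(parts) < 11 or parts[0] != "ll":
        return None  # not a login message
    try:
        ident = base64.b64decode(parts[1], validate=True).decode("utf-8")
        window = base64.b64decode(parts[10], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # base64 fields are not what a real beacon would carry
    campaign, _, hwid = ident.partition("_")
    return {
        "campaign": campaign,
        "hwid": hwid,
        "host": parts[2],
        "user": parts[3],
        "country": parts[5],
        "os": parts[6],
        "camera": parts[7] == "Yes",
        "version": parts[8],
        "active_window": window,
        "analysis_tool": analysis_tool_in(window),
    }


def triage(dst_port: int, payload: bytes) -> str:
    """One-line verdict for a flow, combining the port hint with payload evidence."""
    beacon = parse_login(payload)
    if beacon is None:
        hint = f" (but destination port {C2_PORT})" if dst_port == C2_PORT else ""
        return "no njRAT login beacon" + hint
    verdict = f"njRAT login from {beacon['host']} campaign={beacon['campaign']}"
    if beacon["analysis_tool"]:
        verdict += f"; operator will see '{beacon['analysis_tool']}' in the open window"
    return verdict


if __name__ == "__main__":
    # Constructed sample, not a real capture.
    pkt = build_login("HacKed", "8B83582B", "WS-042", "analyst", "PS",
                      "Win 7 Professional SP1 x86", False, "0.7d",
                      "Authorization.exe.pcapng - Wireshark")
    print(pkt)
    print(triage(C2_PORT, pkt))
```

The length check is what separates a real frame from a truncated or unrelated payload, and the base64 round trip on the identifier and window-title fields is what lets the parser reject HTTP or other plaintext that happens to land on port 1177; the port alone is only a hint, since njRAT's builder lets the operator change it.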