Remote access Trojans, or RATs, are typically stay-at-home creatures. Central to a good many targeted attacks for their ability to steal data from compromised computers, RATs aren’t generally built with the capability to spread to more machines.
A variant of njRAT, however, has broken that mold. Likely written by the same author, njw0rm features all of the same data-stealing capabilities of its forerunner, except this one can detect whether a removable storage device such as a USB drive is connected to the machine and it attempts to copy itself to the device in the hope of spreading to more machines.
The why in all of this does have researchers baffled.
“The only reason I can think of is to jump an air gap between machines on disconnected networks,” said Nart Villeneuve, senior threat intelligence researcher at FireEye. “Typically, RATs don’t have the ability to spread. They are sent to a target and that essentially allows an attacker to take remote control of the computer. We see RATs used typically in a targeted attack because it requires a human on the other side to execute commands and exfiltrate data, unlike crimeware with automated extraction features. You just don’t see RAT spreading automatically.”
Njw0rm constantly checks if a removable device is present on a compromised machine and whether there is enough memory for the malware. If so, it then creates a hidden My Pictures directory that tries to trick the victim into executing the malicious code.
“It then gets a list of 10 folders on the removable drive, hides those 10 folders, and creates shortcut links with the same names for each of them — all pointing to the malware executable,” Villeneuve and fellow researcher Uttang Dawda wrote in a blogpost. “When unsuspecting users click on one of the shortcuts to open what they think is a familiar folder, they execute the worm instead.”
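The lure pattern described above (a folder on the removable drive made hidden, with a same-named shortcut placed beside it) is simple enough to check for from the defender's side. The script below is an added example for this article, not code from FireEye or from the malware author; it assumes the shortcut is a `.lnk` file whose base name exactly matches the hidden folder, reads the Windows hidden attribute from `st_file_attributes` where available, and falls back to a dot-prefix convention elsewhere. The sample listing it runs against is constructed here to illustrate the pattern.

```python
"""Flag the njw0rm-style removable-drive lure: hidden folder + same-named .lnk beside it.

Detection-only helper written for this article (not part of the original page).
"""
import os
import stat
from dataclasses import dataclass


@dataclass
class Entry:
    """One directory entry from the root of a removable drive."""
    name: str
    is_dir: bool
    hidden: bool


def find_folder_shortcut_lures(entries):
    """Return the names of hidden folders that have a same-named .lnk next to them.

    A single benign shortcut (no matching folder) or a hidden folder with no
    shortcut is not flagged; only the pairing the worm creates is reported.
    """
    hidden_dirs = {e.name for e in entries if e.is_dir and e.hidden}
    lures = []
    for e in entries:
        if e.is_dir or not e.name.lower().endswith(".lnk"):
            continue
        base = e.name[:-len(".lnk")]          # "Photos.lnk" -> "Photos"
        if base in hidden_dirs:
            lures.append(base)
    return sorted(lures)


def list_drive_root(path):
    """Build Entry objects for a real directory (e.g. the root of a mounted USB stick).

    Assumption: on Windows the hidden flag is exposed via st_file_attributes;
    on other platforms a leading dot is treated as hidden so the check still runs.
    """
    out = []
    with os.scandir(path) as it:
        for de in it:
            st = de.stat(follow_symlinks=False)
            attrs = getattr(st, "st_file_attributes", 0)
            hidden = bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or de.name.startswith(".")
            out.append(Entry(de.name, de.is_dir(follow_symlinks=False), hidden))
    return out


# Constructed sample listing (not captured from a real infection):
# two folders hidden and shadowed by shortcuts, one untouched folder,
# one ordinary shortcut, one plain file.
CONSTRUCTED_LISTING = [
    Entry("Photos", True, True),
    Entry("Photos.lnk", False, False),
    Entry("Docs", True, True),
    Entry("Docs.lnk", False, False),
    Entry("Music", True, False),
    Entry("Notes.lnk", False, False),
    Entry("readme.txt", False, False),
]


def scan_constructed_sample():
    """Run the check over the constructed listing; returns ['Docs', 'Photos']."""
    return find_folder_shortcut_lures(CONSTRUCTED_LISTING)


if __name__ == "__main__":
    for name in scan_constructed_sample():
        print(f"suspicious: hidden folder '{name}' shadowed by '{name}.lnk'")
```

To run it against an actual drive, pass the mount point to `list_drive_root` and hand the result to `find_folder_shortcut_lures`; any hit is worth inspecting the shortcut's target before opening anything on the device.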
Njw0rm also has an appetite for passwords and will steal them from Chrome browser settings, as well as FTP passwords stored in an XML file on the machine, and account credentials for the No-IP dynamic DNS service.
“The ability to steal No-IP credentials is unique. Many threat actors use dynamic DNS domains for their infrastructure,” Villeneuve and Dawda wrote. “So an attacker with stolen No-IP credentials could use the service to perform reconnaissance or target other systems.”
No-IP is a popular choice for command-and-control infrastructure in similar attacks. No-IP, however, allows its users only three domains for free. Speculation is that this capability could be in place to enable attackers to build a more robust command-and-control setup.
“It’s a generic functionality, so it’s hard to determine intent,” Villeneuve said. “This could be just a way to steal No-IP credentials from someone else, possibly to shift the blame to someone else if they get found out, or to take control of another attacker’s compromised machines.”
As for the author of njRAT and njw0rm, he appears to be a freelance coder who goes by the handle njq8, the q8 likely standing for his current location of Kuwait. While njw0rm has not appeared in attacks as extensively as njRAT, nor has it been seen in any targeted attacks, it is freely available online from its author.
“He re-tweeted the link to our blogpost from his Twitter account,” Villeneuve said. “He claims to be in Kuwait, and he’s coded quite a number of malicious tools.”
In July, security experts at General Dynamics warned of a spike in njRAT attacks targeting government agencies, telecom and energy organizations in the Middle East. These espionage attacks were thorough; the malware dropped a keylogger and was capable of accessing a computer’s camera, stealing credentials stored in browsers, opening reverse shells, stealing files, manipulating processes and viewing the user’s desktop.
Victims fell for spear phishing emails or were infected in drive-by downloads. Each attack was trackable via a unique identifier and the malware could also scan for other vulnerable computers on the same network in order to pivot from resource to resource looking for data to steal.