njRAT

Malware updated 2 months ago (2024-10-01T15:00:57.443Z)
NjRAT is a remote-access Trojan (RAT) that has been in use since 2013, deployed in both criminal and targeted attacks. It typically reaches a system through malicious downloads, emails, or websites, often without the user noticing. Once installed, NjRAT can steal personal information, disrupt operations, or even hold data for ransom. It is capable of identifying remote hosts on connected networks (T1018), detecting peripheral devices such as cameras during initial infection (T1120), and performing keylogging, information stealing, reverse shell, and USB propagation functions.

The attackers have been observed using a variety of RATs alongside NjRAT, including Remcos, AsyncRAT, Lime-RAT, Quasar RAT, and BitRAT. Notably, RATs like NjRAT and infostealers like Lokibot have been seen leveraging the same Command and Control (C2) infrastructure as targeted attacks, and publicly available RATs like NjRAT and AsyncRAT have been customized for espionage or financial theft. The BlindEagle group, also known as APT-C-36, has been seen running operations using NjRAT among other RATs. More recently, manufacturing organizations across North America have been targeted by the financially motivated Blind Eagle threat operation, which used the Ande Loader malware to deliver remote access trojans, including both Remcos RAT and NjRAT. These attacks were facilitated by phishing emails containing RAR and BZ2 archives, which led to the distribution of NjRAT.
Description last updated: 2024-10-01T14:15:43.921Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be worth reviewing.
Alias (votes): description

Dcrat (4 votes): Dcrat is a possible alias for njRAT. DcRAT is a malicious software (malware) known as a Remote Access Trojan (RAT), which has been utilized in a widespread campaign to exploit computer systems. The malware infiltrates systems through deceptive methods, including downloads from fake Google Meet and OnlyFans sites. When a user interacts...

Bladabindi (2 votes): Bladabindi is a possible alias for njRAT. Bladabindi, also known as njRAT, is a remote access trojan (RAT) malware first discovered in 2013. It poses a significant threat to the privacy, security, and integrity of infected systems, allowing attackers to execute commands on the host, log keystrokes, and remotely activate the victim's webcam...
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Rat
Trojan
Payload
Windows
Phishing
Cobalt Strike
Espionage
Android
Ransomware
Implant
Github
Crypter
Remcos
Dropper
Skype
Associated Malware
Malware (association type, votes): description

AgentTesla (Unspecified, 5 votes): The AgentTesla malware is associated with njRAT. AgentTesla is a well-known Remote Access Trojan (RAT) and infostealer malware that has been used in numerous cyber-attacks. It is often delivered through malicious emails or downloads, and once inside a system, it can steal personal information, disrupt operations, or even hold data hostage for rans...

AsyncRAT (Unspecified, 4 votes): The AsyncRAT malware is associated with njRAT. AsyncRAT is a malicious software (malware) that infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold your data hostage for ransom. It has recently risen to prominence, ra...

NanoCore (Unspecified, 3 votes): The NanoCore malware is associated with njRAT. NanoCore is a notorious Remote Access Trojan (RAT) first discovered in 2013. It targets Windows operating system users and operates by opening a backdoor on an infected computer to steal information. NanoCore has maintained a top five position for six consecutive months, taking the third spot in Dec...

SpyNote (Unspecified, 3 votes): The SpyNote malware is associated with njRAT. SpyNote is a malicious software (malware) designed to exploit and damage computer systems, often infecting devices through suspicious downloads, emails, or websites. A newer variant of SpyNote has been observed using the Accessibility API to target well-known cryptocurrency wallets. The malware is d...

DarkComet (Unspecified, 2 votes): The DarkComet malware is associated with njRAT. DarkComet is a Remote Access Trojan (RAT) that opens a backdoor on infected computers, allowing unauthorized access and data theft. This malware has been classified among the top five Command and Control (C2) families, indicating its widespread usage by cybercriminals. DarkComet, along with other es...

RedLine (Unspecified, 2 votes): The RedLine malware is associated with njRAT. RedLine is a type of malware, a malicious software designed to exploit and damage computer systems. It often infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. RedLine has been favored by threat actor...
Source Document References
Information about the njRAT malware was read from the source documents listed below; this display is limited to 20 results.
Source (created)

Securelist (2 months ago)
Checkpoint (3 months ago)
Securelist (3 months ago)
Checkpoint (6 months ago)
CERT-EU (8 months ago)
CERT-EU (8 months ago)
CERT-EU (8 months ago)
CERT-EU (8 months ago)
InfoSecurity-magazine (8 months ago)
CERT-EU (8 months ago)
DARKReading (9 months ago)
InfoSecurity-magazine (9 months ago)
CERT-EU (9 months ago)
CERT-EU (10 months ago)
MITRE (a year ago)
Checkpoint (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
Securityaffairs (a year ago)