Published on March 31st, 2014
Popular Remote access Trojan njRAT Fuels Nascent Middle East Cybercrime Scene
Symantec researchers analyzed 721 njRAT samples and found about 24,000 infected computers worldwide, communicating with 542 command-and-control (C&C) server domain names.
njRAT is not a new piece of malware: it has been available since June 2013. Three variants have been released so far, all of which can be propagated through infected USB keys or networked drives.
njRAT is a Remote Access Trojan (RAT) with extensive data-stealing capabilities. In addition to logging keystrokes, the malware can access the victim's camera, steal credentials stored in browsers, upload and download files, manipulate processes and files, and view the victim's desktop.
The RAT can also be used to control networks of infected computers (botnets). The attacker can update, uninstall, disconnect, restart or close the RAT and rename its campaign ID, and the C&C server software lets the attacker build and configure new copies of the malware to spread through USB drives.
HOW TO USE njRAT
The popularity of njRAT in the Middle East and North Africa is attributed to the large online community that supports it with instructions and tutorials for building and deploying the malware.
"Technical support and tutorials on using njRAT are widely available on the Web. Symantec has found numerous video tutorials in the Arabic language containing step-by-step processes for downloading and setting up the malware, including steps such as dynamic DNS naming for C&C servers. This level of support enables attackers in the region to easily build tools and server components for njRAT," the researchers said.
Symantec has also spotted 487 groups of cyber criminals setting up attacks using njRAT, and these “attacks appear to have different motivations, which can be broadly classed as hacktivism, information theft, and botnet building.”
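The dynamic DNS step in those tutorials is also a detection opportunity: a RAT that keeps re-resolving a dynamic DNS hostname on a fixed schedule stands out in DNS query logs. The script below is an added example, not code from Symantec, from this article or from njRAT itself; its log format and log lines are constructed, and its suffix list is an illustrative set of well-known dynamic DNS zones (an assumption, not a list of njRAT infrastructure).

```python
"""
Triage DNS query logs for repeated lookups of dynamic DNS hostnames, the
pattern a RAT produces when it re-resolves its C&C host on a timer.

Added example. The log format, the log lines and the suffix list are all
constructed/illustrative assumptions, not data from the Symantec report.
"""
import re
from collections import defaultdict
from datetime import datetime

# Illustrative dynamic DNS zones (assumption). A real deployment would load
# a maintained list; a hit here is a triage signal, not proof of compromise.
DYNDNS_SUFFIXES = (
    "no-ip.biz", "no-ip.org", "no-ip.info", "ddns.net", "zapto.org",
    "hopto.org", "dyndns.org", "sytes.net", "myftp.biz", "redirectme.net",
)

# Constructed log lines: "<ISO timestamp> <client ip> <queried name> <qtype>"
SAMPLE_LOG = """\
2014-03-28T10:00:00 10.0.0.12 www.example.com A
2014-03-28T10:00:05 10.0.0.12 cdn.example.net A
2014-03-28T10:01:00 10.0.0.25 hacker-campaign.no-ip.biz A
2014-03-28T10:01:30 10.0.0.25 hacker-campaign.no-ip.biz A
2014-03-28T10:02:00 10.0.0.25 hacker-campaign.no-ip.biz A
2014-03-28T10:02:30 10.0.0.25 hacker-campaign.no-ip.biz A
2014-03-28T10:03:00 10.0.0.7 nas.sytes.net A
2014-03-28T10:15:00 10.0.0.7 mail.example.org MX
2014-03-28T10:20:00 10.0.0.12 evilno-ip.biz A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def is_dyndns_host(name: str) -> bool:
    """True if name is equal to, or a subdomain of, a dynamic DNS zone.

    Matching is done on label boundaries: 'evilno-ip.biz' is a different
    zone from 'no-ip.biz' even though str.endswith() would accept it.
    """
    labels = name.lower().rstrip(".").split(".")
    for suffix in DYNDNS_SUFFIXES:
        s_labels = suffix.split(".")
        if len(labels) >= len(s_labels) and labels[-len(s_labels):] == s_labels:
            return True
    return False


def parse_log(text: str):
    """Yield (timestamp, client, name, qtype); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, name, qtype = m.groups()
        yield datetime.fromisoformat(ts), client, name, qtype


def analyze(text: str, min_hits: int = 3, max_interval_s: float = 120.0) -> dict:
    """Summarize dynamic DNS lookups per (client, hostname).

    Returns {(client, name): {"hits": n, "median_gap_s": g, "beacon": bool}}.
    "beacon" is set when the client resolved the name at least min_hits
    times with a median inter-lookup gap at or below max_interval_s, i.e.
    the regular, short-interval re-resolution typical of a RAT check-in.
    """
    stamps_by_key = defaultdict(list)
    for ts, client, name, _ in parse_log(text):
        if is_dyndns_host(name):
            stamps_by_key[(client, name.lower())].append(ts)

    findings = {}
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        gaps = sorted((b - a).total_seconds() for a, b in zip(stamps, stamps[1:]))
        median = gaps[len(gaps) // 2] if gaps else None
        beacon = len(stamps) >= min_hits and median is not None and median <= max_interval_s
        findings[key] = {"hits": len(stamps), "median_gap_s": median, "beacon": beacon}
    return findings


if __name__ == "__main__":
    for (client, name), info in sorted(analyze(SAMPLE_LOG).items()):
        tag = "BEACON" if info["beacon"] else "dyndns"
        print(f"{tag:7} {client:12} {name:30} hits={info['hits']} median_gap={info['median_gap_s']}")
```

A single lookup of a dynamic DNS name (the NAS in the sample) is only a low-priority lead, since legitimate home and small-office services use the same providers; the repeated short-interval resolution by 10.0.0.25 is what merits pulling the host for inspection. In production, feed the real resolver or firewall log into `parse_log` and replace the suffix tuple with a maintained list.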
FATHER OF njRAT
“The malware’s author also appears to hail from the region. njRAT appears to have been written by a Kuwait-based individual who uses the Twitter handle @njq8. The account has been used to provide updates on when new versions of the malware are available to download,” they added.
Symantec said that nearly 80 percent of the C&C servers worldwide were located in the Middle East and North Africa, in countries such as Saudi Arabia, Iraq, Tunisia, Egypt, Morocco, Algeria, Palestine and Libya.
“One such group is the S.K.Y.P.E/Tagged group, which has C&C servers hosted in Egypt and Algeria. The group’s vector for infection is a screensaver hosted on the file sharing site ge.tt. When victims download the compressed .rar file containing the screensaver, they get an executable containing njRAT.”