njRAT Being Distributed via Webhards

Webhards is a platform used to distribute malware, and it is mainly used by attackers that mainly target Korean users. The ASEC analysis team has been monitoring malware types distributed through webhards and has uploaded multiple blog posts about them in the past. Various types of malware are used recently such as UdpRat or DDoS IRC Bot developed with GoLang, but njRAT had been used in multiple attacks in the past.

The ASEC analysis team has recently found njRAT being distributed through webhards. As shown in the figure below, malware disguised as an adult game was uploaded in a certain webhard.

Figure 1. njRAT disguised as an adult game being distributed in webhard

Users who download the game would probably decompress the file ‘Goblin walker.zip’ and run the executable that has the game icon image within the file. The executable is a dropper malware that contains the original game file and njRAT. When it is run, it drops and runs the game executable and njRAT in the path %APPDATA% (see figure below).

Figure 2. Game file and njRAT dropped and executed in AppData

As dropper malware runs both njRAT and the game at the same time, users will find that the game is run normally.

Figure 3. Game being run normally

Dropper is developed with .NET, and it has the loader (fluxfog.dat), original game executable (barsgiant.dat), and njRAT (gemsintoxicant.dat) in encoded forms (see figure below).

Figure 4. Multiple binaries included in the resource in encoded forms

The dropper first decodes the loader (fluxfog.dat) and loads it in the memory. The loader’s function is to write the original game executable “barsgiant.dat” and njRAT “gemsintoxicant.dat” in %APPDATA% path and execute each file.

Figure 5. Routine for decrypting and running encoded files

njRAT is created as a file named RuntimeBroker.exe in %APPDATA% path and then executed. Its code is obfuscated, but structurally, it is easily recognizable as njRAT (see figure below).

Figure 6. Structure of njRAT

njRAT is a RAT malware that can perform various malicious activities after receiving commands from the attacker. It provides various features such as file downloading, command execution, keylogging, and user account credentials extortion. The following figure shows the C&C URL and port number that is shown when the internal settings data is decrypted.

Figure 7. C&C URL and port number

Since njRAT used in the attack has “|’|’|” as separators, it is likely that the attacker downloaded the publicly released njRAT builder and used it without major modifications.

Figure 8. Default data sent to C&C server (modified)

As shown in the examples above, the malware is being distributed actively via file sharing websites such as Korean webhards. As such, caution is advised when running executables downloaded from a file-sharing website. It is recommended for the users to download products from the official websites of developers.

[File Detection]
– Malware/Win.Generic.C4918227 (2022.01.18.00)
– Dropper/Win.NJRat.R475688 (2022.03.02.00)

[IOC]
File
– Dropper: 74cb8c2a5badf88b7407cc187b1b0adf
– njRAT: 228a44d74c4be3555a55e432967adcf6

C&C
– lllopq.ddns[.]net:3270

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

Tagged as:, , ,

0 0 votes
Article Rating
guest
0 Comments
Inline Feedbacks
View all comments