Trojan:MSIL/NjRat.A

Trojan:MSIL/NjRat.A comes in through phishing emails, but there are many other infections vectors. These phishing emails have links to a compromised website, or they have infected attachments. The compromised sites often have an application and present the user with a fake software update. Once launched, Njrat creates a unique mutex first, to prevent more than one copy of the program running on the same device. 

Second, the trojan copies itself from its download location (possibly the %TEMP% folder). The copy is then moved to a more permanent location. This is in a hidden folder inside the %APPDATA% folder. The new copy is renamed to try and look legitimate, mimicking a Windows process.  

Also, Njrat creates a persistent mechanism to survive a reboot. It works by creating autostart entries in the Windows Registry RUN keys and placing a copy in the Startup folder built into Windows. Trojan:MSIL/NjRat.A has significant capabilities to invade the user's privacy, these include: 

• logging keystrokes 
• capturing audio from the microphone  
• harvesting saved credentials from applications and web browsers 
• providing full remote desktop control to the threat actors, giving full access to the victim's display screen. 

As a final note on data theft, Njrat is able to transmit data through encrypted channels. It normally transmits stolen data via HTTP POST requests or FTP uploads. Before exfiltration, the data sets are often compressed and encoded in Base64 first. The encoding is to hide the malware command and control servers from being identified from the overall network traffic of the infected device. 

Trojan:MSIL/NjRat.A drops the following files: 

• %Temp%\sc.dll (screenshots) 
• %Temp%\kl.dll (for keylogging binary) 
• Files that pretend to be .pdf but are actual .exe files when File Explorer is set to hide filename extension. 
• %Public%\Documents\MediaPlayer.exe 
• %Temp%\Log.tmp (stores keystrokes) 
• %Temp%\~DF842C.tmp (additional binary components) 
• %AppData%\svchos.exe (misspelled to pretend as svchost.exe, the legitimate Windows system file)  

It also modifies the below processes: 

• msbuild.exe 
• conhost.exe 
• RegAsm.exe 
• MpSigStub.exe 

Modifies the following registry keys: 

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy (Adds rule: "Allow njRAT" preventing inbound/outbound blocks) 
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (Adds entry: "Windows Media Player" = "%AppData%\svchos.exe") 
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced (Sets "Hidden"=1 and "ShowSuperHidden"=1 to hide files) 

Connects to the following URLs: 

• dynuddns[.]net 
• web4solution[.]net 
• http://web4solution[.]net:1177/gate[.]php 
• http://dynuddns[.]net/update?hostname=<C2_ID>