Threat behavior
Trojan:MSIL/NjRat!rfn is a .NET-based remote access trojan (RAT) distributed through phishing campaigns with weaponized email attachments, drive-by downloads from compromised websites, and infected USB devices that abuse autorun. Recent campaigns have extended to software supply chain attacks, deploying malicious npm packages such as jdb.js and db-json.js that retrieve and launch NjRAT binaries such as patch.exe. The trojan installs itself as %AppData%\[RandomFolder]\[RandomName].exe and %Public%\Documents\MediaPlayer.exe, then establishes persistence through a Windows registry autorun key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) and scheduled tasks.
To evade detection, the trojan terminates security processes with taskkill, turns off Windows Defender by setting the registry value DisableAntiSpyware to 1, and bypasses User Account Control (UAC) by abusing auto-elevating trusted binaries such as eventvwr.exe and mmc.exe. It uses XOR and RC4 encryption both to obfuscate its payload and to protect its command-and-control (C2) traffic. Its surveillance features include keystroke logging (written to %Temp%\Log.tmp), webcam capture through avicap32.dll API calls, screenshot capture (%Temp%\sc.dll), credential theft from more than 35 browsers via SQLite queries against their stored-password databases, and theft of cryptocurrency wallets. The malware also sabotages system integrity: it modifies the Windows Hosts file to map update.microsoft.com to 127.0.0.1, blocking security updates, and alters firewall policy to permit unrestricted traffic. A destructive module overwrites the Master Boot Record (MBR) when triggered by a specific operator command, rendering the system unbootable.
C2 infrastructure uses dynamic DNS providers (duckdns[.]org), tunneling services (ngrok[.]io), and Pastebin URLs for payload updates, with the C2 channel on an attacker-chosen TCP port (NjRAT's long-standing default is 1177, the port that appears in the gate.php URL listed below). NjRAT also spreads through removable media by copying itself to USB drives and creating shortcut (.lnk) files that launch it. Forensic artifacts include decoy binaries masquerading as PDFs (relying on hidden file extensions), misspelled system file names such as svchos.exe (imitating svchost.exe), and registry modifications that hide its files and exempt its traffic from firewall blocking.
Trojan:MSIL/NjRat!rfn drops the following files:
- %Temp%\sc.dll (screenshots)
- %Temp%\kl.dll (keylogging component)
- Executables with a double extension (for example, name.pdf.exe) that appear to be PDF documents when File Explorer is set to hide known file extensions.
- %Public%\Documents\MediaPlayer.exe
- %Temp%\Log.tmp (stores keystrokes)
- %Temp%\~DF842C.tmp (additional binary components)
- %AppData%\svchos.exe (misspelled to pretend as svchost.exe, the legitimate Windows system file)
It also launches or injects into the following legitimate processes to host or run its code:
- msbuild.exe
- conhost.exe
- RegAsm.exe
- MpSigStub.exe
Modifies the following registry keys:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy (adds a rule named "Allow njRAT" so that Windows Firewall does not block the trojan's inbound or outbound connections)
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (Adds entry: "Windows Media Player" = "%AppData%\svchos.exe")
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced (changes "Hidden" and "ShowSuperHidden", reported as 1 and 1, to control whether its dropped files are visible; note that in this key Hidden=2 and ShowSuperHidden=0 are the settings that hide files and protected system files, while 1 and 1 show them, so alert on any change to these values by a non-interactive process rather than on one fixed value)
Connects to the following domains and URLs:
- dynuddns[.]net
- web4solution[.]net
- http://web4solution[.]net:1177/gate[.]php
- http://dynuddns[.]net/update?hostname=<C2_ID>
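The host-side artifacts listed above (dropped files, Run-key and scheduled-task persistence, the Explorer view settings, the Defender kill switch, the Hosts-file redirect, the firewall rule, the UAC-bypass handler, the hosting processes and the C2 endpoints) can be checked in one pass with the PowerShell triage function below. This is an added example, not code from the Microsoft page or from Defender. The function and variable names are mine; the Defender policy hive (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender) and the per-user mscfile handler key used by the eventvwr.exe UAC bypass are the locations those techniques conventionally use, which this page does not itself name.

```powershell
# Added example: one-pass host triage for the NjRAT artifacts listed on this page.
# Not from the Microsoft page or Defender. Run in an elevated PowerShell 5.1+ session.
# Assumed (not named on the page): the Defender policy hive and the mscfile UAC-bypass key.

function Get-NjRatIndicators {
    $findings = New-Object System.Collections.Generic.List[object]
    function Note($Category, $Detail) {
        $findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
    }
    # Launch locations the trojan favours (environment-variable and expanded forms).
    $suspectPath = 'svchos\.exe|MediaPlayer\.exe|%(AppData|Temp|Public)%|AppData\\Roaming|\\Users\\Public\\'

    # 1. Dropped files named on this page.
    $dropped = @("$env:TEMP\sc.dll", "$env:TEMP\kl.dll", "$env:TEMP\Log.tmp",
                 "$env:TEMP\~DF842C.tmp", "$env:APPDATA\svchos.exe",
                 "$env:PUBLIC\Documents\MediaPlayer.exe")
    foreach ($p in $dropped) { if (Test-Path -LiteralPath $p) { Note 'DroppedFile' $p } }
    # Double-extension decoys (name.pdf.exe) that display as PDFs when extensions are hidden.
    Get-ChildItem -Path $env:USERPROFILE -Recurse -Force -Filter '*.pdf.exe' -ErrorAction SilentlyContinue |
        ForEach-Object { Note 'DecoyExecutable' $_.FullName }

    # 2. Persistence: the named Run entry, or any Run entry / task launched from AppData, Temp or Public.
    #    Expect some noise from legitimate per-user updaters; review the hits by hand.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # provider metadata, not Run values
    $run = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($prop in @($run.PSObject.Properties | Where-Object { $meta -notcontains $_.Name })) {
            $val = [string]$prop.Value
            if ($prop.Name -eq 'Windows Media Player' -or $val -match $suspectPath) {
                Note 'RunKey' ("{0} = {1}" -f $prop.Name, $val)
            }
        }
    }
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $exe = @($_.Actions | ForEach-Object { $_.Execute }) -join ' '
        if ($exe -match $suspectPath) { Note 'ScheduledTask' ("{0} -> {1}" -f $_.TaskName, $exe) }
    }

    # 3. Explorer view settings. Hidden=2 / ShowSuperHidden=0 hide files, 1 / 1 show them;
    #    report the live values instead of assuming which way the sample flipped them.
    $adv = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
    if ($adv) { Note 'ExplorerView' ("Hidden={0} ShowSuperHidden={1}" -f $adv.Hidden, $adv.ShowSuperHidden) }

    # 4. Defender kill switch (DisableAntiSpyware = 1) in the policy and product hives (assumed locations).
    foreach ($k in 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender', 'HKLM:\SOFTWARE\Microsoft\Windows Defender') {
        $v = (Get-ItemProperty $k -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware
        if ($v -eq 1) { Note 'DefenderDisabled' "$k\DisableAntiSpyware = 1" }
    }

    # 5. Hosts-file sabotage: Microsoft hosts pinned to loopback or 0.0.0.0.
    Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*(127\.0\.0\.1|0\.0\.0\.0)\s+\S*microsoft\.com' } |
        ForEach-Object { Note 'HostsFile' $_.Trim() }

    # 6. The "Allow njRAT" firewall rule.
    Get-NetFirewallRule -DisplayName '*njRAT*' -ErrorAction SilentlyContinue |
        ForEach-Object { Note 'FirewallRule' ("{0} ({1}, {2})" -f $_.DisplayName, $_.Direction, $_.Action) }

    # 7. eventvwr.exe / mmc.exe UAC bypass: a per-user mscfile handler should not normally exist.
    $msc = 'HKCU:\Software\Classes\mscfile\shell\open\command'
    if (Test-Path $msc) { Note 'UacBypassHandler' ("{0} = {1}" -f $msc, (Get-ItemProperty $msc).'(default)') }

    # 8. C2 traces: cached lookups of the infrastructure named on this page, and connections to
    #    port 1177 (the port in the gate.php URL above; variants may use others).
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -match 'dynuddns\.net|web4solution\.net|duckdns\.org|ngrok\.io' } |
        ForEach-Object { Note 'DnsCache' ("{0} -> {1}" -f $_.Entry, $_.Data) }
    Get-NetTCPConnection -RemotePort 1177 -ErrorAction SilentlyContinue |
        ForEach-Object { Note 'Connection' ("{0}:{1} pid {2}" -f $_.RemoteAddress, $_.RemotePort, $_.OwningProcess) }

    # 9. Legitimate binaries the trojan uses to host its code (conhost.exe omitted: it is always running).
    Get-Process -Name msbuild, RegAsm, MpSigStub -ErrorAction SilentlyContinue |
        ForEach-Object { Note 'HostProcess' ("{0} pid {1} {2}" -f $_.ProcessName, $_.Id, $_.Path) }

    return $findings
}

Get-NjRatIndicators | Format-Table -AutoSize
```

An empty table means none of the page's listed indicators were found, not that the host is clean: the install folder under %AppData% is randomly named, and other variants use different ports and C2 hosts, so treat the output as a starting point for a memory and network review rather than a verdict.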
Prevention
To minimize exposure to Trojan:MSIL/NjRat!rfn and malware in general, Microsoft recommends best practices such as:
- Disable autorun for USB devices.
- Block Pastebin and similar paste sites, together with dynamic DNS and tunneling services such as duckdns[.]org and ngrok[.]io, via web filtering where there is no business need for them.
- Audit registry entries under the Run keys and scheduled tasks, paying particular attention to executables launched from %AppData%, %Temp% or %Public%.
- Enforce multi-factor authentication (MFA).
- Apply least-privilege principles to user accounts.
- Conduct phishing simulations so users learn to recognize malicious attachments and links.
- Prioritize updates for Windows, browsers, and the .NET Framework to close exploit vectors.
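The first item in the list, disabling autorun, is a two-value registry policy. The PowerShell below applies it machine-wide and verifies it; it is an added example, not code from the Microsoft page. The value names NoDriveTypeAutoRun and NoAutorun under the Explorer policy key are Microsoft's documented AutoRun policy values; the function names are mine.

```powershell
# Added hardening example (not from the Microsoft page): disable AutoRun for every drive type
# and ignore autorun.inf entirely, then verify. Run elevated; Explorer picks the change up at
# the next logon. Function names are mine; value names are the documented Explorer policy values.

$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Set-AutorunDisabled {
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
    # 0xFF sets the bit for every drive type, so AutoRun is off for removable, fixed,
    # network and optical drives alike.
    Set-ItemProperty -Path $policy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    # NoAutorun = 1 additionally stops Windows from parsing autorun.inf at all, which is
    # the mechanism USB-borne NjRAT relies on.
    Set-ItemProperty -Path $policy -Name NoAutorun -Value 1 -Type DWord
}

function Test-AutorunDisabled {
    $p = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    return ($p.NoDriveTypeAutoRun -eq 0xFF) -and ($p.NoAutorun -eq 1)
}

Set-AutorunDisabled
Test-AutorunDisabled   # True once both values are in place
```

Windows 7 and later already ignore autorun.inf on USB mass-storage devices, so on current hosts the policy mainly closes the optical-media case and documents the control; on older or unpatched machines it is the setting that actually breaks the USB spreading described above.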
For more tips on how to keep your device safe, go to the Microsoft security help & learning portal.
To learn more about preventing trojans or other malware from affecting individual devices, read about preventing malware infection.