njRAT pushes Lime ransomware and bitcoin wallet stealer

njRAT, also known as Bladabindi, is a remote access Trojan (RAT) that was first seen in 2013 and continues to be one of the most prevalent malware family. It was developed using the Microsoft .NET framework and, like many other RATs, provides complete control of the infected system and delivers an array of features to the remote attacker. There are multiple .NET obfuscation tools that make detection difficult for antivirus solutions and that hinder analysis by security researchers. njRAT utilizes dynamic DNS for command-and-control (C2) servers and communicates using a custom TCP protocol over a configurable port. We covered njRAT builder kit in our previous blog published in 2015. In this blog, we will cover one of the newer variant of njRAT dubbed njRAT Lime Edition that we are seeing in the wild. This variant includes support for: Ransomware infection Bitcoin grabber Keylogger USB spreader Password stealer Bot killer Below is a snapshot of the njRAT Lime Edition configuration file: Some highlights from the configuration files: Configured to drop into Temp folder of the infected system with filename Client.exe Bot Version: 0.7.3 C&C server: online2018.duckdns[.]org Port Number: 1700 The malware tries to gather the running process in the victim’s machine and uses it to track crypto wallets when merchants buy or sell Bitcoins or make other payments. These digital wallets securely store digital currency, and they can be connected to bank accounts, debit cards, or credit cards, so that digital currency can be exchanged into and out of one’s local currency. Bitcoin core aka bitcoin-qt Bitcoin.com Electrum The malware leverages windows WMI queries, such as “SELECT * FROM AntivirusProduct” and “SELECT * FROM Win32_VideoController,” to check for VM or sandbox environment. Video card Installed antivirus Volume information CPUID The malware monitors the following processes in the victim’s machine. If any of of these processes is running, the malware will not execute in the system: Process Hacker Process Explorer SbieCtrl SpyTheSpy SpeedGear Wireshark Mbam apateDNS IPBlocker Cports KeyScrambler TiGeR-Firewall Tcpview Xn5x exeinfoPE Regshot RogueKiller NetSnifferCs VGAuthService VBoxService Reflector Capsa NetworkMiner ProcessLasso SystemExplorer ApateDNS Malwarebytes Anti-Malware TCPEye SmartSniff ProcessEye Currports DiamondCS Port Explorer Virustotal Metascan Online Speed Gear The Wireshark Network Analyzer Sandboxie Control .NetReflector The malware also verifies if a Slowloris DDoS attack is already in progress on the victim’s machine by enumerating the files in the specific folder. Slowloris is an attack tool designed to allow a single machine to take down a server without using a lot of bandwidth, and also to send multiple partial HTTP requests.   The malware shuts down and restarts the system with the following command: Switches: -r -> restart the computer that’s currently being used -t -> time, in seconds -f -> forces running programs to close without warning We have seen the following C&C commands in the malware: C&C Commands delchrm Delete chrome cookies MonitorOFF Turn off monitor TextToSpeech   NormalMouse   taskmgrON Enable task manager ChngWLL Change wallpaper Kl Keylogger command that checks foreground window and keys pressed Seed Sharing , downloading files with torrent software such as BitTorrent and uTorrent ddos.slowloris.start Check Slowloris attack running status RwareSU Enumerate folders infected with ransomware and use stream writer function to checks strings in the notepad, such as “All your files have been locked,” “Our bitcoin address is,” etc. restartme Restart the computer DisableCMD Disable command prompt EventLogs Delete event logs BitcoinOFF Shut down system Botk Killing the bot using cmd and wscript command pcspecs Check video card and CPU info Searchwallet Check installed bitcoin wallets in the system PLG Load plugin and configure with C&C server The malware also has a WORM functionality to spread through USB that enumerates the files and folders on the hard drive. Once it detects the USB drive inserted into the system, it copies itself to the USB drive and creates a shortcut using the folder icon. Ransomware functionality The ransomware encrypts files with the extension .lime using the AES-256 symmetric algorithm, which means the key is the same for encryption and decryption. Ransomware Key generation When Lime is first launched, it will call a RandomString() function, which will attempt to generate an AES key. It generates a 50-byte array from the input string using a random index, and uses the random() function to fetch one character and stores it to the output string. Lime drops the output string at \\Microsoft\\MMC\\hash with the .lime extension. The malware also contains function to decrypt all files that are encrypted by Lime ransomware at \\Microsoft\\MMC\\hash



This is a Security Bloggers Network syndicated blog post authored by tdewan@zscaler.com. Read the original post at: Research Blog