CyberSecurity SEE

Beware: Weaponized TeamViewer Installer That Delivers njRAT

In recent years, threat actors have increasingly been exploiting legitimate software to deliver malware to unsuspecting victims. TeamViewer, a popular remote desktop support software, has become a common target for these malicious actors. A recent report from Cyble Research & Intelligence Labs highlighted the use of TeamViewer as a means to deliver the njRAT malware.

The njRAT malware is a remote access trojan that is capable of carrying out various malicious activities, such as keylogging, password stealing, data exfiltration, accessing webcams and microphones, downloading additional files, and more. It was first discovered in 2012 and primarily targeted organizations in Middle Eastern nations.

Traditionally, njRAT has been distributed through methods like phishing campaigns, cracked software on file-sharing websites, and drive-by downloads. However, the malware has now evolved to be distributed via trojanized applications. In this particular case, njRAT is being delivered through a trojanized version of TeamViewer.

Once the trojanized installer is executed, it drops two files in the C:\Windows folder, one of which is the njRAT payload itself. The installer then triggers the malware by launching a file called “TeamViewer Starting.exe” and, at the same time, launches the legitimate “teamviewer.exe” application so the user sees a normal TeamViewer installation. While TeamViewer installs, njRAT starts its own installation by copying itself to the \AppData\Local\Temp folder under the name “system.exe.” It then executes the newly dropped file and creates a mutex (a common way for malware to ensure only one instance is running).

To operate without interruption on the infected system, njRAT sets the “SEE_MASK_NOZONECHECKS” environment variable in Windows. With this variable set, Windows suppresses the security warning prompts and dialog boxes normally shown when running files from untrusted zones, so the malware can run without the user being alerted. Additionally, the malware changes the Windows Firewall rules to allow communication with its Command and Control (C2) server.

Furthermore, njRAT creates two autorun entries in the system registry to maintain persistence; these entries ensure that the malware runs every time the system starts up. The malware also collects information such as keystrokes, Windows OS version, service pack, webcam information, current date, username, system architecture, and specific registry keys. This information is stored in the “%appdata%/temp” folder under the filename “System.exe.tmp.”

Given the severity and potential impact of njRAT, it is crucial to be aware of its indicators of compromise. These indicators include specific file hashes for the trojanized TeamViewer and the malicious files “system.exe” and “TeamViewer Starting.exe.” Additionally, one of the indicators is “hxxp://kkk[.]no-ip[.]biz,” which is the C2 server utilized by the malware for communication.
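As an added defender-side example (not code from the original article or the Cyble report), the following PowerShell triage script checks a Windows host for the artifacts the article describes: the dropped files, autorun entries pointing at a Temp-resident system.exe, a persisted SEE_MASK_NOZONECHECKS variable, and a firewall allow rule for system.exe. The exact file paths, registry keys, match patterns, and the assumption that the variable is persisted at user or machine scope are derived from the article's prose, not from the report's indicators.

```powershell
# Host triage for the njRAT/TeamViewer indicators described in the article.
# Paths, registry keys and match patterns are assumptions derived from the
# article's prose, not values taken from the Cyble report.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($type, $detail) { $findings.Add([pscustomobject]@{ Type = $type; Detail = $detail }) }

# 1. Dropped files: "TeamViewer Starting.exe" in C:\Windows, "system.exe" in
#    %LOCALAPPDATA%\Temp and the "System.exe.tmp" collection file in %APPDATA%\temp.
$paths = @(
    (Join-Path $env:windir 'TeamViewer Starting.exe'),
    (Join-Path $env:LOCALAPPDATA 'Temp\system.exe'),
    (Join-Path $env:APPDATA 'temp\System.exe.tmp')
)
foreach ($p in $paths) { if (Test-Path -LiteralPath $p) { Add-Finding 'File' $p } }

# 2. Autorun (Run key) entries pointing at a system.exe under a Temp directory.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $props.PSObject.Properties.Name) {
        $value = [string]$props.$name
        if ($value -match '(?i)\\temp\\system\.exe') { Add-Finding 'Autorun' "$key\$name = $value" }
    }
}

# 3. SEE_MASK_NOZONECHECKS persisted at user or machine scope (assumption);
#    when set it suppresses the "Open File - Security Warning" prompt.
foreach ($scope in 'User', 'Machine') {
    $v = [Environment]::GetEnvironmentVariable('SEE_MASK_NOZONECHECKS', $scope)
    if ($v) { Add-Finding 'EnvVar' "SEE_MASK_NOZONECHECKS=$v ($scope scope)" }
}

# 4. Firewall rules that allow a program named system.exe (NetSecurity module).
Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Program -match '(?i)\\system\.exe$' } |
    ForEach-Object {
        $rule = $_ | Get-NetFirewallRule
        if ($rule.Action -eq 'Allow') { Add-Finding 'Firewall' "$($rule.DisplayName) -> $($_.Program)" }
    }

if ($findings.Count) { $findings | Format-Table -AutoSize } else { 'No indicators from this report found.' }
```

Run it from an elevated PowerShell session so the HKLM Run key and firewall rules are readable; a hit on any check warrants pulling the file hashes and comparing them against the report's indicators.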

As threat actors continue to exploit legitimate software for their malicious activities, organizations and individuals must remain vigilant and proactive in their cybersecurity measures. Regularly updating software, implementing strong security protocols, and educating users about the potential risks and threats can help mitigate the impact of such attacks. Furthermore, organizations should consider deploying robust endpoint security solutions that can detect and block these types of malware before they can cause any harm.

It is essential for software providers and developers to prioritize the security of their products and regularly release updates and patches to address vulnerabilities that could be exploited by threat actors. Working closely with security researchers and organizations to identify and mitigate any potential vulnerabilities can greatly enhance the overall security of software products.

In conclusion, the exploitation of legitimate software, such as TeamViewer, for malware delivery is a concerning trend. The use of njRAT malware in conjunction with TeamViewer highlights the need for increased cybersecurity measures and awareness. By staying informed about the latest threats, implementing robust security practices, and regularly updating software, individuals and organizations can protect themselves from these malicious attacks.
