njRAT, a remote access trojan that was discovered in 2012, has recently been found targeting TeamViewer users and stealing sensitive data from compromised devices. TeamViewer, a popular software application used for remote support and control access, was used as a disguise by njRAT to carry out its malicious activities.
According to a blog post by cybersecurity firm Cyble, njRAT captured keystrokes, took screenshots, and stole passwords from TeamViewer users. It also gained unauthorized access to the webcam and microphone of compromised devices and exfiltrated data. The stolen data included system information such as the Windows operating system version and service pack, the username, the system architecture, and registry keys.
Before exfiltrating the collected data, njRAT base64-encoded it. Base64 is a reversible encoding, not encryption: no key is involved, so anyone who captures the traffic can decode the data as easily as the operator. The dropper also placed both njRAT and a legitimate copy of TeamViewer on the compromised device, but njRAT ran its programmed malicious activity before the user ever reached the genuine application.
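The point about base64 is worth seeing in code. The following is an added example written for this page, not code from Cyble's report or from njRAT itself: it takes a captured payload, identifies the fields that are well-formed base64, and recovers the plaintext. The sample payload is constructed here by encoding a made-up host profile of the kind the article describes, and the pipe delimiter between fields is an assumption of the example, not something the report states.

```python
import base64
import binascii
import re
import string
from typing import List, Optional, Tuple

# Base64 alphabet, optional '=' padding, no whitespace.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def try_decode_base64(token: str) -> Optional[str]:
    """Return the decoded text if token is well-formed base64 that decodes to
    printable text, else None.

    Base64 is an encoding, not encryption: no key is involved, so anyone who
    captures the traffic can reverse it exactly as this function does.
    Very short tokens (4 characters) can be false positives; treat a hit as
    something to inspect, not as proof of exfiltration.
    """
    if len(token) < 4 or len(token) % 4 or not _B64_RE.match(token):
        return None
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None
    if not all(ch in string.printable for ch in text):
        return None
    return text


def decode_fields(payload: str, sep: str = "|") -> List[Tuple[str, Optional[str]]]:
    """Split a captured payload on sep (the delimiter is an assumption of this
    example) and try to decode every field, keeping the raw field beside its
    decoded form so an analyst can see which parts were encoded."""
    return [(field, try_decode_base64(field)) for field in payload.split(sep)]


def recovered_plaintext(payload: str, sep: str = "|") -> List[str]:
    """Only the fields that decoded cleanly, in payload order."""
    return [text for _, text in decode_fields(payload, sep) if text is not None]


# Constructed sample (not real njRAT traffic): a made-up host profile of the
# kind the article describes, base64-encoded field by field, plus one field
# that is not base64 at all.
PLAINTEXT_FIELDS = ["Windows 10 Pro", "Service Pack 0", "alice", "x64"]
CONSTRUCTED_PAYLOAD = "|".join(
    base64.b64encode(f.encode()).decode() for f in PLAINTEXT_FIELDS
) + "|ping!"

if __name__ == "__main__":
    for raw, decoded in decode_fields(CONSTRUCTED_PAYLOAD):
        print(f"{raw:24} -> {decoded!r}")
```

The same approach applies to any proxy log or packet capture: run the candidate fields through the decoder and the "hidden" system profile reads back as plain text, which is why base64 on its own should never be counted as data protection in either direction.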
Cyble confirmed that njRAT, also known as Bladabindi, primarily targeted organizations in Middle Eastern countries. The trojan runs a dedicated thread that continuously monitors and records keystrokes, sleeping only 1 ms between iterations so that no keystroke is missed.
Beyond the TeamViewer lure, njRAT also spreads through phishing campaigns and drive-by downloads, which let it infect more devices and extend its reach.
Researchers from Cyble's Research and Intelligence Labs (CRIL) analyzed njRAT samples and found that the sample was a 32-bit Smart Installer. On execution, the installer dropped two files into the Windows folder: the njRAT payload and a genuine TeamViewer application.
The malicious file, named "TeamViewer Starting.exe," ran alongside the legitimate TeamViewer application and showed the user a window asking them to accept and finish the TeamViewer installation. Because the genuine installer appeared and behaved as expected, the user had no visible reason to suspect that a second program was running.
To evade detection, njRAT used filenames resembling legitimate Windows files, making its presence harder to notice. It also created a mutex (a synchronization object) so that a second launch would find an existing infection and exit rather than run twice. The mutex name, "01b5fcf8ce2fab8868e80b6c1f912fe", was hardcoded into the njRAT binary, which makes it a usable host indicator.
Additionally, njRAT modified security settings and added a firewall rule so that it could receive commands from its command-and-control (C2) server; with no commands pending, the trojan stayed idle. It also copied itself to the Startup directory so that it ran automatically at every boot.
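The behaviours in the two paragraphs above (the hardcoded mutex, the lookalike filename, the firewall rule and the Startup-folder copy) translate directly into host triage checks. The following is an added example written for this page, not code from Cyble or from any product: it runs those four checks over constructed endpoint events. The mutex name and the "TeamViewer Starting.exe" filename come from the article; the assumption that the firewall rule was added with netsh, the Startup-folder path pattern, and the sample events themselves are this example's own and are not stated in the report.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Mutex name quoted in the article for this njRAT sample.
NJRAT_MUTEX = "01b5fcf8ce2fab8868e80b6c1f912fe"

# An executable written into a per-user or all-users Startup folder
# (path fragment assumed for this example).
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.IGNORECASE)

# Firewall rule creation from the command line. That njRAT used netsh is an
# assumption of this example; the article only says a firewall rule was created.
NETSH_FW_RE = re.compile(
    r"\bnetsh(?:\.exe)?\b.*\b(?:firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)\b",
    re.IGNORECASE,
)

# The dropper's lookalike filename, run next to the real TeamViewer.
LOOKALIKE_RE = re.compile(r"\\TeamViewer Starting\.exe\b", re.IGNORECASE)


@dataclass(frozen=True)
class Event:
    kind: str    # "process" (command line), "file" (path written) or "mutex" (name created)
    detail: str


def triage(events: Iterable[Event]) -> List[Tuple[str, str]]:
    """Return (rule_id, detail) pairs for events that match the njRAT behaviours above."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        if ev.kind == "mutex" and ev.detail.lower() == NJRAT_MUTEX:
            findings.append(("njrat_mutex", ev.detail))
        elif ev.kind == "file" and STARTUP_DIR_RE.search(ev.detail):
            findings.append(("startup_exe_drop", ev.detail))
        elif ev.kind == "process" and NETSH_FW_RE.search(ev.detail):
            findings.append(("firewall_rule_added", ev.detail))
        elif ev.kind == "process" and LOOKALIKE_RE.search(ev.detail):
            findings.append(("teamviewer_lookalike", ev.detail))
    return findings


# Constructed sample events (not real telemetry), mixing benign and suspicious activity.
# The svchost.exe name in Startup is a made-up instance of a Windows-lookalike filename.
SAMPLE_EVENTS = [
    Event("process", r'"C:\Program Files\TeamViewer\TeamViewer.exe"'),
    Event("process", r'"C:\Windows\TeamViewer Starting.exe"'),
    Event("mutex", "01b5fcf8ce2fab8868e80b6c1f912fe"),
    Event("file", r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"),
    Event("file", r"C:\Users\alice\Documents\report.docx"),
    Event("process", r'netsh firewall add allowedprogram "C:\Windows\TeamViewer Starting.exe" "TeamViewer Starting.exe" ENABLE'),
    Event("process", r"ipconfig /all"),
]

if __name__ == "__main__":
    for rule_id, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule_id}] {detail}")
```

Each rule is deliberately narrow: the mutex match is exact, the Startup check fires only on executables, and the firewall check needs both the tool name and an add-rule verb. On a real host the inputs would be Sysmon or EDR process, file and mutex events rather than the constructed list, and any single hit is a reason to pull the binary, not a verdict on its own.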
To protect against njRAT and similar malware, Cyble recommends downloading applications only from official sources rather than from third-party websites or pop-ups, keeping automatic updates enabled and checking for updates manually from time to time, running antivirus software on every device, and not clicking links or downloading attachments from untrusted or unexpected emails.
The discovery of njRAT targeting TeamViewer users serves as a reminder of the ever-present threats in the digital landscape. Users must remain vigilant and take necessary precautions to protect their devices and sensitive information from sophisticated malware attacks.

