A Tale of Two Crypters

In early March 2017 we saw a surge in malware samples with similar behaviours and low detection rates, often triggering only generic and/or heuristic antivirus signatures. Examining these revealed them to be samples of the venerable njRAT Trojan (also known as Bladabindi) and, unsurprisingly, showed their post-infection behaviour and capabilities to align with known njRAT patterns (keylogging, screen capturing, etc.).

Two samples were examined in particular: both of them downloaded a sizeable 'blob' from Pastebin and communicated with C2s hosted on domains associated with dynamic DNS services - typical features of njRAT campaigns dating back several years. However, despite being two different versions of the same malware, and even having compilation timestamps within a day of each other, the two samples use quite different obfuscation methods.
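The two campaign traits named above (a raw Pastebin download followed by contact with a dynamic DNS domain) can be turned into a simple triage check over proxy logs. The following is an added example, not code from the Forcepoint post; it assumes a hypothetical `timestamp host method url` log format and a hand-picked list of dynamic DNS suffixes, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (assumed format: timestamp src_host method url).
SAMPLE_LOG = """\
2017-03-02T10:01:05 ws-17 GET https://pastebin.com/raw/AbCdEf12
2017-03-02T10:01:09 ws-17 POST http://fake-c2-host.no-ip.biz:1177/
2017-03-02T10:02:11 ws-22 GET https://pastebin.com/raw/ZyXwVu98
2017-03-02T10:03:40 ws-31 GET https://www.example.org/index.html
2017-03-02T10:04:02 ws-31 GET http://fake-backup.ddns.net/status
"""

# Assumed list of dynamic DNS parent domains; extend it for your own environment.
DYNDNS_SUFFIXES = ("no-ip.biz", "no-ip.org", "ddns.net", "hopto.org", "zapto.org", "duckdns.org")
PASTEBIN_RAW = re.compile(r"^https?://(?:www\.)?pastebin\.com/raw/", re.IGNORECASE)
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def host_of(url):
    """Return the hostname of a URL, dropping scheme, port and path."""
    return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0].lower()


def is_dyndns(host):
    """True if the host is a dynamic DNS parent domain or one of its subdomains."""
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)


def find_suspicious_hosts(log_text):
    """Map each source host that both fetched a raw Pastebin paste and
    contacted a dynamic DNS domain to the sorted list of those domains."""
    seen = defaultdict(lambda: {"pastebin": False, "dyndns": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        _ts, src, _method, url = m.groups()
        if PASTEBIN_RAW.match(url):
            seen[src]["pastebin"] = True
        elif is_dyndns(host_of(url)):
            seen[src]["dyndns"].add(host_of(url))
    return {src: sorted(v["dyndns"]) for src, v in seen.items()
            if v["pastebin"] and v["dyndns"]}


if __name__ == "__main__":
    for src, domains in find_suspicious_hosts(SAMPLE_LOG).items():
        print(f"{src}: raw Pastebin download plus dynamic DNS contact: {', '.join(domains)}")
```

Only hosts showing both traits are reported; a lone Pastebin fetch or a lone dynamic DNS lookup is common enough in normal traffic that it should not raise an alert on its own.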

Article Link: https://blogs.forcepoint.com/security-labs/tale-two-crypters