NJRat Trojan Returns To Life, Warns PhishMe

A security researcher has warned that a remote access trojan called NJRat, seems to be returning from the dead.

The warning came from security specialist PhishMe, which found evidence that the malware is making a comeback.

NJRat Returns

The warning was made by PhishMe’s senior researcher Ronnie Tokazowski in a blog posting.

“NJRat is a remote-access Trojan that has been used for the last few years. We haven’t heard much about NJRat since April 2014, but some samples we’ve recently received show that this malware is making a comeback,” he blogged.

Tokazowski said that he had examined recent messages and the malware within, and discovered that the executable element had been compiled with .NET 4.0.

“This is worth mentioning because most of the malware today is written in C/C++,” he warned. “The biggest benefit for malware to be written in .NET is that it can be difficult to decode and see what is truly going on. While the .NET code can be decompiled back to the original code (not 100%, but closer than most), regular analysis techniques can throw off analysis, as the code is different. This is why we often have to rely on dynamic analysis, or just double-clicking the file, for .NET analysis.”

So what nastiness does NJRat contain? Well, once the malware runs, it copies itself onto the victim’s machine and begins to attempt connections with the outside world.

“The IP address appears to be part of VPN infrastructure,” he wrote. “Based off of the analysis from the Fidelis article, the VPN infrastructure and no-IP dynamic DNS matches up very well. VPN references also match up with one of the two NJRat Facebook pages…”

NJRat made headlines last year, as the malware was mostly used by hackers in the Middle East. It was used to attack governmental and civilian targets in the Middle East and North Africa. Symantec reportedly said at the time that njRAT was similar in capability to remote access tools (RATs) used to control botnets, but njRAT differed from other RAT malware due to its level of support and development by Arabic speakers.

It also apparently infected up to 20,000 machines at its height.

In August last year, a group calling itself the Syrian Malware Team (SMT) was spotted carrying out attacks using the sophisticated BlackWorm Remote Access Tool (RAT), with one of the members thought to be responsible for its creation.

What do you know about famous hackers? Take our quiz!

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago