Home > List all groups > List all tools > List all groups using tool njRAT

Threat Group Cards: A Threat Actor Encyclopedia

Tool: njRAT

Names	njRAT Bladabindi Jorik
Category	Malware
Type	Backdoor, Keylogger, Credential stealer, Info stealer, Downloader, Exfiltration
Description	(Carbon Black) njRAT is a Remote Access Trojan (RAT) that will silently collect and steal sensitive information such as login credentials. It can also perform keylogger monitoring, remote desktop control, installing additional malicious software, and many other malicious activities on the victim’s computer. In addition, njRAT is still a malware family that is being actively distributed via various methods such as spear-phishing, malvertising, exploit kits and other techniques. Figure 1 shows a screenshot for the njRAT Panel Menu. Depending on the configuration taken from the attackers in njRAT panel, the features it provided can be used to perform malicious activities such as stealing sensitive data/information, disabling security software, install additional malicious payload to the victim’s computer and many more harmful actions. Upon the execution of njRAT, it will connect to the command and control (C&C) server, allowing the attacker to perform malicious activity on the victim’s machine. Other than that, it will create copies of itself in the %Temp% folder and rename itself by masquerading as a legitimate binary. In this example it was renamed to ‘svhost.exe’ which is trying to imitate ‘svchost.exe’. Furthermore, it tries to hide its persistence from the user by setting the file attributes as ‘Hidden’ onto the original and the copy of the binary. Moreover, it will also make a copy of itself in the “%AppData%\Microsoft\Windows\Start Menu” folder and create or modify the registry key for persistence to ensure it will be executed on startup. The following event logs from CB Threat Hunter shown below display the relevant events.
Information	<https://www.carbonblack.com/2019/12/10/threat-analysis-unit-tau-threat-intelligence-notification-njrat/> <http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf> <http://csecybsec.com/download/zlab/20171221_CSE_Bladabindi_Report.pdf> <http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/> <https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services> <https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/> <https://unit42.paloaltonetworks.com/njrat-pastebin-command-and-control/> <https://www.zscaler.com/blogs/research/njrat-pushes-lime-ransomware-and-crypto-wallet-grabbers>
MITRE ATT&CK	<https://attack.mitre.org/software/S0385/>
Malpedia	<https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat>
AlienVault OTX	<https://otx.alienvault.com/browse/pulses?q=tag:njRAT>

Last change to this tool card: 20 January 2021

Download this tool card in JSON format

All groups using tool njRAT

Changed	Name	Country	Observed
APT groups
	Aggah	[Unknown]	2018-Jun 2022
	APT 41		2012-Aug 2024
	Aquatic Panda		2020
	Blind Eagle		2018-Jun 2024
	Gorgon Group		2017-Jul 2020
	Group5		2015
	LazyScripter	[Unknown]	2018
	Molerats, Extreme Jackal, Gaza Cybergang	[Gaza]	2012-Jul 2023
	OilAlpha		2022
	Operation Comando	[Unknown]	2018
	Operation Epic Manchego	[Unknown]	2020
	Operation Layover		2013
	Operation Spalax	[Unknown]	2020
	RATicate	[Unknown]	2019
	RedAlpha		2015-2021
	RevengeHotels	[Unknown]	2015
	SideCopy		2019-Oct 2023
	Sphinx	[Unknown]	2014
	↳ Subgroup: Goldmouse, APT-C-27		2014
	↳ Subgroup: Pat Bear, APT-C-37		2015
	TA558	[Unknown]	2018-Jun 2023
	Transparent Tribe, APT 36		2013-Jun 2024

22 groups listed (22 APT, 0 other, 0 unknown)

↑

Threat Group Cards: A Threat Actor Encyclopedia

Tool: njRAT

All groups using tool njRAT

APT groups

Follow us on

Report incidents