FireEye Labs has discovered an intriguing new sibling of the njRAT remote access tool (RAT) that one-ups its older "brother" with a couple of diabolically clever features. Created by the same author as njRAT — a freelance coder who goes by the moniker njq8 — the new njw0rm malware has the ability to spread using removable computer storage and can steal login credentials to a popular dynamic DNS service.
The older njRAT was first documented about a year ago by FireEye as Backdoor.LV. Most of the command-and-control (CnC) infrastructure associated with njRAT, like many of its targets, were based in the Middle East. The CnC servers associated with njw0rm are also based in the Middle East, though we have not yet seen njw0rm used in targeted attacks.
Njw0rm has the usual RAT features, but adds a key enhancement — it is designed to spread via removable devices such as USB drives. FireEye researchers have seen njw0rm delivered initially through malicious links in emails and using drive-by downloads on compromised websites. The malware aims to steal user credentials, execute commands, and receive future updates from the attacker.
Njw0rm is coded in Visual Basic script, but requires AutoIt to build the dropper. It provides an attacker with common options such as the ability to designate a name for its binary, configure its CnC servers, whether to “melt” or delete the binary after execution, and so on.
When you first start the builder, it asks you to assign a port for incoming traffic (1888 by default).
The control panel contains a window for logging and another window with details of active infections.
The name of the infected machine is followed by the serial number of %homedrive%. It also includes information on its location, OS (and service pack installations), removable storage devices present, and currently active windows.
The following functions are available from the control panel:
The Get Passwords command has the capability to steal passwords from three different sources:
- FTP passwords stored under
- Chrome browser passwords in \Google\Chrome\User Data\Default\Login Data\
- Account credentials for the No-IP dynamic DNS service, read from the registry key HKLM\SOFTWARE\Vitalwerks\DUC and base64-decoded
The credentials stored by the Google Chrome Web browser are decrypted locally using the CryptUnprotectData() function provided by Crypt32.dll. This API enables an application to decrypt Triple-DES encrypted passwords as long as they were encrypted under the same logon credentials.
The ability to steal No-IP credentials is unique. Many threat actors use dynamic DNS domains for their infrastructure. So an attacker with stolen No-IP credentials could use the service to perform reconnaissance or target other systems.
The Njw0rm bot connects to the CnC server and waits for commands. If no command is received, the worm sends the following information to a hard-coded domain:port every two seconds.
The above code roughly translates to:
“lv” + 0njxq80 + name_serial + 0njxq80 + Kernel32.dll.GetLocaleInfo() + 0njxq80 + OS info + 0njxq80 + worm version + 0njxq80 + removable drive available + 0njxq80 + title of
Like njRAT, njw0rm starts each message with the "lv" keyword; it uses “0njxq80” as the field separator.
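The beacon layout above is simple enough to parse and flag in captured CnC traffic. The following is an added example (not FireEye's code) that splits a message on the “0njxq80” delimiter and checks for the leading "lv" keyword; the sample messages are constructed, and the value used for the "removable drive available" field is an assumption.

```python
# Added example (not FireEye's code): parse njw0rm-style beacons and flag
# them in captured CnC traffic. Field order follows the post's description;
# the sample messages are constructed, and the "True" used for the
# removable-drive field is an assumption about its encoding.
DELIM = "0njxq80"
KEYWORD = "lv"
FIELDS = ("name_serial", "locale", "os_info", "worm_version",
          "removable_drive", "window_title")


def parse_beacon(payload: str):
    """Return the beacon's fields as a dict, or None if it is not njw0rm-shaped."""
    parts = payload.strip().split(DELIM)
    # The message must start with the "lv" keyword and carry all six fields.
    if parts[0] != KEYWORD or len(parts) - 1 < len(FIELDS):
        return None
    values = parts[1:]
    # The window title is free text; if it happened to contain the delimiter,
    # join the surplus pieces back onto it rather than drop them.
    tail = DELIM.join(values[len(FIELDS) - 1:])
    return dict(zip(FIELDS, values[:len(FIELDS) - 1] + [tail]))


def scan_lines(lines):
    """Return (line_number, parsed_fields) for every njw0rm beacon found."""
    hits = []
    for n, line in enumerate(lines, start=1):
        fields = parse_beacon(line)
        if fields is not None:
            hits.append((n, fields))
    return hits


# Constructed sample traffic: one unrelated request, then one beacon.
SAMPLE_LINES = [
    "GET / HTTP/1.1",
    DELIM.join([KEYWORD, "WORKSTATION_1A2B3C4D", "en-US", "Windows 7 SP1",
                "0.3.3a", "True", "Untitled - Notepad"]),
]

if __name__ == "__main__":
    for n, f in scan_lines(SAMPLE_LINES):
        print(n, f["name_serial"], f["worm_version"], f["window_title"])
```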
The Worm Aspect
Njw0rm constantly checks for removable devices present on the host. If a removable drive’s status is “Ready” and it has more than 1024 megabytes free, njw0rm creates a hidden My Pictures directory (if it doesn't already exist). It then gets a list of 10 folders on the removable drive, hides those 10 folders, and creates shortcut links with the same names for each of them — all pointing to the malware executable. When unsuspecting users click on one of the shortcuts to open what they think is a familiar folder, they execute the worm instead.
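The decoy layout described above (hidden folders shadowed by same-named shortcuts, plus a hidden My Pictures directory) can be spotted from a directory listing. The following is an added example (not FireEye's code) that checks one directory level for that pattern; the sample listing is constructed, and the hidden attribute is only available from os.stat on Windows.

```python
# Added example (not FireEye's code): detect the njw0rm decoy layout on a
# removable drive, i.e. hidden folders shadowed by a same-named .lnk and a
# hidden "My Pictures" staging directory. The sample listing is constructed.
import os
import stat
from dataclasses import dataclass


@dataclass
class Entry:
    name: str
    is_dir: bool
    hidden: bool


def list_drive(path):
    """Build Entry objects for one directory (hidden flag is Windows-only)."""
    out = []
    for d in os.scandir(path):
        st = d.stat(follow_symlinks=False)
        attrs = getattr(st, "st_file_attributes", 0)  # absent off Windows
        hidden = bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
        out.append(Entry(d.name, d.is_dir(follow_symlinks=False), hidden))
    return out


def find_decoy_shortcuts(entries):
    """Return .lnk names whose base name matches a hidden folder beside them."""
    hidden_dirs = {e.name.lower() for e in entries if e.is_dir and e.hidden}
    decoys = [e.name for e in entries
              if not e.is_dir and e.name.lower().endswith(".lnk")
              and e.name[:-4].lower() in hidden_dirs]
    return sorted(decoys)


def has_hidden_my_pictures(entries):
    """True if a hidden 'My Pictures' directory is present at this level."""
    return any(e.is_dir and e.hidden and e.name.lower() == "my pictures"
               for e in entries)


# Constructed listing: two decoyed folders, one ordinary shortcut, the stash.
SAMPLE = [
    Entry("Photos", True, True), Entry("Photos.lnk", False, False),
    Entry("Work", True, True), Entry("Work.lnk", False, False),
    Entry("Music", True, False), Entry("Music.lnk", False, False),
    Entry("My Pictures", True, True), Entry("readme.txt", False, False),
]

if __name__ == "__main__":
    print(find_decoy_shortcuts(SAMPLE), has_hidden_my_pictures(SAMPLE))
```

On a live drive, call find_decoy_shortcuts(list_drive("E:\\")) on the Windows host that mounts it; the shortcuts' targets can then be inspected separately.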
Connections to njRAT
Looking at the comments section of the code, researchers can conclude that njw0rm is coded by njq8, the author who also created njRAT. Although njw0rm’s communications are not base64 encoded, it uses the same keyword "lv" at the beginning of every communication and “0njxq80” as a delimiter instead of “|”, two features that are identical to njRAT’s communication.
The malware's author is prolific. According to his Freelancer.com profile, he lives in Kuwait and is a coder for hire.
Based on the comments in the source code, njw0rm was last updated on May 16th with version 0.3.3a. We have seen versions ranging from 0.2 – 0.4d in the wild. The newer version likely includes bot-killer functionality that was left unfinished in 0.3.3a.
We have seen communications back to the following domains and ports:
Geolocations of CnC
Most of njw0rm's CnC infrastructure is hosted in the Middle East — just like njRAT — with a few exceptions.
The Njw0rm RAT is clearly authored by the same person who wrote njRAT. Like njRAT, most of the njw0rm CnC infrastructure is also hosted in the Middle East. The callback structure is also similar to njRAT. Currently, the worm does not appear to be used in a targeted fashion. But based on the callback data, njw0rm is evolving quickly — so expect to see more of it in the future.
(Special thanks to Thoufique Haq for his help with this research.)
f6b31d4abeb50db38093003bd93dc02e f863f3878ebd2e449beb78dc214380ab ff573fc5a7c9b12fa15c984eb0228a64