While investigating an unrelated threat I ran into a rather interesting njRat campaign.
It started with a website that had been compromised and was being abused as a 3rd layer C2 communication proxy. It seems those guys weren't the only ones using it.
When visiting the website's main page I was greeted with an alert pop-up:
Looking at the page title and message content I was expecting some kind of fake support or fake antivirus page; I was correct (for this part):
Waiting for the result of the scan I was prompted by the usual 'you need help, click here' messages:
When clicking one of the buttons (or the X close button, basically anything on the page) your browser was presented with a download of ‘Antivirus 2015’:
When running the ‘Antivirus 2015’ payload the user is presented with a popup:
The message (although in broken English) tells us we're clear of any infections. If we check the startup entries via msconfig we can see something new was added, running from our %temp% directory:
We can see it's there to stay, implementing persistence using startup keys, a (very) old trick.
While you might think the popup is due to the virtual machine setup or debugger being detected, it actually isn't. The 'Antivirus 2015' payload is in fact a stage 1 dropper of something more interesting; the payload in the %temp% directory is a stage 2 dropper with an embedded stage 3.
If you throw the 'Antivirus 2015' (stage 1) payload in a decompiler you will see it's a small obfuscated loader written in C#. Its most important function is shown here:
The ‘main’ function of this loader does the following:
- Display the popup with the message
- Make sure the application (and its icon) aren’t shown in the taskbar
- Decode a string of text (under Label_004D) which contains a link to a pastebin post
- Download whatever is at this pastebin link
- Use the content of the pastebin post as another URL and download data from it
- The data obtained from the link inside the pastebin post is written to ’%temp%/notepad.exe’
- Execute the ’%temp%/notepad.exe’ payload
The content of the pastebin post is a link to a file on ge.tt which is another PE file:
This payload is stage 2 of our infection and is in fact another loader. If you decompile this one you will find it's another C# loader with similar 'obfuscation' techniques for the main program flow:
The difference is that instead of downloading another payload it has an embedded Windows PE. The flow of this loader is:
- Hide itself from the taskbar
- Reverse and base64 decode an embedded text string (The expression variable under Label_003C starting with a lot of A’s)
- Take this buffer and feed it to a function called ’ss’
The ’ss’ function is a classic way of executing a PE file from within C# code:
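As an added triage helper (not code from the post or from the loader itself), the snippet below undoes the stage 2 encoding described above, reversing the string and base64-decoding it, and then checks that the result carries valid MZ/PE headers before hashing it; the input blob is a constructed stand-in built inline, not the real sample.

```python
import base64
import hashlib
import struct

# Constructed stand-in for the stage-2 blob: a minimal fake PE image
# (valid MZ/PE headers, zero padding), base64-encoded and then reversed,
# which is the encoding order the loader undoes. Not the real sample.
def build_constructed_blob() -> str:
    image = b"MZ" + b"\x00" * (0x3C - 2)          # DOS header up to e_lfanew
    image += struct.pack("<I", 0x40)               # e_lfanew -> PE header at 0x40
    image += b"PE\x00\x00" + b"\x00" * 16          # PE signature + trailing padding
    return base64.b64encode(image).decode("ascii")[::-1]

SAMPLE_BLOB = build_constructed_blob()

def decode_reversed_base64(blob: str) -> bytes:
    """Undo the loader's two-step encoding: un-reverse, then base64-decode."""
    return base64.b64decode(blob[::-1], validate=True)

def looks_like_pe(data: bytes) -> bool:
    """Sanity-check the carved bytes: 'MZ' stub, then 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def carve_embedded_pe(blob: str) -> dict:
    """Decode the blob and report whether it is a PE, plus size and SHA-256,
    so the carved stage 3 can be matched against known sample hashes."""
    data = decode_reversed_base64(blob)
    return {
        "is_pe": looks_like_pe(data),
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }

if __name__ == "__main__":
    # The run of leading 'A's in the stored string is the reversed base64 of the
    # image's trailing NUL padding, which is why the blob "starts with a lot of A's".
    print(SAMPLE_BLOB[:32], "...")
    print(carve_embedded_pe(SAMPLE_BLOB))
```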
If we take out the 3rd layer of this attack (the embedded PE inside stage 2) we find it's another C# application. This time it doesn't hold anything like we've seen with the other loaders; it's actually a (semi) large program with lots of functionality. Its structure and implemented functions made me think of a RAT. After running it in a sandbox with inetsim enabled to catch DNS requests and send them to a fake server, I had a positive hit for njRAT. The traffic showed the classic njRAT check-in pattern:
We can even confirm it by using the config decoder made by Kevin; you can get it here: RATDecoders / njRat.py
The output from the tool tells us enough, it's njRAT for sure:
We can triple confirm it if we grab the startup entries we saw earlier and compare them to the configuration:
From the config we can see the C2 DNS name it will resolve is 'supportoffice.likescandy.com'. This currently resolves to 184.108.40.206, which is an IP located in the consumer ADSL range in Saudi Arabia:
If we follow this C2 domain we can find a related sample on VirusTotal from 2014-10-15, a bit more than 7 months ago, named jpck22sj.exe. It connects to the following two C2 domains:
- supportoffice.likescandy.com (220.127.116.11)
- svchost.homelinux.com (18.104.22.168)
This IP is also located in a Saudi Arabia consumer ADSL IP pool:
If we follow this rabbit hole further down we find another sample, submitted a week after the previous one on 2014-10-22, named By Hat_Mast3r.exe. With this sample the IPs had already been changed; 'supportoffice.likescandy.com' was pointing to an IP in Iraq, 22.214.171.124:
While 'svchost.homelinux.com', a secondary backup domain, again pointed to an IP in a Saudi Arabia consumer IP pool:
This campaign seems to be old but still running (although my infection wasn't being manually controlled at the time). The first sample found was submitted 7 months ago.
The operation seems to originate mostly from Saudi Arabia, seeing as its C2 IP is a home IP address and njRat does not support proxying C2 communications over infectees. This means the C2 IP was most likely the actual operator. I have no clue about the exact targets; the website I found was a Dutch website for a hobby group, not really a high-ranked target. The spreading method of a fake antivirus website was also quite confusing; normally I see these things dropping FakeAVs, as I've written about in the past.
Overall an unusual but interesting campaign to keep an eye on, at least I will 😉
IOCs and Samples
I’ve gathered the following DNS entries being resolved related to infections of this campaign:
The following IP addresses were seen as being used for C2 communication:
I’ve gathered the following samples:
- Stage 1 downloaded from the fake antivirus warning website: f67369ff8f2e78a09f5fe80a4ca58dadfda766a24775afcf0c793b47ca124cba
- Stage 2 downloaded via the stage 1 loader: 80e364d140162049f05cbb5bed17ad7348d2f9aff37d2281f83706c4af66be09
- Encoded stage 3 (not present on disk due to it being embedded): eac07d10a5cc52c26b72bb43f2ffa30e6e8da7c2bb18c0786d756755ec99e832
- Related sample from 7 months ago: c50d60fced994896e0b2ad11cac798f9d10db4019fa08c977a2cf4042e6ab798