njRAT, also known as Bladabindi, is a remote access trojan (RAT) designed to allow an attacker to remotely control infected Windows endpoints. The malware gained significant attention in 2020 after being distributed through a cracked version of VMWare software. As of August 2023, ANY.RUN reports that njRAT’s recent outbreak has established its position as one of the top three RATs of choice for cybercriminals. The malware is built on the .NET framework and allows attackers to activate webcams, log keystrokes, steal passwords, and manipulate files and the system registry.

njRAT employs various techniques to evade detection. These techniques include the use of multiple .NET obfuscators to conceal its code, disguising itself as a critical process, and deactivating processes associated with antivirus software.

In this blog post, we utilize Wazuh to detect malicious activities associated with the njRAT malware on an infected Windows endpoint.

Analyzed IOC

The file hashes of the analyzed sample of njRAT malware are listed below:

MD5: a99198757eb9c7f3d031a1224cbc9255
SHA1: f08373c82fb240e8ffc00d60f759f8731809c970
SHA256: 79870d97f8b51763d001c7935c895589c6f29573b45a0c98da4c430c7f676937

njRAT malware behavior

njRAT exhibits several behaviors when executed on a Windows endpoint. Some of these behaviors include the following:

  • njRAT creates a copy of itself in the C:\Users\*\AppData\Local\Temp folder and in the Windows root directory C:\.
  • The malware runs a network shell (netsh) command that alters the local firewall settings on the victim’s endpoint and adds itself to the list of allowed programs:
netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\system.exe" "system.exe" ENABLE
  • njRAT maintains persistence by creating two Run keys in the Windows registry, one in the HKU hive and one in the HKLM hive:
HKU\S-1-5-21-1605714558-552561641-297346831-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\84936d0927c52cbf1a9c1029911fc028

HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\84936d0927c52cbf1a9c1029911fc028

It also adds itself to the Windows startup programs on the victim endpoint, which ensures that the malware survives a system reboot:

C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84936d0927c52cbf1a9c1029911fc028.exe
  • The malware initiates external network communication with its command and control infrastructure.

Infrastructure

To demonstrate the detection of njRAT with Wazuh, we use the following infrastructure.

  • A pre-built, ready-to-use Wazuh OVA 4.5.0. Follow this guide to download the virtual machine (VM). This VM hosts the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard).
  • A Windows 11 victim endpoint with Wazuh agent 4.5.0 installed and enrolled to the Wazuh server. To install the Wazuh agent, refer to the Wazuh Windows installation guide.

Wazuh detection

We use the following techniques to detect the njRAT malware on the infected Windows endpoint:

  • Custom detection rules: we write rules on the Wazuh server that match the events njRAT generates on an infected Windows endpoint.
  • YARA integration: we scan files for malicious patterns using the YARA integration with Wazuh.

Detection rules

We use Sysmon to monitor several system events on the Windows endpoint and create rules on the Wazuh server to detect the malicious activities of njRAT malware.

Windows endpoint

Perform the following steps to configure the Wazuh agent to capture Sysmon logs and send them to the Wazuh server for analysis.

1. Download Sysmon from the Microsoft Sysinternals page.

2. Extract the compressed Sysmon file to your preferred location. 

3. Download the Sysmon configuration file sysmonconfig.xml using PowerShell. Replace <SYSMON_EXECUTABLE_PATH> with the path to your Sysmon executable.

> wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile <SYSMON_EXECUTABLE_PATH>\sysmonconfig.xml

4. Switch to the directory with the Sysmon executable. Run the command below to install and start Sysmon using PowerShell with Administrator privileges:

> .\Sysmon64.exe -accepteula -i sysmonconfig.xml

5. Add the following configuration within the <ossec_config> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file to collect and forward Sysmon events to the Wazuh server:

<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

6. Restart the Wazuh agent to apply the configuration changes:

> Restart-Service -Name wazuh

Wazuh server

In this section, we create rules to detect njRAT malware behavior on the endpoint. 

1. Add the rules below to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server:

<group name="njrat,">

  <!-- Rogue file creation in Temp folder--> 
  <rule id="100201" level="15">
    <if_sid>92213</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)[c-z]:(\\\\Users\\\\.+\\\\)</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[c-z]:\\\\Users\\\\.+\\\\AppData\\\\Local\\\\Temp\\\\.+\.exe</field>
    <description>Suspicious executable file dropped in Temp folder.</description>
    <mitre>
      <id>T1105,T1036</id>
    </mitre>
  </rule>

  <!-- New process started from Temp folder--> 
  <rule id="100202" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)\\\\AppData\\\\Local\\\\Temp\\\\.+\.exe</field>
    <field name="win.eventdata.parentImage" type="pcre2">(?i)[c-z]:(\\\\Users\\\\.+\\\\)</field>
    <field name="win.eventdata.image" type="pcre2">(?i)\\\\AppData\\\\Local\\\\Temp\\\\.+\.exe</field>
    <description>New process $(win.eventdata.image) started from the Temp folder.</description>
    <mitre>
      <id>T1105</id>
    </mitre>
  </rule>
  
  <!-- Network shell detected-->  
  <rule id="100203" level="15">
    <if_sid>92042</if_sid>
    <field name="win.eventdata.commandLine" type="pcre2">netsh firewall add allowedprogram</field>
    <field name="win.eventdata.parentImage" type="pcre2">(?i)[c-z]:\\\\Users\\\\.+\\\\AppData\\\\Local\\\\Temp\\\\.+\.exe</field>
    <description>Netsh command invoked. njRAT activity detected. $(win.eventdata.parentImage) added to allowed programs.</description>
    <mitre>
      <id>T1562.004</id>
    </mitre>
  </rule>
  
  <!-- Persistence detection -->  
  <rule id="100204" level="15" ignore="600">
    <if_sid>92300</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)[c-z]:\\\\Users\\\\.+\\\\AppData\\\\Local\\\\Temp\\\\.+\.exe</field>
    <field name="win.eventdata.eventType" type="pcre2">(?i)SetValue</field>
    <field name="win.eventdata.targetObject" type="pcre2">(?i)\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\[A-Za-z0-9]+</field>
    <description>njRAT malware detected. njRAT Run key added to HKU registry hive for persistence.</description>
    <mitre>
      <id>T1547.001</id>
    </mitre>
  </rule>

  <rule id="100205" level="15" ignore="600">
    <if_sid>92300</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)[c-z]:\\\\Users\\\\.+\\\\AppData\\\\Local\\\\Temp\\\\.+\.exe</field>
    <field name="win.eventdata.eventType" type="pcre2">(?i)SetValue</field>
    <field name="win.eventdata.targetObject" type="pcre2">(?i)\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\[A-Za-z0-9]+</field>
    <description>njRAT malware detected. njRAT Run key added to HKLM registry hive for persistence.</description>
    <mitre>
      <id>T1547.001</id>
    </mitre>
  </rule>

  <rule id="100206" level="12">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\\\AppData\\\\Local\\\\Temp\\\\.+\.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)\\\\Programs\\\\Startup\\\\.+\.exe</field>
    <description>Suspicious activity detected. $(win.eventdata.image) added an executable to Startup programs.</description>
    <mitre>
      <id>T1547.001</id>
    </mitre>
  </rule>

  <!-- Rogue file creation in root directory--> 
  <rule id="100207" level="12">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\\\AppData\\\\Local\\\\Temp\\\\.+\.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)C:\\\\[A-Za-z]+\.[A-Za-z]+</field>
    <description>$(win.eventdata.image) added a suspicious executable to the root directory.</description>
    <mitre>
      <id>T1105</id>
    </mitre>
  </rule>
  
  <!-- Suspicious network communications --> 
  <rule id="100208" level="12" ignore="600">
    <if_sid>61650</if_sid>
    <field name="win.system.eventID">^22$</field>
    <field name="win.eventdata.image" type="pcre2">(?i)\\\\AppData\\\\Local\\\\Temp\\\\.+\.exe</field>
    <description>Suspicious DNS query event. $(win.eventdata.image) queried an external domain ($(win.eventdata.queryName)).</description>
    <mitre>
      <id>T1071</id>
    </mitre>
  </rule>

  
</group>

Where:

  • Rule ID 100201 is triggered when njRAT creates a malicious system.exe file in the C:\Users\*\AppData\Local\Temp folder.
  • Rule ID 100202 is triggered when the system.exe file in the C:\Users\*\AppData\Local\Temp folder is executed from the command line.
  • Rule ID 100203 is triggered when njRAT initiates a Netsh command to add itself to the allowed program list on the victim endpoint.
  • Rule IDs 100204 and 100205 are triggered when njRAT adds itself to the Windows registry to maintain persistence.
  • Rule ID 100206 is triggered when the malware adds itself to startup programs to ensure its execution after reboot.
  • Rule ID 100207 is triggered when njRAT creates a copy of itself in the victim endpoint root directory.
  • Rule ID 100208 is triggered when the malware issues a DNS query (Sysmon event ID 22) for an external domain while attempting to establish a network connection.

2. Restart the Wazuh manager for the changes to take effect:

# systemctl restart wazuh-manager
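To see how the pcre2 field patterns of rules 100201, 100203, 100204 and 100208 behave against actual events, here is an added Python example (written for this post, not code from the Wazuh project) that applies those patterns to a few constructed Sysmon events. It models only the <field> checks and ignores the <if_sid> parent chain; the user name, file names and query name in the events are placeholders. It also shows why the rules spell one path separator as four backslashes: Wazuh matches the pattern against the JSON-escaped field value, in which every backslash is doubled, and the same pattern does not match the raw Windows path.

```python
import json
import re

# Field patterns copied verbatim from rules 100201, 100203, 100204 and 100208 above.
# Wazuh matches a pcre2 <field> pattern against the field value as it appears in the
# JSON-formatted eventchannel log, where every backslash of a Windows path is doubled,
# so one path separator is written as four backslashes in the rule.
# Only the <field> checks are modelled here; the <if_sid> parent chain is ignored.
RULES = {
    100201: {  # suspicious executable dropped in a user's Temp folder
        "win.eventdata.image": r"(?i)[c-z]:(\\\\Users\\\\.+\\\\)",
        "win.eventdata.targetFilename": r"(?i)[c-z]:\\\\Users\\\\.+\\\\AppData\\\\Local\\\\Temp\\\\.+\.exe",
    },
    100203: {  # netsh adds a Temp executable to the firewall's allowed programs
        "win.eventdata.commandLine": r"netsh firewall add allowedprogram",
        "win.eventdata.parentImage": r"(?i)[c-z]:\\\\Users\\\\.+\\\\AppData\\\\Local\\\\Temp\\\\.+\.exe",
    },
    100204: {  # Run key written by a Temp executable
        "win.eventdata.image": r"(?i)[c-z]:\\\\Users\\\\.+\\\\AppData\\\\Local\\\\Temp\\\\.+\.exe",
        "win.eventdata.eventType": r"(?i)SetValue",
        "win.eventdata.targetObject": r"(?i)\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\[A-Za-z0-9]+",
    },
    100208: {  # DNS query (Sysmon event 22) from a Temp executable
        "win.system.eventID": r"^22$",
        "win.eventdata.image": r"(?i)\\\\AppData\\\\Local\\\\Temp\\\\.+\.exe",
    },
}


def escaped(value):
    """Return a field value the way it appears inside the JSON event (backslashes doubled)."""
    return json.dumps(value)[1:-1]


def matching_rules(event):
    """Return the sorted IDs of every rule whose <field> patterns all match the event."""
    hits = []
    for rule_id, fields in RULES.items():
        if all(
            name in event and re.search(pattern, escaped(event[name])) is not None
            for name, pattern in fields.items()
        ):
            hits.append(rule_id)
    return sorted(hits)


def escaping_matters():
    """Show the doubled-backslash requirement: the Temp pattern does not match a raw
    Windows path, only its JSON-escaped form. Returns (raw_matches, escaped_matches)."""
    pattern = RULES[100208]["win.eventdata.image"]
    raw = r"C:\Users\admin\AppData\Local\Temp\system.exe"
    return (re.search(pattern, raw) is not None, re.search(pattern, escaped(raw)) is not None)


# Constructed events modelled on the njRAT behaviour described above; the user name,
# the sample file name and the query name are placeholders, not values from a real host.
SAMPLE_EVENTS = {
    "file_create_temp": {  # Sysmon event 11: the downloaded sample drops system.exe
        "win.system.eventID": "11",
        "win.eventdata.image": r"C:\Users\admin\Downloads\sample.exe",
        "win.eventdata.targetFilename": r"C:\Users\admin\AppData\Local\Temp\system.exe",
    },
    "netsh_allow": {  # Sysmon event 1: the firewall exception shown earlier in the post
        "win.system.eventID": "1",
        "win.eventdata.image": r"C:\Windows\SysWOW64\netsh.exe",
        "win.eventdata.parentImage": r"C:\Users\admin\AppData\Local\Temp\system.exe",
        "win.eventdata.commandLine": r'netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\system.exe" "system.exe" ENABLE',
    },
    "run_key": {  # Sysmon event 13: HKU Run key for persistence
        "win.system.eventID": "13",
        "win.eventdata.image": r"C:\Users\admin\AppData\Local\Temp\system.exe",
        "win.eventdata.eventType": "SetValue",
        "win.eventdata.targetObject": r"HKU\S-1-5-21-1605714558-552561641-297346831-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\84936d0927c52cbf1a9c1029911fc028",
    },
    "dns_query": {  # Sysmon event 22: lookup issued by the Temp copy (placeholder domain)
        "win.system.eventID": "22",
        "win.eventdata.image": r"C:\Users\admin\AppData\Local\Temp\system.exe",
        "win.eventdata.queryName": "c2.example.invalid",
    },
    "benign_dns": {  # Sysmon event 22 from an installed program: no rule should fire
        "win.system.eventID": "22",
        "win.eventdata.image": r"C:\Program Files\Example Browser\browser.exe",
        "win.eventdata.queryName": "www.example.com",
    },
}

if __name__ == "__main__":
    for name, event in SAMPLE_EVENTS.items():
        print(f"{name:18s} -> {matching_rules(event)}")
    print("raw/escaped match:", escaping_matters())
```

Run it directly to print which rule each event triggers. When testing a new rule offline, build the candidate value with the same json.dumps() step; a pattern that is checked against the raw path can look correct yet never fire on the server.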

Detection results

Below is the screenshot of the alerts generated on the Wazuh dashboard when njRAT is executed on the victim endpoint. Navigate to the Security events tab to view the generated alerts.


YARA integration

YARA is a versatile open source, multi-platform tool that identifies and classifies malware samples based on their textual or binary patterns. In this blog post, we use the Wazuh active response module to automatically execute a YARA scan on files added or modified in the Downloads folder.

Windows endpoint

Download and install the following packages on the victim endpoint. These are required to download and install YARA.

1. Python 3.8.7 or later (with pip installed). Check the following boxes in the Python installation dialog:

  • Install launcher for all users.
  • Add Python.exe to PATH. This places the interpreter in the execution path.

2. Microsoft Visual C++ 2015 Redistributable.

After installing the above packages, follow the steps below to download the YARA executable:

1. Launch PowerShell with administrator privileges and download YARA:

> Invoke-WebRequest -Uri https://github.com/VirusTotal/yara/releases/download/v4.3.2/yara-4.3.2-2150-win64.zip -OutFile v4.3.2-2150-win64.zip

2. Extract the YARA executable:

> Expand-Archive v4.3.2-2150-win64.zip

3. Create a folder called C:\Program Files (x86)\ossec-agent\active-response\bin\yara\ and copy the YARA binary into it:

> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'
> cp .\v4.3.2-2150-win64\yara64.exe 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'

Follow the steps below to download YARA rules:

1. Using the same PowerShell terminal launched earlier, install valhallaAPI using the pip utility. The valhallaAPI is used to retrieve the public signature-base YARA ruleset:

> pip install valhallaAPI

2. Create the file download_yara_rules.py, and copy the following script into it:

from valhallaAPI.valhalla import ValhallaAPI
v = ValhallaAPI(api_key="1111111111111111111111111111111111111111111111111111111111111111")
response = v.get_rules_text()
with open('yara_rules.yar', 'w') as fh:
    fh.write(response)

3. Download YARA rules and copy them to the C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\ folder:

> python download_yara_rules.py 
> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'
> cp yara_rules.yar 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'

4. Edit the C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar file and add the following njRAT YARA rule:

rule njRAT {

    meta:
        author                      = "Adedamola Okelola"
        date                        = "2023-08-10"
        description                 = "njRAT executable detection"
        threat_name                 = "Windows.Trojan.njRAT"
        tlp                         = "TLP:WHITE"
        operating_system            = "windows"
        version                     = "v1.0"

    strings:
        $a1  = { 24 65 66 65 39 65 61 64 63 2D 64 34 61 65 2D 34 62 39 65 2D 62 38 61 62 2D 37 65 34 37 66 38 64 62 36 61 63 39 }
        $a2  = "get_Registry" ascii fullword
        $a3  = "SEE_MASK_NOZONECHECKS" wide fullword
        $a4  = "Execute ERROR" wide fullword
        $a5  = "Download ERROR" wide fullword
        $a6  = "[k1]" wide fullword
        $a7  = "cmd.exe /c ping 0 -n 2 & del \"" wide fullword
        $a8  = "netsh firewall add allowedprogram \"" wide fullword
        $a9  = "[+] System : " wide fullword
        $a10 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide

    condition:
        5 of them
}

5. Edit the C:\Program Files (x86)\ossec-agent\ossec.conf file and add the following configuration within the <syscheck> block to monitor the Downloads folders of all users in real time:

<directories realtime="yes">C:\Users\*\Downloads</directories>

Note: In this blog post, the Downloads folders of all users are monitored. However, you can configure other folders you wish to monitor.

6. Create a batch file yara.bat in the C:\Program Files (x86)\ossec-agent\active-response\bin\ folder. The active response module uses this file to perform YARA scans for malware detection and removal:

:: This script deletes njRAT as well as other malicious files matched by the YARA rules

@echo off
setlocal enableDelayedExpansion
reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" | find /i "x86" > NUL && SET OS=32BIT || SET OS=64BIT
if %OS%==32BIT (
    SET log_file_path="%programfiles%\ossec-agent\active-response\active-responses.log"
)
if %OS%==64BIT (
    SET log_file_path="%programfiles(x86)%\ossec-agent\active-response\active-responses.log"
)
set input=
for /f "delims=" %%a in ('PowerShell -command "$logInput = Read-Host; Write-Output $logInput"') do (
    set input=%%a
)
set json_file_path="C:\Program Files (x86)\ossec-agent\active-response\stdin.txt"
set syscheck_file_path=
echo %input% > %json_file_path%
FOR /F "tokens=* USEBACKQ" %%F IN (`Powershell -Nop -C "(Get-Content 'C:\Program Files (x86)\ossec-agent\active-response\stdin.txt'|ConvertFrom-Json).parameters.alert.syscheck.path"`) DO (
    SET syscheck_file_path=%%F
)
set yara_exe_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\yara64.exe"
set yara_rules_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar"
echo %syscheck_file_path% >> %log_file_path%
for /f "delims=" %%a in ('powershell -command "& \"%yara_exe_path%\" \"%yara_rules_path%\" \"%syscheck_file_path%\""') do (
    echo wazuh-yara: INFO - Scan result: %%a >> %log_file_path%
    rem Delete the scanned file that matched a YARA rule.
    del /f "%syscheck_file_path%" >nul 2>&1
    if exist "%syscheck_file_path%" (
        echo wazuh-yara: INFO - Error removing threat: %%a >> %log_file_path%
    ) else (
        echo wazuh-yara: INFO - Successfully deleted: %%a >> %log_file_path%
    )
)
exit /b

7. Restart the Wazuh agent using PowerShell for the changes to take effect:

> Restart-Service -Name wazuh
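The njRAT rule added in step 4 relies on the ascii, wide and fullword string modifiers and on the "5 of them" condition. The following Python example, added here and not part of the original post or of YARA itself, evaluates that rule's strings by hand against constructed byte buffers: wide strings are searched as UTF-16LE, the hex pattern $a1 is decoded from the bytes given in the rule, and a simplified fullword check rejects matches embedded in a larger word. The sample buffers are synthetic, not real njRAT binaries.

```python
# The ten strings of the njRAT YARA rule above, as (identifier, bytes searched, fullword, wide).
# YARA searches a "wide" string as UTF-16LE and an "ascii" string as raw bytes; $a1 is the hex
# byte sequence from the rule, which decodes to a "$"-prefixed GUID-shaped identifier.
def _wide(text):
    return text.encode("utf-16-le")


STRINGS = [
    ("$a1", bytes.fromhex("24 65 66 65 39 65 61 64 63 2D 64 34 61 65 2D 34 62 39 65 2D 62 38 61 62 2D 37 65 34 37 66 38 64 62 36 61 63 39"), False, False),
    ("$a2", b"get_Registry", True, False),
    ("$a3", _wide("SEE_MASK_NOZONECHECKS"), True, True),
    ("$a4", _wide("Execute ERROR"), True, True),
    ("$a5", _wide("Download ERROR"), True, True),
    ("$a6", _wide("[k1]"), True, True),
    ("$a7", _wide('cmd.exe /c ping 0 -n 2 & del "'), True, True),
    ("$a8", _wide('netsh firewall add allowedprogram "'), True, True),
    ("$a9", _wide("[+] System : "), True, True),
    ("$a10", _wide("Software\\Microsoft\\Windows\\CurrentVersion\\Run"), False, True),
]
REQUIRED = 5  # condition: 5 of them

ALNUM = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")


def _fullword_ok(data, start, end, wide):
    """Simplified YARA fullword check: the match must not be preceded or followed by an
    alphanumeric character (a 2-byte UTF-16LE character for wide strings)."""
    width = 2 if wide else 1
    before = data[start - width:start] if start >= width else b""
    after = data[end:end + width]

    def is_alnum(ch):
        if len(ch) != width or ch[0] not in ALNUM:
            return False
        return not wide or ch[1] == 0

    return not is_alnum(before) and not is_alnum(after)


def string_found(data, needle, fullword, wide):
    """True when needle occurs in data, honouring the fullword modifier."""
    idx = data.find(needle)
    while idx != -1:
        if not fullword or _fullword_ok(data, idx, idx + len(needle), wide):
            return True
        idx = data.find(needle, idx + 1)
    return False


def matched_strings(data):
    """Identifiers of the rule strings present in data, in rule order."""
    return [ident for ident, needle, fullword, wide in STRINGS if string_found(data, needle, fullword, wide)]


def rule_matches(data):
    """Evaluate the rule condition: at least 5 of the 10 strings must be present."""
    return len(matched_strings(data)) >= REQUIRED


def build_sample(identifiers):
    """Constructed stand-in for a scanned file: a fake header followed by the chosen strings,
    each padded with NUL bytes so the fullword check sees a non-alphanumeric neighbour."""
    blob = b"MZ" + b"\x00" * 14
    for ident, needle, _, _ in STRINGS:
        if ident in identifiers:
            blob += needle + b"\x00\x00"
    return blob + b"\x00" * 8


def fullword_demo():
    """Why fullword matters: 'xget_Registry' contains the bytes of $a2 but is not a whole word.
    Returns (found_without_fullword, found_with_fullword)."""
    data = b"\x00\x00xget_Registry\x00\x00"
    return (string_found(data, b"get_Registry", False, False),
            string_found(data, b"get_Registry", True, False))


if __name__ == "__main__":
    hot = build_sample({"$a2", "$a3", "$a4", "$a5", "$a6", "$a7", "$a8"})
    cold = build_sample({"$a2", "$a3", "$a10"})  # strings ordinary .NET programs also contain
    print("7 strings present:", matched_strings(hot), "->", rule_matches(hot))
    print("3 strings present:", matched_strings(cold), "->", rule_matches(cold))
    print("fullword demo:", fullword_demo())
```

A buffer that carries only $a2, $a3 and $a10 stays below the five-string threshold, which is the point of the condition: a registry Run path or a shell-execute flag name is common in legitimate .NET software, and only the combination of several njRAT-specific strings is treated as a match.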

Wazuh server

Follow the steps below to configure rules, custom decoders, and active response on the Wazuh server.

1. Create custom rules in the /var/ossec/etc/rules/local_rules.xml file. These rules will generate alerts about files that are added or modified in the Downloads directory on the monitored endpoint:

<group name="syscheck,">
  <rule id="100029" level="7">
    <if_sid>550</if_sid>
    <field name="file" type="pcre2">(?i)C:\\Users.+Downloads</field>
    <description>File modified in the Downloads folder.</description>
  </rule>

  <rule id="100030" level="7">
    <if_sid>554</if_sid>
    <field name="file" type="pcre2">(?i)C:\\Users.+Downloads</field>
    <description>File added to the Downloads folder.</description>
  </rule>
</group>

Where:

  • Rule ID 100029 is triggered when a file is modified in the Downloads directory.
  • Rule ID 100030 is triggered when a file is added to the Downloads directory.

2. Add the following configuration to the /var/ossec/etc/ossec.conf file within the <ossec_config> block:

<command>
  <name>yara</name>
  <executable>yara.bat</executable>
  <timeout_allowed>no</timeout_allowed>
</command>
<active-response>
  <command>yara</command>
  <location>local</location>
  <rules_id>100029,100030</rules_id>
</active-response>

The Wazuh active response module executes the yara.bat script when a file is added or modified in the Downloads folder.

Where:

  • <name> specifies the name of the command being called in the active response section.
  • <executable> specifies the executable file to run.
  • <command> inside the <active-response> block names the command that the active response runs.
  • The <active-response> block calls the <command> block when rule ID 100029 or 100030 is triggered.
  • <location> specifies where the active response script is executed.

3. Add the following decoders to the /var/ossec/etc/decoders/local_decoder.xml file to decode the logs generated by the active response script:

<decoder name="yara_decoder">
    <prematch>wazuh-yara:</prematch>
</decoder>
<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Scan result: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Successfully deleted: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Error removing threat: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

4. Create custom rules in the /var/ossec/etc/rules/local_rules.xml to alert when there is a YARA active response action:

<!--  Rule for the decoder (yara_decoder) -->
<group name="yara,">
  <rule id="100031" level="0">
    <decoded_as>yara_decoder</decoded_as>
    <description>Yara grouping rule</description>
  </rule>

  <!-- YARA scan detects a positive match -->
  <rule id="100032" level="12">
    <if_sid>100031</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Scan result: </match>
    <description>File "$(yara_scanned_file)" is a positive match. Yara rule: $(yara_rule)</description>
  </rule>

  <!-- Wazuh successfully deletes malware with a positive match -->
  <rule id="100033" level="12">
    <if_sid>100031</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Successfully deleted: </match>
    <description>Successfully removed "$(yara_scanned_file)" by active response due to YARA rule $(yara_rule) positive match</description>
  </rule>

  <!-- Wazuh encounters an error when deleting malware with a positive match -->
  <rule id="100034" level="12">
    <if_sid>100031</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Error removing threat: </match>
    <description>Error removing "$(yara_scanned_file)". YARA rule: $(yara_rule)</description>
  </rule>
</group>

Where:

  • Rule ID 100031 is the base rule for detecting YARA events.
  • Rule ID 100032 is triggered when YARA scans and detects a malicious file.
  • Rule ID 100033 is triggered when the detected file has been successfully removed by Wazuh active response.
  • Rule ID 100034 is triggered when the detected file is not removed successfully by Wazuh active response.

5. Restart the Wazuh manager for the changes to take effect:

$ sudo systemctl restart wazuh-manager
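To check what the decoders from step 3 and the rules from step 4 produce, here is an added Python example (not part of the page or of Wazuh) that runs the three decoder regexes over constructed active-responses.log lines in the format yara.bat writes, with Python's re standing in for Wazuh's own regex engine, which agrees with it on these patterns. It also surfaces a caveat of the (\S+) captures: a scanned file whose name contains a space is truncated at that space, so the alert reports the wrong path. A hardened pattern that captures the rest of the line, an assumption of this example rather than the page's decoder, shows the fix; the Wazuh equivalent has to be written in Wazuh's regex syntax, which differs from PCRE.

```python
import re

# Decoder patterns copied from the local_decoder.xml above. Wazuh evaluates <regex> with its own
# engine rather than PCRE, but for these patterns Python's re yields the same three captures.
DECODERS = [
    ("scan_result", r"wazuh-yara: (\S+) - Scan result: (\S+) (\S+)"),
    ("deleted", r"wazuh-yara: (\S+) - Successfully deleted: (\S+) (\S+)"),
    ("delete_error", r"wazuh-yara: (\S+) - Error removing threat: (\S+) (\S+)"),
]
FIELDS = ("log_type", "yara_rule", "yara_scanned_file")  # the <order> of each decoder
PREMATCH = "wazuh-yara:"                                   # <prematch> of the parent decoder

# Rule that fires on each child decoder (100032..100034 above); 100031 is the level-0 base rule.
RULE_FOR = {"scan_result": 100032, "deleted": 100033, "delete_error": 100034}
BASE_RULE = 100031


def decode(line):
    """Return (rule_id, fields) for one active-responses.log line, or None when the parent
    decoder's prematch fails and the line is not treated as a wazuh-yara event at all."""
    if PREMATCH not in line:
        return None
    for name, pattern in DECODERS:
        match = re.search(pattern, line)
        if match:
            return RULE_FOR[name], dict(zip(FIELDS, match.groups()))
    return BASE_RULE, {}


# Hardened variant (an assumption of this example, not the page's decoder): capture the rest of
# the line as the path so file names containing spaces are no longer cut at the first space.
ROBUST_SCAN_RESULT = r"wazuh-yara: (\S+) - Scan result: (\S+) (.+?)\s*$"


def decode_scan_result_robust(line):
    """Decode a 'Scan result' line with the hardened pattern; None when it does not apply."""
    match = re.search(ROBUST_SCAN_RESULT, line)
    return dict(zip(FIELDS, match.groups())) if match else None


# Constructed log lines in the format yara.bat writes (user and file names are placeholders;
# the trailing space reproduces what "echo ... >> file" leaves at the end of each line).
SAMPLE_LOG = [
    r"C:\Users\admin\Downloads\sample.exe ",  # bare path echoed before the scan, no prematch
    r"wazuh-yara: INFO - Scan result: njRAT C:\Users\admin\Downloads\sample.exe ",
    r"wazuh-yara: INFO - Successfully deleted: njRAT C:\Users\admin\Downloads\sample.exe ",
    r"wazuh-yara: INFO - Scan result: njRAT C:\Users\admin\Downloads\my file.exe ",
]


def process_log(lines):
    """Decode every line; entries are None, or (rule_id, fields)."""
    return [decode(line) for line in lines]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LOG, process_log(SAMPLE_LOG)):
        print(result, "<-", line.rstrip())
    print("robust:", decode_scan_result_robust(SAMPLE_LOG[3]))
```

The third sample line shows the truncation: the page's decoder stores "C:\Users\admin\Downloads\my" as the scanned file, while the hardened pattern keeps the full path. Since rule 100032 interpolates $(yara_scanned_file) into the alert, an analyst responding to that alert would otherwise look for a file that does not exist.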

Detection results

The Wazuh dashboard generates alerts when njRAT is downloaded to the Downloads folder of the victim endpoint. Navigate to the Security events tab to view the generated alerts.

Conclusion

njRAT is a rampant remote access trojan that gives attackers control over an infected endpoint. In this blog post, we used the Sysmon integration with Wazuh to detect the behavior of njRAT. We also used the YARA integration with Wazuh to detect and remove njRAT once it was downloaded to the monitored endpoint.

Wazuh is a free and open source enterprise-ready security solution for threat detection, incident response, and compliance. You can integrate Wazuh with third-party solutions and technologies. Wazuh also has an ever-growing community where users are supported. To learn more about Wazuh, please check out our documentation and blog posts.
