njRAT, also known as Bladabindi, is a remote access trojan (RAT) designed to allow an attacker  remotely control an infected Windows endpoints. The malware gained significant attention in 2020 after being distributed through a cracked version of VMWare software. As of August 2023, ANY.RUN reports that njRAT’s recent outbreak has established its position as one of the top three RATs of choice for cybercriminals. The malware is built on the .NET framework and allows attackers to activate computer webcams, log keystrokes, steal passwords, and manipulate files and the system registry. 

njRAT employs various techniques to evade detection. These techniques include the use of multiple .NET obfuscators to conceal its code, disguising itself as a critical process, and deactivating processes associated with antivirus software.

In this blog post, we utilize Wazuh to detect malicious activities associated with the njRAT malware on an infected Windows endpoint.

Analyzed IOC

The file hashes of the analyzed sample of njRAT malware are listed below:

MD5a99198757eb9c7f3d031a1224cbc9255
SHA1f08373c82fb240e8ffc00d60f759f8731809c970
SHA25679870d97f8b51763d001c7935c895589c6f29573b45a0c98da4c430c7f676937

njRAT malware behavior

njRAT exhibits several behaviors when executed on a Windows endpoint. Some of these behaviors include the following:

  • njRAT creates a copy of itself in the C:\Users\*\AppData\Local\Temp folder and Windows root directory C:\.
  • The malware runs a network shell (netsh) command that alters the local firewall settings on the victim’s endpoint and adds itself to the list of allowed programs.
netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\system.exe" "system.exe" ENABLE
  • njRAT maintains persistence by creating two registry keys in the Windows registry. The Run keys are created in the HKU and HKLM hives.
HKU\S-1-5-21-1605714558-552561641-297346831-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\84936d0927c52cbf1a9c1029911fc028

HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\84936d0927c52cbf1a9c1029911fc028

It also adds itself to Windows startup programs on the victim endpoint. This ensures that the malware survives system reboot.

C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84936d0927c52cbf1a9c1029911fc028.exe
  • The malware initiates an external network communication with a command and control infrastructure.

Infrastructure

To demonstrate the detection of njRAT with Wazuh, we use the following infrastructure.

  • A pre-built, ready-to-use Wazuh OVA 4.5.0. Follow this guide to download the virtual machine (VM). This VM hosts the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard).
  • A Windows 11 victim endpoint with Wazuh agent 4.5.0 installed and enrolled to the Wazuh server. To install the Wazuh agent, refer to the Wazuh Windows installation guide.

Wazuh detection

We use the following techniques to detect the njRAT malware on the infected Windows endpoint:

  • Using custom detection rules: We use custom rules to detect njRAT activities on an infected Windows endpoint.
  • Scanning files for malicious patterns using the Yara integration with Wazuh.

Detection rules

We use Sysmon to monitor several system events on the Windows endpoint and create rules on the Wazuh server to detect the malicious activities of njRAT malware.

Windows endpoint

Perform the following steps to configure the Wazuh agent to capture Sysmon logs and send them to the Wazuh server for analysis.

1. Download Sysmon from the Microsoft Sysinternals page.

2. Extract the compressed Sysmon file to your preferred location. 

3. Download the Sysmon configuration file – sysmonconfig.xml using Powershell. Replace <SYSMON_EXECUTABLE_PATH> with the path to your Sysmon executable.

> wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile <SYSMON_EXECUTABLE_PATH>\sysmonconfig.xml

4. Switch to the directory with the Sysmon executable. Run the command below to install and start Sysmon using PowerShell with Administrator privileges:

> .\Sysmon64.exe -accepteula -i sysmonconfig.xml

5. Add the following configuration within the <ossec_config> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file to collect and forward Sysmon events to the Wazuh server:

<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

6. Restart the Wazuh agent to apply the configuration changes:

> Restart-Service -Name wazuh

Wazuh server

In this section, we create rules to detect njRAT malware behavior on the endpoint. 

1. Add the rules below to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server:

<group name="njrat,">

  <!-- Rogue file creation in Temp folder--> 
  <rule id="100201" level="15">
    <if_sid>92213</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)[c-z]:(\\Users\\.+\\)</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[c-z]:\\Users\\.+\\AppData\\Local\\Temp\\.+\.exe</field>
    <description>Suspicious executable file dropped in Temp folder.</description>
    <mitre>
      <id>T1105,T1036</id>
    </mitre>
  </rule>

  <!-- New process started from Temp folder--> 
  <rule id="100202" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)\\AppData\\Local\\Temp\\.+\.exe</field>
    <field name="win.eventdata.parentImage" type="pcre2">(?i)[c-z]:(\\Users\\.+\\)</field>
    <field name="win.eventdata.image" type="pcre2">(?i)\\AppData\\Local\\Temp\\.+\.exe</field>
    <description>New process $(win.eventdata.image) started from the Temp folder.</description>
    <mitre>
      <id>T1105</id>
    </mitre>
  </rule>
  
  <!-- Network shell detected-->  
  <rule id="100203" level="15">
    <if_sid>92042</if_sid>
    <field name="win.eventdata.commandLine" type="pcre2">netsh firewall add allowedprogram</field>
    <field name="win.eventdata.parentImage" type="pcre2">(?i)[c-z]:\\Users\\.+\\AppData\\Local\\Temp\\.+\.exe</field>
    <description>Netsh command invoked. njRAT activity detected. $(win.eventdata.parentImage) added to allowed programs.</description>
    <mitre>
      <id>T1562.004</id>
    </mitre>
  </rule>
  
  <!-- Persistence detection -->  
  <rule id="100204" level="15" ignore="600">
    <if_sid>92300</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)[c-z]:\\Users\\.+\\AppData\\Local\\Temp\\.+\.exe</field>
    <field name="win.eventdata.eventType" type="pcre2">(?i)SetValue</field>
    <field name="win.eventdata.targetObject" type="pcre2">(?i)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\[A-Za-z0-9]+</field>
    <description>njRAT malware detected. njRAT Run key added to HKU registry hive for persistence.</description>
    <mitre>
      <id>T1547.001</id>
    </mitre>
  </rule>

  <rule id="100205" level="15" ignore="600">
    <if_sid>92300</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)[c-z]:\\Users\\.+\\AppData\\Local\\Temp\\.+\.exe</field>
    <field name="win.eventdata.eventType" type="pcre2">(?i)SetValue</field>
    <field name="win.eventdata.targetObject" type="pcre2">(?i)\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\[A-Za-z0-9]+</field>
    <description>njRAT malware detected. njRAT Run key added to HKLM registry hive for persistence.</description>
    <mitre>
      <id>T1547.001</id>
    </mitre>
  </rule>

  <rule id="100206" level="12">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\AppData\\Local\\Temp\\.+\.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)\\Programs\\Startup\\.+\.exe</field>
    <description>Suspicious activity detected. $(win.eventdata.image) added an executable to Startup programs.</description>
    <mitre>
      <id>T1547.001</id>
    </mitre>
  </rule>

  <!-- Rogue file creation in root directory--> 
  <rule id="100207" level="12">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\AppData\\Local\\Temp\\.+\.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)C:\\[A-Za-z]+\.[A-Za-z]+</field>
    <description>$(win.eventdata.image) added a suspicious executable to the root directory.</description>
    <mitre>
      <id>T1105</id>
    </mitre>
  </rule>
  
  <!-- Suspicious network communications --> 
  <rule id="100208" level="12" ignore="600">
    <if_sid>61650</if_sid>
    <field name="win.system.eventID">^22$</field>
    <field name="win.eventdata.image" type="pcre2">(?i)\\AppData\\Local\\Temp\\.+\.exe</field>
    <description>Suspicious DNS query event. $(win.eventdata.image) queried an external domain ($(win.eventdata.queryName)).</description>
    <mitre>
      <id>T1071</id>
    </mitre>
  </rule>

  
  </group>

Where:

  • Rule ID 100201 is triggered when njRAT creates a malicious system.exe file in the C:\Users\*\AppData\Local\Temp folder.
  • Rule ID 100202 is triggered when the system.exe in the C:\Users\*\AppData\Local\Temp folder file is executed from the command line.
  • Rule ID 100203 is triggered when njRAT initiates a Netsh command to add itself to the allowed program list on the victim endpoint.
  • Rule IDs 100204 and 100205 are triggered when njRAT adds itself to the Windows registry to maintain persistence.
  • Rule ID 100206 is triggered when the malware adds itself to startup programs to ensure its execution after reboot.
  • Rule ID 100207 is triggered when njRAT creates a copy of itself in the victim endpoint root directory.
  • Rule ID 100208 is triggered when the malware attempts to establish a network connection.

2. Restart the Wazuh manager for the changes to take effect:

# systemctl restart wazuh-manager

Detection results

Below is the screenshot of the alerts generated on the Wazuh dashboard when njRAT is executed on the victim endpoint. Navigate to the Security events tab to view the generated alerts.

njRAT

YARA integration

YARA is a versatile open source and multi-platform tool that identifies and classifies malware samples based on their textual or binary patterns. In this blog post, we use the Wazuh active response module to automatically execute a YARA scan on files added or modified in the Downloads folder.

Windows endpoint

Download and install the following packages on the victim endpoint. These are required to download and install YARA.

1. Python v 3.8.7 or later (with pip pre-installed). Check the following boxes on the Python installation dialog box:

  • Install launcher for all users.
  • Add Python.exe to PATH. This places the interpreter in the execution path.

2. Microsoft Visual C++ 2015 Redistributable.

After installing the above packages, follow the steps below to download the YARA executable:

1. Launch PowerShell with administrator privileges and download YARA:

> Invoke-WebRequest -Uri https://github.com/VirusTotal/yara/releases/download/v4.3.2/yara-4.3.2-2150-win64.zip -OutFile v4.3.2-2150-win64.zip

2. Extract the YARA executable:

> Expand-Archive v4.3.2-2150-win64.zip

3. Create a folder called C:\Program Files (x86)\ossec-agent\active-response\bin\yara\ and copy the YARA binary into it:

> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'
> cp .\v4.3.2-2150-win64\yara64.exe 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'

Follow the steps below to download YARA rules:

1. Using the same PowerShell terminal launched earlier, install valhallaAPI using the pip utility. The valhallaAPI is used to retrieve the public signature-base YARA ruleset:

> pip install valhallaAPI

2. Create the file download_yara_rules.py, and copy the following script into it:

from valhallaAPI.valhalla import ValhallaAPI
v = ValhallaAPI(api_key="1111111111111111111111111111111111111111111111111111111111111111")
response = v.get_rules_text()
with open('yara_rules.yar', 'w') as fh:
    fh.write(response)

3. Download YARA rules and copy them to the C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\ folder:

> python download_yara_rules.py 
> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'
> cp yara_rules.yar 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'

4. Edit the C:\Program Files e(x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar file and add the following njRAT YARA rules:

rule njRAT {

    meta:
        author                      = "Adedamola Okelola"
        date                        = "2023-08-10"
        description                 = "njRAT executable detection"
        threat_name                 = "Windows.Trojan.njRAT"
        tlp                         = "TLP:WHITE"
        operating_system            = "windows"
        version                     = "v1.0"

    strings:
        $a1  = { 24 65 66 65 39 65 61 64 63 2D 64 34 61 65 2D 34 62 39 65 2D 62 38 61 62 2D 37 65 34 37 66 38 64 62 36 61 63 39 }
        $a2  = "get_Registry" ascii fullword
        $a3  = "SEE_MASK_NOZONECHECKS" wide fullword
        $a4  = "Execute ERROR" wide fullword
        $a5  = "Download ERROR" wide fullword
        $a6  = "[k1]" wide fullword
        $a7  = "cmd.exe /c ping 0 -n 2 & del \"" wide fullword
        $a8  = "netsh firewall add allowedprogram \"" wide fullword
        $a9  = "[+] System : " wide fullword
        $a10 = "Software\Microsoft\Windows\CurrentVersion\Run" wide

    condition:
        5 of them
}

5. Edit the C:\Program Files (x86)\ossec-agent\ossec.conf file and add the below configuration within the <syscheck> block to monitor the Downloads folders of all users in real-time:

<directories realtime="yes">C:\Users\*\Downloads</directories>

Note: In this blog post, the Downloads folders of all users are monitored. However, you can configure other folders you wish to monitor.

6. Create a batch file yara.bat in the C:\Program Files (x86)\ossec-agent\active-response\bin\ folder. The active response module uses this file to perform YARA scans for malware detection and removal:

:: This script deletes njRAT as well as other malicious files matched by the YARA Rules
 
@echo off
setlocal enableDelayedExpansion
reg Query "HKLM\Hardware\Description\System\CentralProcessor
> Restart-Service -Name wazuh
" | find /i "x86" > NUL && SET OS=32BIT || SET OS=64BIT if %OS%==32BIT ( SET log_file_path="%programfiles%\ossec-agent\active-response\active-responses.log" ) if %OS%==64BIT ( SET log_file_path="%programfiles(x86)%\ossec-agent\active-response\active-responses.log" ) set input= for /f "delims=" %%a in ('PowerShell -command "$logInput = Read-Host; Write-Output $logInput"') do ( set input=%%a ) set json_file_path="C:\Program Files (x86)\ossec-agent\active-response\stdin.txt" set syscheck_file_path= echo %input% > %json_file_path% FOR /F "tokens=* USEBACKQ" %%F IN (`Powershell -Nop -C "(Get-Content 'C:\Program Files (x86)\ossec-agent\active-response\stdin.txt'|ConvertFrom-Json).parameters.alert.syscheck.path"`) DO ( SET syscheck_file_path=%%F ) set yara_exe_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\yara64.exe" set yara_rules_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar" echo %syscheck_file_path% >> %log_file_path% for /f "delims=" %%a in ('powershell -command "& \"%yara_exe_path%\" \"%yara_rules_path%\" \"%syscheck_file_path%\""') do ( echo wazuh-yara: INFO - Scan result: %%a >> %log_file_path% :: Deleting the scanned file. del /f "%syscheck_file_path%" >nul 2>&1 if exist "%syscheck_file_path%" ( echo wazuh-yara: INFO - Error removing threat: %%a >> %log_file_path% ) else ( echo wazuh-yara: INFO - Successfully deleted: %%a >> %log_file_path% ) ) exit /b

7. Restart the Wazuh agent using PowerShell for the changes to take effect:

<group name= "syscheck,">
  <rule id="100029" level="7">
    <if_sid>550</if_sid>
    <field name="file" type="pcre2">(?i)C:\Users.+Downloads</field>
    <description>File modified in the Downloads folder.</description>
  </rule>

  <rule id="100030" level="7">
    <if_sid>554</if_sid>
    <field name="file" type="pcre2">(?i)C:\Users.+Downloads</field>
    <description>File added to the Downloads folder.</description>
  </rule>
</group>

Wazuh server

Follow the steps below to configure rules, custom decoders, and active response on the Wazuh server.

1. Create custom rules in the /var/ossec/etc/rules/local_rules.xml file. These rules will generate alerts about files that are added or modified in the Downloads directory on the monitored endpoint:

<command>
  <name>yara</name>
  <executable>yara.bat</executable>
  <timeout_allowed>no</timeout_allowed>
</command>
<active-response>
  <command>yara</command>
  <location>local</location>
  <rules_id>100029,100030</rules_id>
</active-response>

Where:

  • Rule ID 100029 is triggered when a file is modified in the Downloads directory.
  • Rule ID 100030 is triggered when a file is added to the Downloads directory.

2. Add the following configuration to the /var/ossec/etc/ossec.conf file within the <ossec_config> block:

<decoder name="yara_decoder">
    <prematch>wazuh-yara:</prematch>
</decoder>
<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Scan result: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Successfully deleted: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Error removing threat: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

The Wazuh active response module executes the yara.bat script when a file is added or modified in the Downloads folder.

Where:

  • <name> specifies the name of the command being called in the active response section.
  • <executable> specifies the executable file to run.
  • <command> specifies the command that will be used by the active response.
  • The <active response> block calls the <command> block when the rule ID 100029 or 100030 is triggered.
  • <location> specifies where the active response script is executed.

3. Add the following decoders to the /var/ossec/etc/decoders/local_decoder.xml file to decode the logs generated by the active response script:

<!--  Rule for the decoder (yara_decoder) -->
<group name="yara,">
  <rule id="100031" level="0">
    <decoded_as>yara_decoder</decoded_as>
    <description>Yara grouping rule</description>
  </rule>

<!--  YARA scan detects a positive match -->
  <rule id="100032" level="12">
    <if_sid>100031</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Scan result: </match>
    <description>File "$(yara_scanned_file)" is a positive match. Yara rule: $(yara_rule)</description>
  </rule>

<!--  Wazuh successfully deletes malware with a positive match -->
  <rule id="100033" level="12">
    <if_sid>100031</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Successfully deleted: </match>
    <description>Successfully removed "$(yara_scanned_file)" by active response due to YARA rule $(yara_rule) positive match</description>
  </rule>

<!--  Wazuh encounters an error when deleting malware with a positive match -->
  <rule id="100034" level="12">
    <if_sid>100031</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Error removing threat: </match>
    <description>Error removing "$(yara_scanned_file)". YARA rule: $(yara_rule)</description>
  </rule>
</group>

4. Create custom rules in the /var/ossec/etc/rules/local_rules.xml to alert when there is a YARA active response action:

$ sudo systemctl restart wazuh-manager

Where:

  • Rule ID 100031 is the base rule for detecting YARA events.
  • Rule ID 100032 is triggered when YARA scans and detects a malicious file.
  • Rule ID 100033 is triggered when the detected file has been successfully removed by Wazuh active response.
  • Rule ID 100034 is triggered when the detected file is not removed successfully by Wazuh active response.

5. Restart the Wazuh manager for the changes to take effect:

$ sudo systemctl restart wazuh-manager

Detection results

The Wazuh dashboard generates alerts when njRAT is downloaded to the Downloads folder of the victim endpoint. Navigate to the Security events tab to view the generated alerts.

Conclusion

njRAT is a rampant remote access trojan that gives attackers control over an infected endpoint. In the blog post, we used Sysmon integration with Wazuh to detect the behavior of njRAT. We also used YARA integration with Wazuh to detect and remove njRAT once it was downloaded to the monitored endpoint.

Wazuh is a free and open source enterprise-ready security solution for threat detection, incident response, and compliance. You can integrate Wazuh with third-party solutions and technologies. Wazuh also has an ever-growing community where users are supported. To learn more about Wazuh, please check out our documentation and blog posts.

References