Trojan:MSIL/Njrat.NB!MTB

Trojan:MSIL/Njrat.NB!MTB spreads through phishing emails often disguised as procurement documents, drive-by downloads, and USB auto-run exploits. Recent campaigns employ steganography, embedding malicious payloads within bitmap resources of decoy .NET applications to bypass initial detection. Upon launch, it establishes persistence via multiple mechanisms: registry modifications like: 

• creating entries in HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Run. 
• scheduled tasks via schtasks /create for persistence. 
• file system drops to %AppData% or %Temp% under deceptive names. 

To evade security software, njRAT uses process injection into real Windows processes like svchost.exe using VirtualAllocEx and CreateRemoteThread Windows APIs. It actively deactivates antivirus processes through the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy and alters Windows Firewall rules to insert explicit exemption to the filters to permit unrestricted traffic. Payloads are obfuscated with XOR encryption or RC4 algorithms, often hidden within resource sections of seemingly benign files. 

The core capabilities include surveillance activities such as live webcam activation, logging keystrokes to %Temp%\Log.tmp, taking screenshots, fetching browser stored passwords from different browser tabs via SQLite queries (harvesting cryptocurrency wallets), and remote control of the target device.  It hijacks the Windows hosts file to redirect update.microsoft.com URL to the loopback address (127.0.0.1), which will prevent Windows from fetching updates from Microsoft servers. 

It is capable of communicating with command and control (C2) servers over TCP port 1177 and uses Base64-encoded web requests through dynamic DNS domains and then uses fast-flux techniques to help avoid blocklisting an IP address. Harvested data is uploaded via HTTP POST requests to remote host controlled by the threat actors. It can also download modular plugins from either Pastebin or C2 servers for the trojan to receive updated instructions from its author. It can also fetch additional harmful payloads like ransomware using RSA 2048-bit encryption or real-time access script through VNC. 

Trojan:MSIL/Njrat.NB!MTB drops the following files: 

• %Temp%\sc.dll (screenshots) 
• %Temp%\kl.dll (for keylogging binary) 
• Files that pretend to be .pdf but are actual .exe files when File Explorer is set to hide filename extension. 
• %Public%\Documents\MediaPlayer.exe 
• %Temp%\Log.tmp (stores keystrokes) 
• %Temp%\~DF842C.tmp (additional binary components) 
• %AppData%\svchos.exe (misspelled to pretend as svchost.exe, the legitimate Windows system file)  

It also modifies the below processes: 

• msbuild.exe 
• conhost.exe 
• RegAsm.exe 
• MpSigStub.exe 

Modifies the following registry keys: 

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy (Adds rule: "Allow njRAT" preventing inbound/outbound blocks) 
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (Adds entry: "Windows Media Player" = "%AppData%\svchos.exe") 
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced (Sets "Hidden"=1 and "ShowSuperHidden"=1 to hide files)

Connects to the following URLs: 

• dynuddns[.]net 
• web4solution[.]net 
• http://web4solution[.]net:1177/gate[.]php 
• http://dynuddns[.]net/update?hostname=<C2_ID>