Detecting njRAT in Your Environment

Blog Post created by RSA Admin Employee on Jan 2, 2014

The "njRAT" Remote Access Trojan is a password-stealing remote control tool used mostly by threat actors in the Middle East. However, the trojan kit is widely available for download, and its ease of use has made it popular. The FirstWatch team has developed a lightweight detection for it using a very simple rule.

First, this is what the payload of njRAT looks like:

[Image: njRAT payload as seen in a captured session]

The connections always begin with "lv", and the string that follows shows that the victim host has been enumerated: its unique identifier, logged-in user, operating system and more. The next part of the exchange is a screen capture of the local desktop.

Since this traffic is usually on the default TCP destination port of 1177, and the service type shows up as UNKNOWN or Service Type 0, a very simple rule would be:

service=0 && tcp.dstport=1177

However, many of the destinations these trojans are intended to communicate with appear to have been shut down, so while the endpoint is trojanized, it is unable to connect to its parent server, resulting in SYN connection attempts only. Advanced users may want to look only for established communications that carry payload, so adding "&& payload exists" may make the detection more effective.

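To make the two tiers of the rule concrete, here is an added example (not from the original post or from RSA) that expresses them as Python predicates and runs them over constructed session records, including the SYN-only case just described. The Flow class, field names and sample payload bytes are assumptions standing in for NetWitness meta, not real captures.

```python
# Added example (not from the post): the post's NetWitness rule expressed
# as Python predicates and run over constructed flow records.
from dataclasses import dataclass
from typing import List, Optional, Tuple

NJRAT_DEFAULT_PORT = 1177  # default C2 destination port named in the post
NJRAT_PREFIX = b"lv"       # every njRAT connection payload begins with "lv"


@dataclass
class Flow:
    """Minimal stand-in for a NetWitness session (constructed, not real meta)."""
    src: str
    dst: str
    service: int              # 0 == service type UNKNOWN
    dstport: int
    payload: Optional[bytes]  # None for SYN-only attempts that carried no data


def basic_rule(f: Flow) -> bool:
    """service=0 && tcp.dstport=1177"""
    return f.service == 0 and f.dstport == NJRAT_DEFAULT_PORT


def established_rule(f: Flow) -> bool:
    """service=0 && tcp.dstport=1177 && payload exists"""
    return basic_rule(f) and bool(f.payload)


def beacon_rule(f: Flow) -> bool:
    """Established rule plus the "lv" prefix the post observed at session start."""
    return established_rule(f) and f.payload.startswith(NJRAT_PREFIX)


# Constructed sample sessions; the payload bytes are placeholders, not captures.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.0.0.5", "198.51.100.7", 0, 1177, None),                 # SYN only: C2 is down
    Flow("10.0.0.6", "198.51.100.8", 0, 1177, b"lv<enumeration>"),   # live beacon
    Flow("10.0.0.7", "203.0.113.9", 80, 1177, b"GET / HTTP/1.1"),    # HTTP identified on 1177
    Flow("10.0.0.8", "198.51.100.10", 0, 4444, b"lv<enumeration>"),  # non-default port: missed
]


def triage(flows: List[Flow]) -> Tuple[List[str], List[str], List[str]]:
    """Return source hosts matched by each tier, from noisiest to most specific."""
    basic = [f.src for f in flows if basic_rule(f)]
    established = [f.src for f in flows if established_rule(f)]
    beacon = [f.src for f in flows if beacon_rule(f)]
    return basic, established, beacon


if __name__ == "__main__":
    for tier, hits in zip(("basic", "established", "beacon"), triage(SAMPLE_FLOWS)):
        print(f"{tier:12s} -> {hits}")
```

The SYN-only host shows up in the basic tier but drops out once "payload exists" is required, which is the trade-off the paragraph above describes.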
Here is the current view of the Middle Eastern participants enjoying njRAT access from our sandbox:

[Image: sandbox view of njRAT command-and-control participants]

Feedback as always is appreciated, and Happy Hunting!