Trojan

RAT

C2

Credential Stealer

Backdoor

njRAT

njRAT (also known as Bladabindi) is a remote access trojan (RAT) that allows attackers to control infected Windows machines. First seen in 2012, it has remained popular because its rich feature set and online tutorials make it accessible to a wide range of cybercriminals.

Key Insights

njRAT has a full set of features: it can execute remote shell commands, upload and download files, capture screenshots, log keystrokes, and even access the victim's camera and microphone. This makes it a very versatile tool for espionage and data theft.

The malware spreads through phishing emails, malicious links, and compromised applications. It has been distributed through popular platforms like Discord and through cracked software versions, so it reaches a wide range of unsuspecting users.

Despite its age, njRAT is still around thanks to continuous updates and new variants. Its continued presence in the threat landscape shows how important it is to have robust security in place to detect and mitigate it.

Known Variants

Several njRAT variants have been seen over the years, including Njw0rm, which can spread through removable devices like USB drives.

Mitigation Strategies

  • Filter emails.

  • Patch everything.

  • Use antivirus software.

  • Warn users not to download and execute files from unknown sources.

Targeted Industries or Sectors

njRAT has been used against Middle East targets, including government and energy sector organizations. Since it’s widely available, it can be used against any industry worldwide.

Associated Threat Actors

The malware has been used by various threat actors, mainly from the Middle East. Specific groups include Earth Bogle, which used njRAT in campaigns that distributed malware through public cloud storage sites.
