Press "Enter" to skip to content

How njRAT Backdoor is infecting PCs

How njRAT Backdoor is infecting PCs

The backdoor. njRat might be distributed by using different methods. The software may be packaged along with free online software’s or can be disguised to look like a simple program and distributed via email. Moreover, the software can be installed through websites using different software vulnerabilities. This kind of infections usually occurs in a way that the user does not know about them that it is causing specific issues to the computer system njRAT v0.7d Green Edition.

Breaker and guardian of traditions

While Janeleiro follows the same plan for the core deployment of its fake pop-ups, along with other malware families that ESET has. documented in the region, it differs from those malware families in several ways:

  • It is written in Visual Basic .NET: The curious case of Brazil is that it is mainly targeted by banking Trojans developed in Delphi, the programming language of choice for various threat actors who are apparently working together by sharing tools and infrastructure. Janeleiro’s preference for VB.NET is a notable departure from what appears to be the norm for the region.
  • No Binary Obfuscation: While Janeleiro uses light obfuscation by generating random names for its classes, modules, method names, parameters, and string encryption, it does not use wrappers to make detection and analysis more difficult. Other Trojans such as Grandoreiro, Mekotio, Ousaban, Vadokrist, and Guildma make heavy use of Themida and binary padding techniques.
  • No custom encryption algorithms: Janeleiro developers rely on the cryptographic functions provided by the .NET Framework as well as open source projects for string encryption/decryption, with a preference for AES and RSA algorithms. Trojans such as Casbaneiro, Grandoreiro, Amavaldo, Mispadu, and Guildma, among others, use custom encryption algorithms, including chain table obfuscation techniques.
  • Simple method of execution: The MSI installer does not implement any other components besides the main Trojan DLL or execute any other instructions besides loading and executing one of the DLL exports that is installed on the system. We have not found samples of an MSI installer that runs obfuscated scripts, unpacking support tools, or components for DLL sideloading, which is popular among other malware families in the region.
  • No defense against security software: Some of the largest banks in Brazil require their customers to install a security module before allowing access to their online banking accounts; for example, anti-fraud software from Warsaw. It often happens that LATAM banking Trojans try to find out if such software is installed on the compromised machine and inform the attackers. Some malware families like Grandoreiro and Guildma try to disable it in Windows Firewall or disable its driver.
  • Uses code from NjRAT: Janeleiro is far from being another incarnation of the well-known NjRAT, but it does use the NjRAT SocketClient and Remote Desktop capture functions, as well as various other functions. NjRAT is not commonly used, at least by LATAM Baking Trojans, perhaps due to their preference for using custom Trojans in Delphi. However, among other malware, NjRAT has been used in Operation Spalax , a campaign that specifically targets Colombia.

Be First to Comment

Leave a Reply

Your email address will not be published.