While investigating an unrelated threat I ran into a rather interesting njRat campaign.

It started with a website that was compromised and being abused as a 3rd layer C2 communication proxy. It seems those guys weren’t the only ones using it.

When visiting the website's main page I was greeted with an alert pop-up:

Analysis

Looking at the page title and message content I was expecting some kind of fake support or fake antivirus page; I was correct (for this part):

Waiting for the result of the scan I was prompted by the usual ‘you need help, click here’ messages:

When clicking one of the buttons (or the X close button, basically anything on the page) your browser was presented with a download of ‘Antivirus 2015’:

When running the ‘Antivirus 2015’ payload the user is presented with a popup:

The message (although in broken English) tells us we’re clear of any infections. If we check the startup entries via msconfig we can see something new was added, running from our %temp% directory:

We can see it’s there to stay, implementing persistence using startup keys, a (very) old trick. While you might think the popup is due to the virtual machine setup or debugger being detected, it actually isn’t. The ‘Antivirus 2015’ payload is in fact a stage 1 dropper of something more interesting; the payload in the %temp% directory is a stage 2 dropper with an embedded stage 3.

If you throw the ‘Antivirus 2015’ (stage 1) payload in a decompiler you will see it’s a small obfuscated loader written in C#. Its most important function is shown here:

The ‘main’ function of this loader does the following:

Display the popup with the message

Make sure the application (and its icon) aren’t shown in the taskbar

Decode a string of text (under Label_004D) which contains a link to a pastebin post

Download whatever is at this pastebin link

Use the content of the pastebin post as another URL and download data from it

Write the data obtained from the link inside the pastebin post to ’%temp%/notepad.exe’

Execute the ’%temp%/notepad.exe’ payload
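The drop location and the startup-key persistence are the cheapest things to check on a suspect host. The Python below is an added example and not code from the original post or from the dropper: it takes Run-key style (name, command line) entries and flags any whose executable lives under %temp%, or that borrows a Windows binary name such as notepad.exe while living outside %windir%. The entries and the environment mapping are constructed for the example; on a real host you would read them from the registry (for instance with the winreg module).

```python
import ntpath
import re

# Constructed environment mapping; on a live host read the real values instead.
ENV = {
    "temp": r"C:\Users\victim\AppData\Local\Temp",
    "windir": r"C:\Windows",
    "localappdata": r"C:\Users\victim\AppData\Local",
}

# Windows binary names a dropper may imitate (constructed list; notepad.exe is the one this campaign used).
MASQUERADE_NAMES = {"notepad.exe", "svchost.exe", "explorer.exe"}


def expand_windows_vars(path, env=ENV):
    """Expand %VAR% references case-insensitively from the given mapping; unknown vars are left alone."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def executable_from_command(command):
    """Return the program path from a Run-key command line, handling a quoted first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def suspicious_startup_entries(entries, env=ENV):
    """Return (name, normalized_exe_path, reasons) for every entry worth a closer look."""
    temp_dir = ntpath.normcase(env["temp"]).rstrip("\\") + "\\"
    windir = ntpath.normcase(env["windir"]).rstrip("\\") + "\\"
    findings = []
    for name, command in entries:
        exe = ntpath.normcase(expand_windows_vars(executable_from_command(command), env))
        reasons = []
        if exe.startswith(temp_dir):
            reasons.append("runs from %temp%")
        if ntpath.basename(exe) in MASQUERADE_NAMES and not exe.startswith(windir):
            reasons.append("Windows binary name outside %windir%")
        if reasons:
            findings.append((name, exe, reasons))
    return findings


# Constructed Run-key entries: two benign ones and one shaped like this campaign's persistence.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("notepad", r'"%temp%\notepad.exe"'),
]

if __name__ == "__main__":
    for name, exe, reasons in suspicious_startup_entries(SAMPLE_RUN_ENTRIES):
        print(f"{name}: {exe} -> {', '.join(reasons)}")
```

The check is deliberately path-based rather than name-based: the value name njRAT writes is operator-configurable, but a program that wants to survive reboots from a temp directory has to point its Run entry there.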



The content of the pastebin post is a link to a file on ge.tt which is another PE file:

This payload is stage 2 of our infection and in fact seems to be another loader. If you decompile this one you will find it’s another C# loader with similar ‘obfuscation’ techniques for the main program flow:

The thing is that instead of downloading another payload it in fact has an embedded Windows PE. The flow of this loader is:

Hide itself from the taskbar

Reverse and base64 decode an embedded text string (the expression variable under Label_003C starting with a lot of A’s)

Take this buffer and feed it to a function called ’ss’



The ’ss’ function is a classic way of executing a PE file from within C# code:
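An analyst wants the embedded stage 3 on disk for hashing and further analysis without handing it to anything like ‘ss’. The following Python is an added example, not code from the post or from the loader: it undoes the reverse-then-base64 obfuscation described for stage 2, checks whether the result carries a DOS ‘MZ’ magic with a valid ‘PE\0\0’ signature, and reports size and SHA-256. The embedded string used here is a constructed stub with just those header fields, not the real sample.

```python
import base64
import hashlib
import struct


def obfuscate(data: bytes) -> str:
    """The stage 2 scheme in the forward direction (base64, then reverse).
    Only used here to build the constructed sample string below."""
    return base64.b64encode(data).decode("ascii")[::-1]


def decode_reversed_base64(text: str) -> bytes:
    """Undo the obfuscation: reverse the string, then base64 decode it."""
    return base64.b64decode(text[::-1], validate=True)


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with 'MZ' and e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_embedded_payload(text: str) -> dict:
    """Decode the embedded string and describe what came out, without executing it."""
    data = decode_reversed_base64(text)
    return {
        "size": len(data),
        "is_pe": looks_like_pe(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_stub_pe() -> bytes:
    """Constructed 88-byte stand-in for stage 3: a DOS header whose e_lfanew
    points at a 'PE\\0\\0' signature, followed by zero padding."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)      # 0x40 bytes of DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)      # e_lfanew -> right after the header
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


# The string as it would sit in the decompiled loader (constructed, not the real one).
SAMPLE_EMBEDDED_STRING = obfuscate(build_stub_pe())

if __name__ == "__main__":
    report = triage_embedded_payload(SAMPLE_EMBEDDED_STRING)
    print(report)
    if report["is_pe"]:
        # Keep the recovered PE for static analysis or a config decoder run; never execute it.
        with open("stage3.bin", "wb") as fh:
            fh.write(decode_reversed_base64(SAMPLE_EMBEDDED_STRING))
```

Checking e_lfanew rather than only the first two bytes avoids false positives on random data that happens to begin with ‘MZ’, and the hash is what you would feed to VirusTotal or the njRat config decoder mentioned below.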

C2 origin

If we take out the 3rd layer of this attack (the embedded PE inside stage 2) we find it’s another C# application. This time it doesn’t hold anything like we’ve seen with the other loaders; it’s actually a (semi) large program with lots of functionality. Its structure and implemented functions made me think of a RAT. After running it in a sandbox with inetsim enabled to catch DNS requests and send them to a fake server I had a positive hit for njRAT. The traffic showed the classic njRAT check-in pattern:

We can even confirm it by using the config decoder made by Kevin, you can get it here: RATDecoders / njRat.py

The output from the tool tells us enough, it’s njRAT for sure:

We can triple confirm it if we grab the startup entries we saw earlier and compare them to the configuration:

From the config we can see the C2 DNS it will resolve is ’supportoffice.likescandy.com’. This currently resolves to 188.55.84.43, which is an IP located in the consumer ADSL range in Saudi Arabia:

If we follow this C2 domain we can find a related sample on VirusTotal from 2014-10-15, a bit more than 7 months ago: jpck22sj.exe. It connects to the following two C2 domains:

supportoffice.likescandy.com (188.51.198.199)

svchost.homelinux.com (188.51.198.199)

This IP is also located in a Saudi Arabia consumer ADSL IP pool:

If we follow this rabbit hole further down we find another sample submitted a week after the previous one, on 2014-10-22: By Hat_Mast3r.exe. With this sample the IPs had already been changed; ’supportoffice.likescandy.com’ was pointing to an IP in Iraq, 37.238.165.11:

While ’svchost.homelinux.com’, a secondary backup domain, again pointed to an IP in a Saudi Arabia consumer IP pool:

Conclusion

This campaign seems to be old but still running (although my infection wasn’t being manually controlled at the time). The first sample found was submitted 7 months ago.

The operation seems to originate mostly from Saudi Arabia: its C2 IP is a home IP address and njRat does not support proxying C2 communications through infected hosts, which means this was most likely the actual operator. I have no clue about the exact targets; the website I found was a Dutch website for a hobby group, not really a high-ranked target. The spreading method of a fake antivirus website was also quite confusing; normally I see these things dropping FakeAVs, as I’ve written about in the past.

Overall an unusual but interesting campaign to keep an eye on, at least I will ;)

IOCs and Samples

I’ve gathered the following DNS entries being resolved related to infections of this campaign:

supportoffice.likescandy.com

svchost.homelinux.com

The following IP addresses were seen as being used for C2 communication:

37.238.165.11

90.148.243.180

188.51.198.199

188.55.84.43
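To make these indicators usable, here is an added Python example (not from the original post) that sweeps DNS and connection log lines for the two C2 domains (including any subdomain) and the four IP addresses listed above. The log lines are constructed in a simplified “timestamp client event …” shape purely for the example; adapt the field split to whatever your resolver or proxy actually emits.

```python
import ipaddress
import re

# Indicators from this campaign, exactly as listed above.
C2_DOMAINS = {"supportoffice.likescandy.com", "svchost.homelinux.com"}
C2_IPS = {
    ipaddress.ip_address(ip)
    for ip in ("37.238.165.11", "90.148.243.180", "188.51.198.199", "188.55.84.43")
}

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\.?", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def matches_domain(host: str) -> bool:
    """True for a C2 domain or any subdomain of it; case and trailing dot are ignored."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def scan_log(text: str):
    """Return (line_number, client, indicator) for every C2 domain or IP seen in a line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        client = fields[1] if len(fields) > 1 else ""
        seen = set()
        for m in IP_RE.finditer(line):
            try:
                ip = ipaddress.ip_address(m.group(0))
            except ValueError:          # e.g. 999.1.1.1 matched the regex but is not an IP
                continue
            if ip in C2_IPS:
                seen.add(str(ip))
        for m in HOST_RE.finditer(line):
            if matches_domain(m.group(1)):
                seen.add(m.group(1).lower())
        for indicator in sorted(seen):
            hits.append((lineno, client, indicator))
    return hits


# Constructed log excerpt: one clean client and two clients touching the campaign's infrastructure.
SAMPLE_LOG = """\
2015-05-20T10:01:02Z 10.0.0.12 query A www.example.org
2015-05-20T10:01:03Z 10.0.0.12 answer www.example.org 93.184.216.34
2015-05-20T10:02:10Z 10.0.0.45 query A SupportOffice.likescandy.com
2015-05-20T10:02:10Z 10.0.0.45 answer supportoffice.likescandy.com 188.55.84.43
2015-05-20T10:03:00Z 10.0.0.45 connect 188.55.84.43
2015-05-20T10:04:00Z 10.0.0.77 query A svchost.homelinux.com.
"""

if __name__ == "__main__":
    for lineno, client, indicator in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {client} -> {indicator}")
```

Matching on the domain before the answer arrives (line 3 in the sample) matters because the operator moved the IPs between samples, as the VirusTotal history above shows; the hostnames were the stable part of this campaign.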

I’ve gathered the following samples: