njRAT, a remote access trojan discovered in 2012, has been found stealing data from compromised devices under the guise of TeamViewer. TeamViewer is a software application offering remote support and remote control, among other services. njRAT targeting TeamViewer users was found to capture keystrokes and take screenshots, besides stealing passwords.
njRAT targeting TeamViewer users
njRAT targeting TeamViewer users was found accessing the webcam and microphone and exfiltrating data from the compromised devices. njRAT could steal system information including the Windows operating system version, service pack, username, system architecture, and registry keys.
The harvested data was base64-encoded before exfiltration. The njRAT sample targeting TeamViewer downloaded both itself and the legitimate TeamViewer application onto the compromised device.
However, before the user could reach the legitimate TeamViewer app, njRAT would carry out the malicious activities it is programmed to perform.
A Cyble blog confirmed that njRAT, also called Bladabindi, was primarily used against organizations in Middle Eastern nations. njRAT created a dedicated thread to monitor keystrokes using the GetAsyncKeyState function.
“The thread operates continuously with a delay interval of 1 ms between each iteration, allowing for ongoing monitoring of keystrokes and storage of the captured data,” the Cyble blog post added.
Besides abusing the TeamViewer application to spread itself, njRAT uses phishing campaigns and drive-by downloads to do the same.
Researchers from the Cyble Research and Intelligence Labs (CRIL) analyzed njRAT malware samples and noted that it was a 32-bit Smart Installer. “Upon execution, the installer drops two files in the Windows folder, and the names of these files include the term ‘TeamViewer’,” the Cyble blog noted.
“One of the files dropped in the Windows folder is njRAT, while the other is a genuine TeamViewer application,” the Cyble blog further added.
The legitimate TeamViewer application would be launched alongside the malicious njRAT file, which was named “TeamViewer Starting.exe.” The installer would show a user window asking to Accept and Finish the installation of the TeamViewer application, as shown below.
Evasive njRAT targeting TeamViewer users
The njRAT targeting TeamViewer users would install itself in a way that is difficult to notice, using a filename similar to that of a legitimate Windows file.
njRAT, launched via TeamViewer, also created a mutex to prevent the same infection from running twice on the same device. The mutex found by CRIL researchers was named “01b5fcf8ce2fab8868e80b6c1f912fe” and was hardcoded into the njRAT binary.
It was found adjusting security settings and creating a firewall rule so that it could take commands from the command-and-control server. njRAT targeting TeamViewer would remain dormant while no commands were received from the hackers controlling it.
njRAT targeting TeamViewer also copied itself to the startup directory so that it runs automatically at every system boot.
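The dropper behaviour described above (TeamViewer-named executables dropped directly into the Windows folder, the “TeamViewer Starting.exe” launcher, the hardcoded mutex, and the copy in the Startup folder) can be turned into a simple host-telemetry check. The following is an added example, not Cyble's analysis code nor the malware's; the event schema and the sample events are hypothetical and constructed here for illustration.

```python
"""Hypothetical detector for the njRAT/TeamViewer dropper indicators described
above. Events are constructed dicts in a made-up telemetry schema (type, path,
name); a real deployment would map them from Sysmon/EDR records."""
import re
from pathlib import PureWindowsPath

MUTEX_NAME = "01b5fcf8ce2fab8868e80b6c1f912fe"  # hardcoded mutex reported by Cyble
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
WINDOWS_DIR = PureWindowsPath(r"C:\Windows")    # assumption: default system root

def _in_windows_root(path: str) -> bool:
    """True when the file sits directly in C:\\Windows, where the dropper writes
    (PureWindowsPath compares case-insensitively); subfolders are not matched."""
    return PureWindowsPath(path).parent == WINDOWS_DIR

def check_event(event: dict) -> list:
    """Return the indicator names matched by a single event (empty if none)."""
    hits = []
    kind = event.get("type")
    path = event.get("path", "")
    name = PureWindowsPath(path).name.lower()
    if kind == "file_create" and name.endswith(".exe"):
        # Legitimate TeamViewer installs under Program Files, not C:\Windows.
        if _in_windows_root(path) and "teamviewer" in name:
            hits.append("teamviewer-named exe dropped in Windows folder")
        if STARTUP_RE.search(path):
            hits.append("exe copied to Startup folder")
    if kind == "process_create" and name == "teamviewer starting.exe":
        hits.append("njRAT launcher process name")
    if kind == "mutex_create" and event.get("name") == MUTEX_NAME:
        hits.append("hardcoded njRAT mutex")
    return hits

def scan(events: list) -> list:
    """Return (identifier, indicators) pairs for every event that matched."""
    results = []
    for event in events:
        hits = check_event(event)
        if hits:
            results.append((event.get("path") or event.get("name"), hits))
    return results

# Constructed sample telemetry: three malicious drops, one benign install.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Windows\TeamViewer Starting.exe"},
    {"type": "file_create", "path": r"C:\Windows\TeamViewer.exe"},
    {"type": "file_create", "path": r"C:\Program Files\TeamViewer\TeamViewer.exe"},
    {"type": "process_create", "path": r"C:\Windows\TeamViewer Starting.exe"},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Roaming\Microsoft"
                                    r"\Windows\Start Menu\Programs\Startup\svchost.exe"},
    {"type": "mutex_create", "name": MUTEX_NAME},
]

if __name__ == "__main__":
    for ident, hits in scan(SAMPLE_EVENTS):
        print(ident, "->", ", ".join(hits))
```

The Startup-folder rule fires on any executable, so tune it against a baseline of known installers before alerting on it in production.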
Cyble noted steps to reduce the risk from njRAT malware: download applications from official app stores and not from third-party websites or pop-ups, and make sure automatic updates are enabled while also checking for updates manually and regularly.
Run anti-virus on every device, and do not click on links or download files from emails that are untrusted or not relevant to the recipient.