Threat Management, Malware, Security Strategy, Plan, Budget

njRAT equipped with Bitcoin wallet stealer and Lime ransomware

The njRAT, also known as Bladabindi, has been upgraded to push Lime Ransomware and a bitcoin wallet stealer.

This old time trojan was first spotted in 2013 and has remained one of the most prevalent malware families using multiple .NET obfuscation tools that make detection difficult for antivirus solutions and that hinder analysis by security researchers, according to an April 1 Zscaler blog post.

The malware was developed using the Microsoft .NET framework and uses multiple .NET obfuscation tools to make detection difficult for antivirus solutions and that hinder analysis by security researchers.

The malware also uses dynamic DNS for command-and-control (C2) servers and communicates using a custom TCP protocol over a configurable port the blog said.

Deepen Desai, Zscaler's senior director for security research and operations told SC Media the source of the malware is unclear, but that researchers know the payload is being served from a server in Australia that is hosting a compromised site.

Seventy percent of the users affected were in South America, while the remaining 30 percent were in North America. The new RAT variant added ransomware and bitcoin wallet stealing features which appear to contradict each other in practice.

“This is an interesting development, especially the ransomware feature, given that RATs by nature operate in stealth,” Desai said. “Ransomware on the other hand will reveal the infection.”

Desai added the, author is taking a shortcut by stealing existing wallets, but it said he wouldn't be surprised if the author also adds support for mining bitcoins on the compromised system in a future variants .

In addition, the njRAT variant has the capability of performing ARME and Slowloris DDoS attacks.

Researchers described Slowloris as an attack tool designed to allow a single machine to take down a server with minimal bandwidth, send multiple partial HTTP requests, and to keep many connections to the target web server open and hold them open as long as possible.

“The malware also has a WORM functionality to spread through USB that enumerates the files and folders on the hard drive,” researchers said in the post. “Once it detects the USB drive inserted into the system, it copies itself to the USB drive and creates a shortcut using the folder icon.”

The best way to prevent infection is for a user to follow standard security best practices when handling e-mails from external sources as the malware is known to be spread via malicious email links.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.