njRAT Being Distributed through Webhards and Torrents
Posted By jcleebobgatenet

njRAT is a RAT (remote access trojan) that carries out malicious activity on commands received from the attacker. Because it offers file download, command execution, keylogging, and theft of stored user account information, it has been in steady use by attackers for a long time. Also, since builders are easy to find on the Internet, the malware is distributed in many different forms to target domestic (Korean) users. The most typical method is distributing it through torrents and webhards disguised as a normal file.

njRAT has been examined several times on the ASEC blog before. Because well-known malware such as njRAT is easily blocked by security products, attackers use a variety of means to bypass detection. In this post, the team explains the distribution method and infection flow of the recently distributed njRAT, as well as the malware confirmed to have been additionally installed by the attacker.

Starting this year, the attacker has been distributing njRAT bundled with game installers, mainly through torrents. Recently there have also been cases of distribution via webhards. We do not know whether the attacker uploaded the file directly or whether an uploader re-uploaded a file they had downloaded. The following is malware that can be downloaded from a certain webhard. The page is titled 'LostRuins-Chronos', and it includes an archive file named LostRuins.zip that contains the game files.

C&C URL of njRAT: ipipip1079.krokr:449

By including a time condition and implementing other restrictions, the attacker prevents the files from running on their own. This is a disruption technique intended to keep the malicious behavior from triggering on security devices such as sandboxes. These features are what distinguish it from the other njRAT variants introduced in previous blog posts; the attacker has been, and continues to be, adding features to evade analysis and detection.

Next, the team examines the additional malware the attacker installed on the infected PC through this njRAT. The attacker changed both the files and the C&C URLs when installing them. It is presumed that the additional njRAT copies are installed in case the original C&C URLs are blocked.

C&C URL of additional njRAT 1: discordpff.krokr:449
C&C URL of additional njRAT 2: dltlgn071105.krokr:1

There is also a record of the attacker installing and running NirSoft's WebBrowserPassView tool. As its name indicates, the program extracts and displays the account information saved in web browsers. When run with the /stext argument, it writes the extracted account information to a text file without showing a GUI, which is why the tool is frequently used by attackers; the HawkEye keylogger, for instance, also uses WebBrowserPassView with the /stext argument. The command line actually executed shows WebBrowserPassView dropped under the name nirsoft.exe, with the infected PC's browser account information written to browser.txt.
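The WebBrowserPassView abuse described above is easy to detect if the detection keys on the headless save switch and on the PE's original file name rather than on the on-disk name, since the attacker renames the binary. The following is an added example and not code from the ASEC post: it runs that logic over constructed Sysmon-style process-creation records (Image, CommandLine, OriginalFileName, ParentImage). The user name, the Temp path, the LostRuins.exe parent process and the second, metadata-stripped sample are assumptions made for illustration; only the nirsoft.exe / stext / browser.txt combination comes from the post. Besides /stext, the block also matches the tool's other documented save switches, which the post does not mention.

```python
"""Flag renamed NirSoft WebBrowserPassView runs in process-creation logs.

Added example, not code from the ASEC post. The event records below are
constructed to look like Sysmon Event ID 1 fields; user name, paths and the
LostRuins.exe parent are assumptions.
"""
import re
from typing import Dict, Iterable, List, Optional

# Headless "save" switches of NirSoft's password-recovery tools. Only /stext is
# attested in the post above; the others are the tool's documented siblings,
# included so a dump written with /scomma or /shtml is not missed.
SAVE_SWITCHES = {"/stext", "/stab", "/scomma", "/stabular", "/shtml", "/sverhtml", "/sxml"}

# PE OriginalFileName values that identify the tool regardless of on-disk name.
NIRSOFT_ORIGINAL_NAMES = {"webbrowserpassview.exe"}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line into tokens, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding for one process-creation event, or None if nothing matched."""
    image = basename(ev.get("Image", ""))
    original = ev.get("OriginalFileName", "").lower()
    tokens = split_cmdline(ev.get("CommandLine", ""))
    reasons: List[str] = []
    output_file: Optional[str] = None

    # Rule A: the PE metadata says WebBrowserPassView but the file runs under
    # another name (the sample in the post is dropped as nirsoft.exe).
    # Relies on OriginalFileName, which Sysmon records for Event ID 1.
    if original in NIRSOFT_ORIGINAL_NAMES and image != original:
        reasons.append(f"renamed NirSoft tool: {image} (OriginalFileName={original})")

    # Rule B: a headless save switch on the command line; the following token
    # is the dump file. This fires even when OriginalFileName is missing.
    for i, tok in enumerate(tokens):
        if tok.lower() in SAVE_SWITCHES:
            output_file = tokens[i + 1] if i + 1 < len(tokens) else None
            reasons.append(f"headless credential dump via {tok.lower()}")
            break

    if not reasons:
        return None
    return {
        "image": ev.get("Image", ""),
        "parent": ev.get("ParentImage", ""),
        "output": output_file or "",
        "reasons": "; ".join(reasons),
    }


def scan(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run check_event over every record and keep the findings."""
    return [f for f in (check_event(e) for e in events) if f]


# Constructed sample events (not real telemetry). Event 1 mirrors the post's
# command line: the tool dropped as nirsoft.exe writing browser.txt.
TMP = r"C:\Users\user\AppData\Local\Temp"  # assumed drop directory
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {
        "Image": TMP + r"\nirsoft.exe",
        "OriginalFileName": "WebBrowserPassView.exe",
        "CommandLine": f'"{TMP}\\nirsoft.exe" /stext "{TMP}\\browser.txt"',
        "ParentImage": r"C:\Users\user\Downloads\LostRuins\LostRuins.exe",  # assumed parent
    },
    {   # benign
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": r"notepad.exe C:\Users\user\Desktop\notes.txt",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # unrenamed GUI run with no save switch: likely an admin, not flagged
        "Image": r"C:\Tools\WebBrowserPassView.exe",
        "OriginalFileName": "WebBrowserPassView.exe",
        "CommandLine": r"C:\Tools\WebBrowserPassView.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # renamed copy with metadata stripped: only the switch gives it away
        "Image": r"C:\ProgramData\svc.exe",
        "OriginalFileName": "",
        "CommandLine": r"svc.exe /scomma out.csv",
        "ParentImage": r"C:\ProgramData\svc.exe",
    },
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Rule B is the one that survives the renaming shown in the post, because the save switch has to appear on the command line for the tool to write its output without a GUI; Rule A adds confidence when Sysmon's OriginalFileName is available. A file-creation event for the dump (browser.txt in the post) written by the same process is a useful third signal, and the parent process, a game installer here, is what separates this from an administrator running the tool by hand.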