Malware: njRAT

Description

[njRAT](https://attack.mitre.org/software/S0385) is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.(Citation: Fidelis njRAT June 2013)

External References

• mitre-attack
• FireEye Njw0rm Aug 2013
• Fidelis njRAT June 2013
• Trend Micro njRAT 2018

Techniques Used by This Malware

• T1005 — Data from Local System
• T1010 — Application Window Discovery
• T1012 — Query Registry
• T1018 — Remote System Discovery
• T1021.001 — Remote Desktop Protocol
• T1027.004 — Compile After Delivery
• T1027.013 — Encrypted/Encoded File
• T1033 — System Owner/User Discovery
• T1041 — Exfiltration Over C2 Channel
• T1056.001 — Keylogging
• T1057 — Process Discovery
• T1059.001 — PowerShell
• T1059.003 — Windows Command Shell
• T1070.004 — File Deletion
• T1070.009 — Clear Persistence
• T1071.001 — Web Protocols
• T1082 — System Information Discovery
• T1083 — File and Directory Discovery
• T1091 — Replication Through Removable Media
• T1105 — Ingress Tool Transfer
• T1106 — Native API
• T1112 — Modify Registry
• T1113 — Screen Capture
• T1120 — Peripheral Device Discovery
• T1125 — Video Capture
• T1132.001 — Standard Encoding
• T1547.001 — Registry Run Keys / Startup Folder
• T1555.003 — Credentials from Web Browsers
• T1562.004 — Disable or Modify System Firewall
• T1568.001 — Fast Flux DNS
• T1571 — Non-Standard Port

APT Groups Using This Malware

• Aquatic Panda
• Transparent Tribe
• TA2541
• APT41
• Group5
• Gorgon Group
• LazyScripter