njRAT upgraded to push Lime Ransomware and a Bitcoin wallet stealer

Share this…

The njRAT, also famed as Bladabindi, has been upgraded to push Lime Ransomware and a Bitcoin wallet stealer. According to a Zscaler blog post, this trojan was first spotted in 2013 and has remained one of the most prevalent malware families using multiple .NET obfuscation tools that make detection difficult for antivirus solutions and that hinder analysis by information security training researchers.

The malware was developed using the Microsoft .NET framework and uses multiple .NET obfuscation tools to make detection difficult for antivirus solutions and that hinder analysis by security researchers.


The malware also uses dynamic DNS for command-and-control (C2) servers and communicates using a custom TCP protocol over a configurable port the blog said.

Deepen Desai, Zscaler’s senior director for information security training research and operations told the source of the malware is unclear, but that researchers know the payload is being served from a server in Australia that is hosting a compromised site.

Seventy percent of the users affected were in South America, while the remaining 30 percent were in North America. The new RAT variant added ransomware and Bitcoin wallet stealing features which appear to contradict each other in practice.

“This is an interesting development, especially the ransomware feature, given that RATs by nature operate in stealth,” Desai said. “Ransomware on the other hand will reveal the infection.”

The information security training professional added the, author is taking a shortcut by stealing existing wallets, but it said he wouldn’t be surprised if the author also adds support for mining Bitcoin on the compromised system in a future variants.

The njRAT variant has the capability of performing ARME and Slowloris DDoS attacks.

The information security training experts described Slowloris as an attack tool designed to allow a single machine to take down a server with minimal bandwidth, send multiple partial HTTP requests, and to keep many connections to the target web server open and hold them open as long as possible.

“The malware also has a WORM functionality to spread through USB that enumerates the files and folders on the hard drive,” analysts said in the post. “Once it detects the USB drive inserted into the system, it copies itself to the USB drive and creates a shortcut using the folder icon.”

As per recommendation of the information security training professionals, the best way to prevent infection is for a user to follow standard security best practices when handling e-mails from external sources as the malware is known to be spread via malicious email links.