njRAT, also known as Bladabindi, is a remote access tool originally written in .NET that has been observed in the wild since 2012. The source code of certain variants is publicly available and comes with a builder to create campaign-specific executables. Once built, the attacker must get the victim to execute the malware (normally achieved through malicious documents). njRAT has features such as remote desktop, keylogger, cam viewer, and remote shell, all of which are controlled via a CNC GUI.
Exploitation
Stages
- The malware is served to and executed on the victim host.
- The malware initiates CNC communication.
- CNC commands are issued to the infected hosts.
Prerequisites
The attacker must have gained access to the victim host through some other vector.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with new signatures for this exploit, which is detected via Alert Logic Threat Manager™. If a signature is matched, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
The attacker must have exploited some other entry vector to gain access to the local victim host. Ensure that all software on internet-facing hosts is up-to-date.