njRAT is a rising star among trojan viruses. It acts as a remote-access trojan (RAT), allowing cybercriminals to take control of your PC without your permission. Besides remote control, njRAT also lets the intruders steal some of your data and log your keystrokes.

This remote-access trojan was first detected in January 2013. Since then, njRAT activity has gone through many dips and surges, but nowadays it keeps reaching new highs, serving as a multi-purpose malware that can be used on its own as well as together with ransomware, trojan-miners or other viruses.

Figure: Malware activity statistics in 2020, by uploads. Data by ANY.RUN [1]

How can njRAT be injected into my system?

The methods of njRAT distribution are similar to the methods used by other trojan viruses.

To get into your computer, the remote-access trojan uses .NET Framework vulnerabilities. This framework is used by developers who work in C#, Visual Basic and some other programming languages that require .NET to be present in order to run. Programs created in these languages likewise require the framework to be installed.

The ways of distributing the initial njRAT executable files are very close to the ones used by other trojan viruses, with some differences of its own. Besides "classic" email spam, njRAT may also be distributed via spam on Discord. An increased number of remote-access trojan injections, compared to other currently active trojans, is related to keygens or software for cracking other programs. The share of malvertising has stayed low (about 10% of total cases), likely because people stopped believing in ads like "UPDATE YOUR FLASH PLAYER (Chrome, Internet Explorer, Opera, etc.) NOW".

njRAT impact on the infected system

Your system is in danger due to the very high amount of malevolent changes done by the remote-access trojan

It is hard to describe the changes made by any remote-access trojan, because they are enormously complex and touch a wide range of system elements. njRAT changes several registry entries, which allows it to launch together with the system and also increases its remote administration capabilities. Besides the registry modifications, njRAT creates several copies of itself in different directories: %TEMP%, %APPDATA%, %USERPROFILE%, %ALLUSERSPROFILE% and/or %windir%. The peculiarity is in the naming: every such file is named differently from the trojan's other files. The trojan can additionally add itself to the RegSvcs.exe and RegAsm.exe processes, getting even more control of your registry. The harm that malicious interference with your registry can cause is enormous.
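The copy-and-rename behaviour described above can be checked without a signature. This added example (not from the original article or from GridinSoft) hashes executables at the top level of the listed directories and reports identical files stored under different names, then marks autorun entries that launch one of them; the function names and the caller-supplied list of (name, command) autorun entries are assumptions.

```python
import hashlib
import os
from collections import defaultdict

# Drop locations named in the article (expanded from the environment on Windows).
DROP_DIRS = ["%TEMP%", "%APPDATA%", "%USERPROFILE%", "%ALLUSERSPROFILE%", "%windir%"]


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_renamed_copies(roots=DROP_DIRS, extensions=(".exe",)):
    """Return {sha256: [paths]} for executables whose identical content sits
    in two or more of the roots under different file names."""
    by_hash = defaultdict(list)
    for root in roots:
        try:
            # Top level only: keeps the scan fast; a deeper walk is a policy choice.
            entries = list(os.scandir(os.path.expandvars(root)))
        except OSError:
            continue  # directory missing or unreadable
        for entry in entries:
            if entry.is_file() and entry.name.lower().endswith(extensions):
                try:
                    by_hash[sha256_of(entry.path)].append(entry.path)
                except OSError:
                    continue  # file locked or removed mid-scan
    hits = {}
    for digest, paths in by_hash.items():
        names = {os.path.basename(p).lower() for p in paths}
        folders = {os.path.dirname(p) for p in paths}
        if len(names) >= 2 and len(folders) >= 2:
            hits[digest] = sorted(paths)
    return hits


def autoruns_hitting_copies(autoruns, hits):
    """Names of autorun entries (name, command) that launch one of the copies."""
    copies = [p.lower() for paths in hits.values() for p in paths]
    return [name for name, command in autoruns
            if any(path in command.lower() for path in copies)]
```

A hit is a triage lead rather than a verdict: legitimate updaters also keep copies in profile directories, so review the flagged paths before acting on them.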

Anti-malware software is able to detect the RAT and prevent it from launching; however, security tools are usually powerless against the newest variants of this malware. Its developers obfuscate random parts of the program code, so detecting the virus becomes impossible until the signature for the new version is added to the database.

The danger of remote-access trojans

All personal data you have on your PC, as well as credentials for your online banking accounts and cryptocurrency wallets may easily be stolen.

As mentioned, njRAT is built as a complex virus that combines the functions of spyware, a backdoor and a keylogger. It is able to steal your credentials and confidential information, banking application data and crypto wallets (the latter has become especially relevant lately). The keylogger functions also target your credentials, but here even logins and passwords that are not kept in any keychain are under attack, because this ability allows the virus to capture your keystrokes.

Because of the deep access to the registry that njRAT usually obtains after infiltration, the defensive mechanisms of your system may be weakened to make the injection of other harmful viruses, such as coin-miners or ransomware, possible. Such interference with system elements can sometimes be fixed only by reinstalling Windows, which may lead to file loss.

References

  1. ANY.RUN annual report