The security community has reported that the NjRAT Lime Edition Trojan has recently been updated with a new ransomware component. Because this hacking tool is popular with computer criminals, both on underground hacker markets and in their communities, attacks using it are likely to follow soon, and a large-scale campaign built on it could affect networks worldwide. This is why we are taking an in-depth look at the NjRAT Lime Edition Trojan and analyzing its capabilities.
njRAT Lime Edition Trojan Overview: Why Does It Matter
The NjRAT Lime Edition Trojan is a recently identified piece of malware. What sets it apart from many others is that even its first releases include almost all of the modules found in advanced threats. The programmers behind it have also posted the executable for free on underground sites. The latest version, 0.7.8, was released just a few days ago.
We have been able to obtain a copy of the threat from those sources. It is interesting to note that it is advertised as a malware remote hacking tool while at the same time bearing the notice “For educational use only”. The first public release tracked by the community (11/9/2017) is 0.7.6, which makes the latest update only a point release.
WARNING! We have obtained the executable files and the related documentation to prepare this article for educational purposes only. We do not condone hacking or malware operations.
NjRAT Lime Edition Trojan Delivery Methods
The NjRAT Lime Edition Trojan can be deployed in different ways depending on the operators' tactics. One common route is a payload downloader delivered through the following methods:
- Email Messages — The malware operators can use bots to generate messages from templates that trick users into downloading and running an infected file. It can be an executable, an archive or a document. In every case, once the file is downloaded and executed the NjRAT Lime Edition Trojan infection begins. With documents, malicious macros or scripts can be embedded in virtually all widely used formats: databases, presentations, rich text documents and spreadsheets.
- Downloads — Infected copies can be placed on download portals and pushed through pop-ups and web redirects.
- Browser Hijackers — Malicious browser extensions can be used to install malware such as this one. They are usually built for the most popular browsers: Mozilla Firefox, Google Chrome, Safari, Microsoft Edge, Internet Explorer and Opera.
NjRAT Lime Edition Trojan Infection Phase: How It All Begins
Once the NjRAT Lime Edition Trojan has made its way onto a host, one of its first actions is to check the system for running debugging, analysis or security tools. It looks for signatures of virtual machines (VirtualBox and VMware), sandbox environments, process analysis utilities (Process Explorer), network tools (Wireshark) and other administration software (ApateDNS), and installs itself only where it can do so stealthily. If it is unable to delete or disable what it finds, the malware may delete itself to avoid detection.
The security analysts have also found that it might not launch immediately after infection. This “sleep” function is implemented to fool anti-virus engines that assume a virus will start manipulating the system at once. The NjRAT Lime Edition Trojan has also been found to install itself persistently, which defeats manual removal attempts. It continuously monitors the user's behavior and blocks actions that could interfere with its processes.
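To make the check described above concrete, here is an added example (our own illustrative reconstruction, not code taken from the NjRAT Lime Edition sample) of how such an analysis-environment check is typically written. The indicator names are assumptions: the image names Process Explorer, Wireshark and ApateDNS run under, the guest-service processes VirtualBox and VMware install, and the two hypervisors' MAC address prefixes. The process list and MAC address are constructed so the code runs offline.

```python
"""Illustrative reconstruction of an analysis-environment check.

Added example, not the NjRAT Lime Edition source. The indicator names are
assumptions taken from common tooling, not extracted from the sample.
"""
from dataclasses import dataclass, field

# Assumed indicator set: image names of the tools the article mentions.
ANALYSIS_PROCESSES = {
    "procexp.exe", "procexp64.exe",   # Process Explorer
    "wireshark.exe", "dumpcap.exe",   # Wireshark and its capture helper
    "apatedns.exe",                   # ApateDNS
}
# Assumed guest-service processes installed by the two hypervisors.
VM_PROCESSES = {
    "vboxservice.exe", "vboxtray.exe",  # VirtualBox Guest Additions
    "vmtoolsd.exe", "vmwaretray.exe",   # VMware Tools
}
# Assumed OUI prefixes registered to VirtualBox and VMware.
VM_MAC_PREFIXES = ("08:00:27", "00:0c:29", "00:50:56", "00:05:69")


@dataclass
class HostSnapshot:
    processes: list
    mac_address: str


@dataclass
class CheckResult:
    analysis_tools: list = field(default_factory=list)
    vm_indicators: list = field(default_factory=list)

    @property
    def hostile(self) -> bool:
        return bool(self.analysis_tools or self.vm_indicators)


def check_environment(snapshot: HostSnapshot) -> CheckResult:
    """Return which analysis/VM indicators are present in the snapshot.

    Matching is case-insensitive on the image name only, which is how such
    checks are commonly written (and why renaming a tool's binary defeats them).
    """
    result = CheckResult()
    for name in snapshot.processes:
        lowered = name.lower()
        if lowered in ANALYSIS_PROCESSES:
            result.analysis_tools.append(name)
        elif lowered in VM_PROCESSES:
            result.vm_indicators.append(name)
    mac = snapshot.mac_address.lower().replace("-", ":")
    if mac.startswith(VM_MAC_PREFIXES):
        result.vm_indicators.append(f"mac:{mac}")
    return result


def decide_action(snapshot: HostSnapshot) -> str:
    """Map the check onto the behaviour the article describes: proceed on a
    clean host, otherwise bail out (the sample reportedly deletes itself when
    it cannot disable what it finds)."""
    return "self_delete" if check_environment(snapshot).hostile else "proceed"


# Constructed inputs: an analyst workstation inside a VirtualBox guest,
# and a plain host with no tooling.
ANALYST_VM = HostSnapshot(
    processes=["explorer.exe", "Wireshark.exe", "VBoxService.exe", "procexp64.exe"],
    mac_address="08-00-27-3A-1B-2C",
)
PLAIN_HOST = HostSnapshot(
    processes=["explorer.exe", "svchost.exe", "chrome.exe"],
    mac_address="3c:52:82:11:22:33",
)

if __name__ == "__main__":
    for label, snap in (("analyst VM", ANALYST_VM), ("plain host", PLAIN_HOST)):
        r = check_environment(snap)
        print(f"{label}: tools={r.analysis_tools} vm={r.vm_indicators} -> {decide_action(snap)}")
```

Because the lookup keys on the image name and the MAC prefix, an analyst can defeat this class of check by renaming the tool's binary and changing the guest's MAC address; a sandbox that does neither will never see the payload run and will report the sample as benign.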
Other actions invoked in this first stage of the malware's execution are system changes made deliberately to prepare the host for follow-up malware actions. Examples include the following:
- The Addition of a Hidden Client — The NjRAT Lime Edition Trojan creates a hidden process that cannot easily be identified by the user or the system administrator. It can spawn new processes, hook into existing applications and modify its privilege level at will.
- Malware Stopper — The Trojan can identify existing infections and take control of them, which means the hackers can manipulate their settings or even temporarily disable the other malware.
- Plugin Addition — Hackers who obtain the code can further tweak it by adding custom plugins to its modular framework.
- Obfuscation — To avoid detection, the infection engine and all associated files can copy themselves to a system location and obfuscate their names. The engine can also change its file extension and icon.
NjRAT Lime Edition Trojan Capabilities
Once the basic infection actions have completed, the NjRAT Lime Edition Trojan continues further. The engine sets up a network client that lets the hackers remotely control the infected hosts. Our analysis shows that this even includes power options such as shutdown and restart. Through commands sent over the Internet the computers can be instructed to carry out DDoS (distributed denial of service) attacks against chosen targets. To maintain connectivity, the operators can instruct the clients to sleep temporarily or reconnect at set intervals. The Trojan can also infect USB devices and other devices on the network.
A No-IP dynamic DNS hostname can optionally be used so that the botnet can be administered more efficiently even when the control server's IP address changes. It is quite possible for a criminal collective to rent out the resulting malware infrastructure to other hackers. Since the hosts are placed under the total control of the Trojan code, the malicious users can also apply prank-like settings such as reversing the mouse buttons, tampering with the clipboard contents, modifying the taskbar, turning the monitor on and off and generating audio messages via the operating system's text-to-speech engine. Important operating system components can be disabled or even deleted (Task Manager and Event Viewer), and log files removed.
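On the defensive side, repeated resolution of a dynamic DNS hostname is one of the few network artifacts such a reconnect loop leaves behind. The following added example (ours, not part of the original article or of the malware) flags DNS queries to No-IP zones in a resolver log. The suffix list is an assumption covering a few No-IP zones and should be extended from your own threat intelligence; the log lines are constructed in a generic "timestamp client qname" format rather than any particular resolver's output.

```python
"""Detection sketch: flag repeated DNS queries to dynamic-DNS hostnames.

Added example, not part of the original article. Suffix list and log
format are assumptions; the log lines are constructed.
"""
from collections import Counter, defaultdict

# Assumed dynamic-DNS zones. Only a few No-IP zones are listed because the
# article mentions that provider; a production rule set would be far broader.
DYNAMIC_DNS_SUFFIXES = (
    "no-ip.org", "no-ip.biz", "no-ip.info",
    "ddns.net", "hopto.org", "zapto.org", "sytes.net",
)


def is_dynamic_dns(name: str) -> bool:
    """True when the queried name is, or sits under, one of the suffixes."""
    host = name.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def parse_line(line: str):
    """Parse 'YYYY-MM-DD HH:MM:SS <client-ip> <qname>'; None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    date, time_, client, qname = parts
    return {"ts": f"{date} {time_}", "client": client, "qname": qname}


def find_beaconing(lines, min_queries: int = 3):
    """Return {client: {qname: count}} for dynamic-DNS names a client
    resolved at least min_queries times.

    Repeatedly resolving the same dynamic host is what a client's reconnect
    loop looks like in DNS logs; a single lookup is far less interesting.
    """
    counts = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_dynamic_dns(rec["qname"]):
            continue
        counts[rec["client"]][rec["qname"].lower().rstrip(".")] += 1
    return {
        client: {q: n for q, n in qs.items() if n >= min_queries}
        for client, qs in counts.items()
        if any(n >= min_queries for n in qs.values())
    }


# Constructed sample log: one host repeatedly resolving a No-IP name,
# another doing ordinary lookups, plus a malformed line the parser skips.
SAMPLE_LOG = """\
2017-11-12 09:00:01 10.0.0.15 update.example.com
2017-11-12 09:00:05 10.0.0.42 c2host.ddns.net.
2017-11-12 09:05:05 10.0.0.42 c2host.ddns.net.
2017-11-12 09:10:05 10.0.0.42 c2host.ddns.net.
2017-11-12 09:10:09 10.0.0.15 cdn.example.net
2017-11-12 09:11:00 10.0.0.15 myhome.hopto.org
garbage line that does not parse
""".splitlines()

if __name__ == "__main__":
    for client, names in find_beaconing(SAMPLE_LOG).items():
        for qname, n in names.items():
            print(f"{client} resolved {qname} {n} times")
```

The threshold keeps a user's one-off visit to a legitimately hosted dynamic DNS site out of the alert queue; tune it to the resolver's cache TTL, since a client behind a caching resolver will only show a new query once the previous answer has expired.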
By reading the system's regional settings and user configuration the criminals can get a sense of the victim's location. In addition, the IP address and other relevant values are fed to a public geolocation database to locate the victims more precisely. When it comes to information harvesting, two main categories can be distinguished:
- Personally Identifiable Information — The gathered data can directly expose the identity of the user: real name, address, telephone number, interests, preferences, etc.
- System Data — The NjRAT Lime Edition Trojan can extract a lot of sensitive information from the host, including the available hardware components and installed software applications.
Our analysis shows that another possible use is as a torrent seeder. The hackers take advantage of the available disk space and network connection to seed torrents, which builds up the ratio (rating) of their accounts on the linked torrent trackers. In many cases the content is pirated material.
The NjRAT Lime Edition Trojan’s Ransomware Engine Exposed
The latest version of the malware now includes a ransomware component. Its authors have bundled deep customization options comparable to those of advanced strains from the most famous malware families. In a staged delivery the ransomware component can be launched after the other malware actions have completed; in particular, if the hackers want to exfiltrate user data, that must happen before the encryption phase is engaged.
The ransomware uses a customizable list of target file extensions. The hackers usually include the most widely used data: archives, backups, documents, images, music, videos, configuration files, etc. The modular framework also allows them to define a white list and a black list. Excluded folders are usually system folders, since modifying their files could render the computer unusable.
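To show how the target list and the excluded folders interact, the following is an added example of the file-selection step (our own illustration, not the NjRAT Lime Edition code). It only selects paths; nothing is encrypted or renamed. The extension list, the excluded directory names and the sample directory tree, built in a temporary folder, are all assumptions chosen to mirror the description above. The same walk also yields the set of files a backup policy has to cover.

```python
"""Illustrative reconstruction of ransomware target selection.

Added example, not the NjRAT Lime Edition code. Extension list, excluded
directories and the sample tree are assumptions; nothing is modified.
"""
import os
import shutil
import tempfile
from pathlib import Path

# Assumed target list, mirroring the categories the article names.
TARGET_EXTENSIONS = {
    ".zip", ".7z", ".bak",                 # archives, backups
    ".docx", ".xlsx", ".pptx", ".pdf",     # documents
    ".jpg", ".png", ".mp3", ".mp4",        # images, music, video
    ".ini", ".cfg",                        # configuration files
}
# Assumed deny-list: trees excluded so the host keeps booting. Keyed on the
# directory name here; real configurations key on absolute system paths.
EXCLUDED_DIRS = {"windows", "program files", "programdata", "$recycle.bin"}


def select_targets(root: Path, target_exts=TARGET_EXTENSIONS,
                   excluded_dirs=EXCLUDED_DIRS, skip_hidden=True):
    """Return sorted files under root whose extension is in the allow-list
    and that do not live below an excluded (or hidden) directory.

    os.walk is pruned in place so excluded trees are never descended into.
    The extension comparison is case-insensitive because Windows users
    freely mix 'report.PDF' and 'report.pdf'.
    """
    selected = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Assigning to dirnames[:] stops os.walk from recursing into them.
        dirnames[:] = [
            d for d in dirnames
            if d.lower() not in excluded_dirs
            and not (skip_hidden and d.startswith("."))
        ]
        for name in filenames:
            if Path(name).suffix.lower() in target_exts:
                selected.append(Path(dirpath) / name)
    return sorted(selected)


def build_sample_tree() -> Path:
    """Create a constructed directory tree in a temp folder and return it."""
    root = Path(tempfile.mkdtemp(prefix="lime-demo-"))
    layout = {
        "Users/alice/Documents/report.PDF": b"pdf",
        "Users/alice/Pictures/holiday.jpg": b"jpg",
        "Users/alice/Music/track.flac": b"flac",          # not in target list
        "Users/alice/.cache/thumbs.png": b"png",           # hidden dir, skipped
        "Windows/System32/drivers/etc/hosts.bak": b"bak",  # excluded tree
        "Program Files/App/settings.ini": b"ini",          # excluded tree
        "backups/site.zip": b"zip",
    }
    for rel, data in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


def relative_targets(root: Path, **kwargs):
    """Selected files as POSIX-style paths relative to root, for checking."""
    return [p.relative_to(root).as_posix() for p in select_targets(root, **kwargs)]


def cleanup(root: Path) -> None:
    """Remove the constructed tree."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for rel in relative_targets(demo_root):
        print(rel)
    cleanup(demo_root)
```

Running it on the constructed tree selects the user's PDF, photo and backup archive and skips the FLAC file, the hidden cache and everything under Windows and Program Files. Disabling the deny-list and the hidden-directory skip selects all six matching files, which is the difference between a host that still boots to show its ransom note and one that does not.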
Once the encryption has finished, a distinctive extension can be appended to the victim's files so they are easily identified. Other methods used to blackmail the users into paying the operators include the following:
- Wallpaper Change — The hackers can change the wallpaper to display part of the ransom note.
- Ransomware Note — Ransom notes are usually text files or rich documents that use blackmail tactics to manipulate the victims into paying a “decryption fee”.
- Lockscreen Instance — An application window can be placed on the victim's computer that effectively blocks normal interaction until the threat has been completely removed.
Consequences of a NjRAT Lime Edition Trojan Infection
With this in mind, the overall capabilities of the NjRAT Lime Edition Trojan allow practically unlimited control of the host machines. If the criminal collective infects a large enough number of hosts, a botnet can be created. The graphical user interface used by the operators lets them easily launch the most common commands. The full list extracted from a live sample reads as follows:
- Manager — Gives the hackers an overview of the infected host.
- Run File — Runs a target file on the host computer.
- Remote Desktop — Launches the spying module, which displays the user's screen and actions in real time.
- Microphone — Records the victim’s microphone and sends the audio files to the hacker operators.
- Malware Killer — Disables malware it finds via a signature scan.
- Keylogger — Captures keystrokes and mouse movement.
- Persistence — Sets up the NjRAT Lime Edition Trojan in a way which prevents manual user removal attempts.
- Open Chat — Lets the hackers send messages to the victims, displayed as application pop-up windows.
- Spread USB — Infects connected removable storage devices.
- PC — Retrieves files from the compromised computer.
- Client — Opens the Client preferences.
- Open Folder — Gives access to the infected host's local drives.
Users can protect themselves by running a quality anti-malware solution and keeping it up to date. We recommend that all users scan their systems as soon as possible.