Our ‘BlackBerry Cylance Versus’ series takes an in-depth look at malware from A to Z, from past to present. Our goal is to reveal how and why threats that may have been active for years still work, and what we, as a security community, can do to combat them.
Njw0rm is a remote access trojan (RAT) with worm capabilities. It targets credentials stored by Google Chrome, Filezilla, and VitalWerks, the parent company of No-IP. It checks for removable devices, and if found, infects them. Njw0rm alters the attributes of other local files on the removable drive to trick users into infecting any system accessing the drive.
Njw0rm has a builder which allows threat actors to set the communication port for the command and control (C2) server, using 1888 as the default. The builder also includes customization options for naming the worm and choosing which directory it copies itself to when executed (Figure 1):
Figure 1: Njw0rm Builder GUI
- UPX: Offers the option to UPX Pack the AutoIT compiled executable
- MELT: Offers the option to have the malware file delete itself after dropping into the specified directory
- Obfuscate: Offers the option to obfuscate the embedded AutoIT script
As soon as the worm executes on a target machine it establishes a connection to its C2 server. This connection is used to transfer information about the target machine to the C2 server:
Figure 2: Njw0rm establishing connection to C2 (example)
The information is formatted and displayed to threat actors in a table. Attackers can see the computer name, user names, OS version, worm version, the active window, and USB devices available to the machine:
Figure 3: View of infected machine from attacker’s point of view
Threat actors can also interact with the victim machine in multiple ways (Figure 4):
Figure 4: Njworm options available to attacker
- Run file: Run a file (attacker can specify which user)
- Autoit Script: Copy and paste an AutoIt script for execution
- CMD.EXE: Perform actions using the command line
- Update: Update the worm (by providing an update URL)
- Uninstall: Uninstall malware from the victim machine
- Builder: Launch the Njw0rm malware builder
- About: Provides worm version info as well as a link to the author’s Twitter page. The Twitter account was created in 2013 and contains a single tweet - the phrase “good morning”, written in Arabic:
Figure 5: Version info of the builder
Get Passwords: This option displays a tabular view of all the usernames, passwords, and the related websites that have been scraped from the victim machine.
When Njw0rm is first executed on a machine it creates an .ini file. The file contains the value “Y” or “N” depending on whether a removable device is connected to the machine. Njw0rm then creates a copy of itself in the %TEMP% directory.
Njw0rm creates a mutex based on the filename and file path supplied to the builder. In the example below (Figures 6 and 7), the mutex was created using “tempMicrosoft.exe”:
Figure 6: Creation of Microsoft.exe.ini
Figure 7: Creation of Microsoft.exe
The worm achieves persistence by adding itself to registry keys and startup locations to ensure it is executed after every reboot of the victim machine (Figure 8):
Figure 8: Njw0rm achieving persistence
The malware also adds itself as an allowed program to the Windows firewall by using netsh.exe. The ShellExecute commands seen in Figure 9 translates to: “firewall add allowedprogram “C:\Users\%USER%\AppData\Local\Temp\Microsoft.exe” “Microsoft.exe” ENABLE”, and effectively bypasses the firewall:
Njw0rm resolves an IP address by contacting sss6e6xxx[dot]myvnc[dot]com, then uses this IP to connect back to the C2 server (Figure 10):
Figure 10: Resolving IP address of DNS
The malware is written in the AutoIt Scripting language. The script has three different functions related to stealing credentials from Filezilla, Google Chrome, and No-IP accounts. No-IP is a dynamic DNS provider.
The No-IP function checks the registry key HKLM\SOFTWARE\Vitalwerks\DUC for the presence of usernames and passwords used for No-IPs dynamic DNS server. If found, the credentials and passwords are sent back to the C2 server:
Figure 11: No-IP credential stealing
The Filezilla function checks for the presence of login credentials and server information in “\Filezilla\recentservers.xml". If found, the credentials and passwords are sent back to the C2 server:
Figure 12: Filezilla credential stealing
The Chrome function looks for user login data associated with specific URLs. If found, Njw0rm calls a function to decrypt passwords saved by Chrome before sending the information back to the C2 server.
Figure 13: Google Chrome credential stealing
Njw0rm's propagation method relies entirely on removable devices. It continuously searches for connected removable drives using the usb() function within the AutoIt script (Figure 14):
Figure 14: Constant loop
Once a removable device is detected the worm will set the attributes of ten existing files on the device to hidden. Next, it creates a .lnk file for each folder it hides. It also creates the folder “My Pictures”, if one does not exist on the drive:
Figure 15: Njw0rm checking for removable drives
Figure 16: USB drive after infection
The Njw0rm-created .lnk files are configured to execute a copy of the worm before opening the corresponding hidden folder (Figure 17). This approach helps the worm evade detection:
Figure 17: .lnk file properties
BlackBerry® Cylance® Stops Njw0rm
In testing, CylancePROTECT® detects and blocks Njw0rm with a predictive advantage score in excess of three years. The cloud-trained AI security agents created by BlackBerry Cylance have been able to detect and prevent Njw0rm and its modern variants since the October 29th, 2015.
Indicators of Compromise (IOCs)*
DNS Query to: sss6e6xxx[dot]myvnc[dot]com
Communications over port 4040
*Note: Due to the ease of access to the builder, Njw0rm samples can vary, the vast majority of samples will have different IOCs.
| Builder: 37C246AF3B9980DD069BA971E6FDAA49FF264A256DCF44377D0979B816813319 |
Win 32 PE