NjRAT variant - tXRAT v.2.3R

Hi, recently I discovered a modification of the famous RAT NjRat. We could not detect it with the existing rules, so I propose several new ones (version obtained from traffic).

NjRat Traffic example

155.ll|'|'|VEVTVF9DNEJBMzY0Nw==|'|'|USER-PC|'|'|admin|'|'|24-06-20|'|'||'|'|Win 7 Professional SP1 x86|'|'|No|'|'|0.7d|'|'|…|'|'|UHJvZ3JhbSBNYW5hZ2VyAA==|'|'|

tXRAT - Traffic example ( | - redacted separator replacement)

644.tXInfoClient|'|'|Wy1BTk9OWU1PVVMtXQ==|'|'|REVTS1RPUC1KR0xMSkxE|'|'|YWRtaW4=|'|'|24-06-19|'|'||'|'|V2luZG93cyAxMCBQcm8geDY0|'|'|0J3QtdGC0YM=|'|'|Windows Defender|'|'|2.3R|'|'|–|'|'|–|'|'|216.24.216.80|'|'|DE|'|'|R2VybWFueQ==|'|'|18F7786F96EE|'|'|XDFtzjhycufr737463|'|'|

alert tcp any any -> any any (msg: "ET MALWARE [ANY.RUN] NjRat (tXRAT v.2.3R) Client Sends State Active Window";flow: established, to_server; 
content: "tXActiveWindow|7c|"; depth: 20;
pcre:"/^\d{2,3}\x00/";
classtype:command-and-control;  
reference:md5,917d3bcc7cbe4668fa22b8bc2f0a4092;  
reference:url,community.emergingthreats.net/t/njrat-variant-txrat-v-2-3r; 
metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, id 5456483, malware_family njrat, tag RAT, created_at 2024_06_20; sid: 1; rev: 1;)

alert tcp any any -> any any (msg: "ET MALWARE [ANY.RUN] NjRat (tXRAT v.2.3R) Server Sends Plugin to Client";flow: established, to_client; 
content: "XSendPlugin|7c|"; offset: 3; depth: 20;
pcre:"/^\d{2,5}\x00/";
classtype:command-and-control; 
reference:md5,917d3bcc7cbe4668fa22b8bc2f0a4092;  
reference:url,community.emergingthreats.net/t/njrat-variant-txrat-v-2-3r; 
metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family njrat, tag RAT, created_at 2024_06_20; sid: 2; rev: 1;)

alert tcp any any -> any any (msg: "ET MALWARE [ANY.RUN] NjRat (tXRAT v.2.3R) Client Sends Check-in Packet";flow: established, to_server; 
content: "tXInfoClient|7c|"; offset: 3; depth: 20;
pcre:"/^\d{2,4}\x00/";byte_jump:0,0,string,dec;
isdataat: !2, relative;
classtype:command-and-control;  
reference:md5,917d3bcc7cbe4668fa22b8bc2f0a4092;  
reference:url,community.emergingthreats.net/t/njrat-variant-txrat-v-2-3r; 
metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major,  malware_family njrat, tag RAT, created_at 2024_06_20; sid: 3; rev: 1;)

Best regards, Jane.

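To make the framing the rules key on concrete, here is an added Python parser (not part of the post above or of the ET ruleset) for the `<length>\x00<command>|'|'|...` message layout shown in the captures: it requires the 2-5 digit length prefix and null byte the pcre checks for, rejects messages whose declared length does not match the bytes that follow (what rule 3's byte_jump plus isdataat:!2,relative pair tests), and base64-decodes the fields. The sample bodies are constructed from field values in the captures, and the base64-detection heuristic is an assumption.

```python
import base64
import re

SEP = "|'|'|"  # field separator used by njRAT and this tXRAT variant

# Constructed sample bodies that reuse field values from the captures above.
NJRAT_BODY = SEP.join(["ll", "VEVTVF9DNEJBMzY0Nw==", "USER-PC", "admin", "24-06-20", "",
                       "Win 7 Professional SP1 x86", "No", "0.7d", "UHJvZ3JhbSBNYW5hZ2VyAA==", ""])
TXRAT_BODY = SEP.join(["tXInfoClient", "Wy1BTk9OWU1PVVMtXQ==", "REVTS1RPUC1KR0xMSkxE",
                       "YWRtaW4=", "24-06-19", "", "V2luZG93cyAxMCBQcm8geDY0", "0J3QtdGC0YM=",
                       "Windows Defender", "2.3R", "216.24.216.80", "DE", "R2VybWFueQ==", ""])

LENGTH_PREFIX = re.compile(rb"^(\d{2,5})\x00")  # same shape as the rules' pcre "/^\d{2,n}\x00/"


def frame(body: str) -> bytes:
    """Build the wire form: decimal body length, a null byte, then the body."""
    data = body.encode("utf-8")
    return str(len(data)).encode() + b"\x00" + data


def decode_field(value: str) -> str:
    """Return the base64-decoded text of a field, or the raw value when it is not
    valid base64 (assumed heuristic: strict alphabet/padding and decodable UTF-8)."""
    try:
        raw = base64.b64decode(value, validate=True)
        return raw.rstrip(b"\x00").decode("utf-8")  # some fields carry a trailing NUL
    except (ValueError, UnicodeDecodeError):
        return value


def parse_message(packet: bytes) -> dict:
    """Parse one framed message with the checks the rules make: a 2-5 digit
    length prefix followed by \\x00, and a declared length equal to the number
    of bytes that follow (rule 3's byte_jump + isdataat:!2,relative)."""
    m = LENGTH_PREFIX.match(packet)
    if not m:
        raise ValueError("no <digits>\\x00 length prefix")
    body = packet[m.end():]
    declared = int(m.group(1))
    if declared != len(body):
        raise ValueError(f"declared length {declared} != actual {len(body)}")
    fields = body.decode("utf-8").split(SEP)
    return {"command": fields[0], "fields": [decode_field(f) for f in fields[1:]]}


if __name__ == "__main__":
    for sample in (NJRAT_BODY, TXRAT_BODY):
        print(parse_message(frame(sample)))
```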

Hey @Jane0sint, I’ll get these in today’s release!

Isaac
