In this blog post, we review a recent phishing campaign that leverages Discord CDN* to host malicious files and lure unsuspecting users into becoming victims of the njRAT malware.
*A CDN, or content delivery network, is a set of geographically disparate servers used to speed up processing of heavy attachments or webpages.
njRAT is malware classified as a Remote Access Trojan (RAT), meaning it is typically used by threat actors to control infected PCs remotely or to spy on users by capturing keystrokes, watching them through their webcam, or even listening to their microphone.
Like most attacks these days, this campaign starts with a payload delivered via email, the number one attack vector for cyber attacks.
The user receives an urgent email alerting them of a tax seizure in their name. At the end of the message there is a URL with an embedded link. The user is meant to click on this link to learn more about the “tax seizure.”
There are some warning signs within the email itself, such as the sender’s domain having no connection to the URL presented in the mail. Furthermore, “TAX SEIZURE ORDER” is written in all caps to pressure the user, a common social engineering technique.
Figure 1: The Phishing mail
Translation:
Bogota September 05, 2022 Let us notify you of the TAX SEIZURE ORDER established against you for failure to comply with your tax obligations. Then we ask you to consult the following web page where you will find the details of the embargo process.
The components of the attack span multiple stages. The below image shows the steps involved in the attack:
Figure 2: The njRAT Execution Process
Stage 1: Once the user clicks on the URL, a PDF file automatically downloads from Discord CDN.
Stage 2: After opening the PDF, the user is prompted to click on another URL; doing so automatically downloads a password-protected archive from Discord CDN.
Stage 3: Inside the archive the user finds a VBS script that, once executed, downloads two files: the njRAT binary from Discord CDN and a DLL from a remote site.
Stage 4: The DLL will download and invoke an additional DLL.
Stage 5: The invoked DLL will download the njRAT binary and inject it into Caspol.exe (a legitimate Microsoft .NET executable).
Stage 6: njRAT, now running under Caspol.exe, is unleashed and connects to a remote C2 server.
In the rest of this post, we review two main parts of this attack: 1) what happens after the user clicks on the email’s link and 2) what the njRAT malware is capable of.
As mentioned above, we first review what happens moments after the user clicks on the URL presented in the email. The URL contains an embedded link which is actually a redirect to a Discord CDN download URL.
According to Discord Inc., when someone sends an attachment in the Discord app, it is stored at https://cdn.discordapp.com/attachments/. Regardless of whether the attachment is later deleted, it remains stored forever on Discord’s servers. This means that as long as you have the attachment’s full URL, you can access and download it from anywhere.
Hackers find this method useful: they upload the malicious attachment they want, save the link to it, and embed that link wherever it suits them. By doing this, the hackers don’t need to create a server, host their files on it, and make sure AVs don’t flag the server as malicious. Discord makes it easy.
Figure 3: PDF download from Discord CDN
Once the user clicks on the embedded link, a PDF file begins to download. When the user opens the PDF, they will see a stolen template from a Colombian governmental institution that discusses tax-related topics. The text explains to the user that to view the status of their declaration of income and taxes, they must click on the URL presented within the PDF. In addition, the document states that due to security concerns, the user must enter the password (“2022”) to view the files.
Figure 4: The Phishing PDF
Translation:
BOGOTÁ DC SEPTEMBER 05, 2022 DIRECTORATE OF NATIONAL TAXES AND CUSTOMS MR(S) TAXPAYER Best regard Through this communication we inform you that due to your lack of commitment in the Financial Obligations derived from the MANAGEMENT OF NATIONAL TAXES AND CUSTOMS; the collection department LEGAL, as established by law 0201 of the year 2006 number 12, we notify you that to your knowledge an ORDER has been established against you IMMEDIATE TAX GARNISHMENT AND EXECUTIVE LAWSUIT SINGULAR MINIMUM AMOUNT, for the balance owed of $5,180,050 M/CTE corresponding to the taxes derived from your Income Tax Return with 22 days past due. Therefore, we invite you to consult here the status of the process of your Declaration of income and taxes owed: https://www.dian.gov.co/procesoaunerodeembargodetails For security reasons please Enter the Password: 2022 Cordially.
Once the user clicks on the URL in the PDF, a password protected archive downloads. This archive is also hosted in Discord CDN, however it is only accessible to those who have the full URL to the attachment.
Figure 5: Archive Download from Discord CDN
The archive contains a VBS script. This script downloads and invokes a DLL file that in turn delivers the njRAT binary:
Figure 6: Archive content
The VBScript is obfuscated in several layers: it contains “emoji” symbols that add “clean bytes” to evade static AV, string substitution, and variable concatenation:
Figure 7: Obfuscated VBScript
Using CyberChef, I experimented and solved the obfuscation puzzle by swapping variables for their intended values and concatenating the strings:
Figure 8: Deobfuscating the malicious command using CyberChef
After deobfuscating it, I found a small PowerShell script:
The script downloads a DLL from a remote site (wtools[.]io), decodes it from base64, and loads it.
The script also invokes a specific method in the DLL called ‘UDsSiDbb’, passing it three arguments:
The invoked DLL creates a persistence file on the user’s computer, downloads the njRAT binary, reverses it, and decodes it from base64. It also downloads an additional DLL that injects the njRAT binary into a legitimate Microsoft .NET executable:
Figure 9: ‘UDsSiDbb’ method invoked by the powershell script
The DLL receives three arguments (as mentioned above):
The first thing the DLL does is establish persistence on the user’s computer: it tries to copy the VBScript to the Startup folder (everything in this folder is executed when the computer boots) and rename it to 05SEPT.vbs (highlighted in red).
Second, the DLL downloads an additional DLL from a remote site (archive[.]org), reverses it, and replaces every occurrence of the string “ツツツ” with the letter “A” (highlighted in orange).
After that, the DLL downloads the njRAT binary and reverses it (highlighted in yellow). It then creates a string variable pointing to the default .NET Framework path (highlighted in green).
Finally, the DLL loads the additional DLL (decoded from base64), invokes the method “QHYmTKe” (the process hollowing function), and passes it two arguments:
The invoked DLL hollows out the Caspol.exe process and injects the njRAT malware into it. njRAT is then unleashed.
Figure 10: njRAT Injector
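The payload-recovery steps described above (reverse the downloaded text, swap the “ツツツ” filler back to “A” for the injector DLL, then base64-decode) can be reproduced offline. This is an added Python example, not code from the post or from the malware; the blobs it decodes are constructed stand-ins, not the campaign’s files.

```python
import base64
import hashlib

# Filler the loader DLL substitutes back to the letter "A" in the injector blob
FILLER = "ツツツ"


def decode_reversed_b64(blob: str, restore_filler: bool = False) -> bytes:
    """Undo the transform the loader applies before loading an assembly:
    reverse the text, optionally restore "A" from the filler, base64-decode."""
    text = blob[::-1]
    if restore_filler:
        text = text.replace(FILLER, "A")
    return base64.b64decode(text, validate=True)


def is_pe(data: bytes) -> bool:
    """A recovered .NET assembly should start with the MZ DOS header."""
    return data[:2] == b"MZ"


def recover(blob: str, restore_filler: bool) -> dict:
    """Decode a blob and summarise it the way an analyst would triage it."""
    data = decode_reversed_b64(blob, restore_filler)
    return {
        "is_pe": is_pe(data),
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def _make_sample(payload: bytes, use_filler: bool) -> str:
    """Build a constructed test blob by inverting the transform above."""
    text = base64.b64encode(payload).decode()
    if use_filler:
        text = text.replace("A", FILLER)
    return text[::-1]


# Constructed stand-ins for the two downloads (fake MZ header plus marker text)
RAT_STANDIN = b"MZ\x90\x00constructed-njrat-stand-in"
INJECTOR_STANDIN = b"MZ\x90\x00constructed-injector-stand-in"
SAMPLE_RAT = _make_sample(RAT_STANDIN, use_filler=False)        # reverse + b64 only
SAMPLE_INJECTOR = _make_sample(INJECTOR_STANDIN, use_filler=True)  # plus filler swap

if __name__ == "__main__":
    print(recover(SAMPLE_RAT, restore_filler=False))
    print(recover(SAMPLE_INJECTOR, restore_filler=True))
```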
Now, let’s review what happens when the njRAT malware is being executed.
Investigating the njRAT binary statically shows that it is .NET-based malware and can be decompiled using DnSpy:
Figure 11: njRAT static analysis
I opened the binary in DnSpy and went to its entry point. From there, I saw that the first thing the malware does is create a mutex for the program. It saves the result of the creation to a Boolean variable (True/False), so if creating the mutex fails, the malware knows it is already running and terminates itself:
Figure 12: Mutex Creation
Next, the malware starts a thread pointing to a method called “Receive”. This method connects to the C2 server, receives commands from it, and passes them to a parser function.
Figure 13: Receive method Thread creation
The Receive method first calls another internal method called “Connect” (as seen in the picture above). The Connect method retrieves the C2 server connection information (IP/domain and port) from local variables in the code:
Figure 14: C2 connection function
As you can see above, once the connection is made, the malware sends the C2 the data returned by another internal method called “GetInfo”. The GetInfo method harvests some basic information from the user’s computer:
The data is then passed to the C2 server in the following structure:
Figure 15: Data being passed to C2
As the structure shows, a prefix is added before the information is sent to the C2 server. In this case the prefix is “ll”, which tells the C2 that there is a newly infected machine; the C2 can then register all the transferred data under the profile of this infected machine.
After the initial information is sent and the server knows there is a newly infected machine, the client sends additional information to the C2, including the botnet name, the C2 configuration, where the binary is located on the machine, and the binary’s name:
Figure 16: Additional data passed to the C2
All of the collected data is saved as one string variable and base64-encoded. It is then sent to the C2 together with the prefix “inf” and a splitter:
Figure 17: Encoded inf data and decoded information
The client then waits for instructions from the C2.
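To make the check-in structure above concrete, here is an added Python parser (not from the post) for the “ll” and “inf” client messages, usable over captured payloads. It assumes the splitter is the “|'|'|” delimiter commonly reported for njRAT, which the post mentions but does not print; the sample messages are constructed, not from the real campaign.

```python
import base64

# Assumed field delimiter ("splitter"); the post does not print the real one.
SPLITTER = "|'|'|"
KNOWN_PREFIXES = {"ll", "inf"}  # new-infection registration, extra details


def parse_njrat_message(msg: str) -> dict:
    """Split one client->C2 message into its prefix and fields.

    "ll" carries the GetInfo fields directly; "inf" carries one base64 blob
    that itself contains splitter-separated fields (botnet name, C2 config,
    binary location, binary name), as described in the post.
    """
    prefix, sep, rest = msg.partition(SPLITTER)
    if not sep:
        raise ValueError("no splitter found; not an njRAT-style message")
    fields = rest.split(SPLITTER)
    result = {"prefix": prefix, "fields": fields}
    if prefix == "inf":
        decoded = base64.b64decode(fields[0]).decode("utf-8", errors="replace")
        result["decoded"] = decoded.split(SPLITTER)
    return result


def looks_like_njrat(msg: str) -> bool:
    """Cheap detection heuristic: known prefix followed by the splitter."""
    prefix, sep, _ = msg.partition(SPLITTER)
    return bool(sep) and prefix in KNOWN_PREFIXES


# Constructed sample traffic (field names/values are illustrative only)
INF_FIELDS = SPLITTER.join([
    "constructed-botnet", "c2.example.invalid:5552",
    r"C:\Users\victim\AppData\Roaming", "Caspol.exe",
])
SAMPLE_LL = SPLITTER.join(["ll", "victim-id", "VICTIM-PC", "victim", "Win 10"])
SAMPLE_INF = "inf" + SPLITTER + base64.b64encode(INF_FIELDS.encode()).decode()

if __name__ == "__main__":
    for sample in (SAMPLE_LL, SAMPLE_INF, "GET / HTTP/1.1"):
        print(looks_like_njrat(sample), sample[:40])
    print(parse_njrat_message(SAMPLE_INF)["decoded"])
```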
Now, I’ll cover some of the additional prefixes that the client may receive and what each of them does:
Figure 18: Keylogger prefix call
Figure 19: prof prefix call
Figure 20: rn prefix call
Figure 21: CAP prefix call
Figure 22: un prefix call
Figure 23: up prefix call
Figure 24: PLG prefix call
Figure 25: Ex prefix call
njRAT contains several more prefixes in different variations, but this sample only contains the methods mentioned above.
This njRAT malware campaign is very sophisticated. To avoid becoming the victim of this type of attack, we recommend the following steps to mitigate your risk: