njRat campaign coming from Saudi Arabia is using old FakeAV tactics

Security experts discovered a new njRat campaign using old FakeAV tactics, making use of compromised websites as a third-layer communication proxy.

A recent post published on http://blog.0x3a.com/ describes a new njRat campaign using old tactics, making use of compromised websites as a third-layer communication proxy.

Using FakeAV tactics was in vogue some years ago, but it seems that not all of them have disappeared, and the latest post on http://blog.0x3a.com proves exactly that. The infection can arrive from almost any “corner” of the web (spam emails, chat messages, SMS, etc.), but in the case described in the post, no details were given about how the victim received the link.

When visiting the compromised website, the user is greeted with a pop-up alert:

As is typical of FakeAV, after a pop-up like the one above the browser displays a Windows XP-style “My Computer” window claiming that the PC is full of viruses:

Clicking any of the buttons on the page downloads a file called “Antivirus2015.exe”:

Running the so-called “Antivirus2015.exe” fake antivirus produces a pop-up in broken English (strange for an AV brand…) reading “Your Computer not found of virus”:

One of the persistence methods of this FakeAV is that it adds itself to the startup entries so that it runs every time the PC is turned on; in MSConfig a new entry can be seen:

Investigating further, the author checked the code and found that the “main” function does the following:

  • Display the pop-up with the message
  • Make sure the application (and its icon) isn’t shown in the taskbar
  • Decode a string of text (under Label_004D) which contains a link to a pastebin post
  • Download whatever is at this pastebin link
  • Use the content of the pastebin post as another URL and download data from it
  • Write the data obtained from the URL inside the pastebin post to ‘%temp%/notepad.exe’
  • Execute the ‘%temp%/notepad.exe’ payload
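The behaviour listed above gives a defender three cheap signals: a Run-key entry that launches a binary from a user-writable directory (the persistence in MSConfig), a non-browser process talking to a paste site that acts as a dead-drop resolver for the real payload URL, and a file named after a system binary (notepad.exe) executing from %temp%. The following triage script, an added example and not code from the original post or from the analysed sample, checks those three signals over constructed sample data; the user name, paths, Run-key names and event shapes are assumptions made for the demonstration.

```python
"""Triage checks for the FakeAV/njRat staging chain described in the post.

All sample data below is constructed for this example (not taken from the
blog post): a couple of Run-key values and a few Sysmon-style events shaped
like the behaviour the post lists, so the checks run offline.
"""
import re

# Binaries that normally live under %SystemRoot%; one of these names under a
# user-writable directory (e.g. %temp%\notepad.exe) is a masquerading signal.
SYSTEM_BINARY_NAMES = {"notepad.exe", "svchost.exe", "explorer.exe", "lsass.exe"}

# Directories a standard user can write to; persistence from here is suspicious.
USER_WRITABLE_DIRS = re.compile(
    r"(\\appdata\\local\\temp\\|\\appdata\\roaming\\|\\users\\public\\|\\downloads\\|\\temp\\)",
    re.IGNORECASE,
)

# Public paste services abused as "dead drop resolvers": the dropper fetches
# the real second-stage URL from a post there instead of embedding it.
DEAD_DROP_HOSTS = {"pastebin.com", "pastebin.pl", "ghostbin.com", "hastebin.com"}

# Processes for which a connection to a paste site is normal user activity.
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def expand_env(path: str, env: dict) -> str:
    """Expand %VAR% tokens from a supplied map (not os.environ), so the same
    check can be run against a collected image from another host."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def is_masquerading(exe: str) -> bool:
    """True when a system-binary name runs from somewhere other than %SystemRoot%."""
    return basename(exe) in SYSTEM_BINARY_NAMES and not re.search(r"\\windows\\", exe, re.IGNORECASE)


def check_run_entry(name: str, command: str, env: dict) -> list:
    """Flag a Run-key value whose target lives in a user-writable directory."""
    exe = expand_env(command.strip('"'), env)
    findings = []
    if USER_WRITABLE_DIRS.search(exe):
        findings.append(f"run-key '{name}' starts a binary from a user-writable path: {exe}")
    if is_masquerading(exe):
        findings.append(f"run-key '{name}' uses a system-binary name outside %SystemRoot%: {exe}")
    return findings


def check_event(ev: dict, env: dict) -> list:
    """Flag paste-site traffic from non-browsers and masquerading executables."""
    image = expand_env(ev.get("image", ""), env)
    findings = []
    if ev["type"] == "network_connect":
        host = ev.get("dest_host", "").lower()
        if host in DEAD_DROP_HOSTS and basename(image) not in BROWSERS:
            findings.append(f"non-browser {basename(image)} contacted dead-drop host {host}")
    elif ev["type"] == "process_create":
        if is_masquerading(image) and USER_WRITABLE_DIRS.search(image):
            findings.append(f"system-binary name executed from user-writable path: {image} "
                            f"(parent {basename(ev.get('parent', ''))})")
    return findings


def triage(run_entries: list, events: list, env: dict) -> list:
    findings = []
    for name, command in run_entries:
        findings += check_run_entry(name, command, env)
    for ev in events:
        findings += check_event(ev, env)
    return findings


# --- constructed sample data (assumed host layout, not from the post) -------
SAMPLE_ENV = {"TEMP": r"C:\Users\alice\AppData\Local\Temp", "SYSTEMROOT": r"C:\Windows"}
SAMPLE_RUN_ENTRIES = [
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),   # benign
    ("Antivirus2015", r"C:\Users\alice\Downloads\Antivirus2015.exe"),       # FakeAV persistence
]
SAMPLE_EVENTS = [
    {"type": "network_connect", "image": r"C:\Users\alice\Downloads\Antivirus2015.exe",
     "dest_host": "pastebin.com"},                                            # dead-drop lookup
    {"type": "network_connect", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "pastebin.com"},                                            # a user reading a paste
    {"type": "process_create", "image": r"%TEMP%\notepad.exe",
     "parent": r"C:\Users\alice\Downloads\Antivirus2015.exe"},               # dropped payload
    {"type": "process_create", "image": r"C:\Windows\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},                                   # the real Notepad
]

if __name__ == "__main__":
    for line in triage(SAMPLE_RUN_ENTRIES, SAMPLE_EVENTS, SAMPLE_ENV):
        print("[!]", line)
```

Only the three malicious items in the sample are reported; the real Notepad and the browser visiting pastebin are left alone. The dead-drop check is the most durable of the three: the pastebin URL changes between campaigns, but a non-browser process resolving a paste site right before a new executable appears in %temp% is the pattern, not the indicator.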

The FakeAV originates from Saudi Arabia, specifically from the IP address 188.55.84.43:

As a concluding note, the old methods of 2005 can be called the new methods of 2015: ordinary users forget old threats, because they date from ten years ago or because they never faced them in the first place. Keep in mind that old methods are coming back to life, as in the case of Excel/Word macros.

You can read the full post on the blog here: http://blog.0x3a.com/post/120423677154/unusual-njrat-campaign-originating-from-saudi

About the Author Elsio Pinto

Elsio Pinto (@high54security) is currently the Lead McAfee Security Engineer at Swiss Re; he also has knowledge in the areas of malware research, forensics and ethical hacking. He has previous experience at major institutions, the European Parliament being one of them. He is a security enthusiast and tries his best to pass on his knowledge. He also runs his own blog: http://high54security.blogspot.com/


Edited by Pierluigi Paganini

(Security Affairs – njRat,  cybercrime)


Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. Author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
