njRAT/Bladabindi Zeek Detector Update – Zeek Roulette #1 Part 2

This is an update to:

Detecting njRAT/Bladabindi Malware With Zeek – Zeek Roulette #1

I have been running this detector on a live network for a while, and I have seen two (rare) categories of false positives that we can easily eliminate by improving the code just a little.

The first false positive occurs when the message length is zero. We can eliminate it by adding a &requires attribute to the njRATMessage unit in our Spicy code:

public type njRATMessage = unit {
    len: /[0-9]+/ &convert=bytes2uint($$);   # ASCII decimal length prefix
    : /\x00/;                                # NUL terminator after the length
    payload: bytes &size=self.len;           # exactly `len` bytes of payload
} &requires=(self.len > 0);                  # reject zero-length messages

The second false positive occurs when traffic looks like njRAT but does not use a valid, known njRAT command. I did some research here:

I found that the sources above say we should expect the following commands from njRAT:

  • ll
  • proc
  • rss
  • rs
  • rsc
  • kl
  • inf
  • prof
  • rn
  • inv
  • ret
  • CAP
  • P
  • un
  • up
  • RG
  • nwpr
  • site
  • fun
  • IEhome
  • shutdowncomputer
  • restartcomputer
  • logoff
  • ErrorMsg
  • peech
  • BepX
  • piano
  • OpenCD
  • CloseCD
  • EnableKM
  • DisableKM
  • TurnOnMonitor
  • TurnOffMonitor
  • NormalMouse
  • ReverseMouse
  • EnableCMD
  • DisableCMD
  • EnableRegistry
  • DisableRegistry
  • EnableRestore
  • DisableRestore
  • CursorShow
  • CursorHide
  • sendmusicplay
  • OpenSite
  • dos
  • udp
  • udpstp
  • pingstop
  • pas

So now all we need to do is put this list of valid commands into our DPD signature to cut down on false positives:

signature dpd_njrat {
    ip-proto == tcp
    payload /^[0-9]+\x00(ll|proc|rss|rs|rsc|kl|inf|prof|rn|inv|ret|CAP|P|un|up|RG|nwpr|site|fun|IEhome|shutdowncomputer|restartcomputer|logoff|ErrorMsg|peech|BepX|piano|OpenCD|CloseCD|EnableKM|DisableKM|TurnOnMonitor|TurnOffMonitor|NormalMouse|ReverseMouse|EnableCMD|DisableCMD|EnableRegistry|DisableRegistry|EnableRestore|DisableRestore|CursorShow|CursorHide|sendmusicplay|OpenSite|dos|udp|udpstp|pingstop|pas)\|/
    enable "spicy_NJRAT"
}
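To check both rules offline, here is an added Python example (my own, not code from the original post or the Zeek/Spicy detector) that mirrors the unit's framing check and the signature's command allowlist against constructed sample messages. The `|` field separator after the command and the sample bytes are assumptions.

```python
import re

# Command allowlist copied from the post's updated dpd_njrat signature.
NJRAT_COMMANDS = {
    "ll", "proc", "rss", "rs", "rsc", "kl", "inf", "prof", "rn", "inv", "ret",
    "CAP", "P", "un", "up", "RG", "nwpr", "site", "fun", "IEhome",
    "shutdowncomputer", "restartcomputer", "logoff", "ErrorMsg", "peech",
    "BepX", "piano", "OpenCD", "CloseCD", "EnableKM", "DisableKM",
    "TurnOnMonitor", "TurnOffMonitor", "NormalMouse", "ReverseMouse",
    "EnableCMD", "DisableCMD", "EnableRegistry", "DisableRegistry",
    "EnableRestore", "DisableRestore", "CursorShow", "CursorHide",
    "sendmusicplay", "OpenSite", "dos", "udp", "udpstp", "pingstop", "pas",
}

# Framing from the njRATMessage unit: ASCII decimal length, NUL, then `len` bytes.
HEADER = re.compile(rb"^([0-9]+)\x00")


def parse_njrat_message(data: bytes):
    """Return (length, payload), or None when the framing does not hold."""
    m = HEADER.match(data)
    if m is None:
        return None
    length = int(m.group(1))
    if length <= 0:  # the &requires=(self.len > 0) check: first false-positive class
        return None
    payload = data[m.end():m.end() + length]
    if len(payload) < length:  # fewer bytes than declared: treat as not parsed
        return None
    return length, payload


def looks_like_njrat(data: bytes) -> bool:
    """Framing must parse AND the first field must be a known njRAT command."""
    parsed = parse_njrat_message(data)
    if parsed is None:
        return False
    command, sep, _ = parsed[1].partition(b"|")  # assumed '|' field separator
    # second false-positive class: njRAT-like framing but an unknown command
    return sep == b"|" and command.decode("ascii", "replace") in NJRAT_COMMANDS


# Constructed samples (not captures): one true positive and the two false-positive classes.
SAMPLES = {
    "valid": b"7\x00inf|xyz",          # length 7, known command "inf"
    "zero_len": b"0\x00",              # declared length 0
    "unknown_cmd": b"9\x00hello|foo",  # framing fits, "hello" is not an njRAT command
}
```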
