This is an update to:
Detecting njRAT/Bladabindi Malware With Zeek – Zeek Roulette #1
I have been running this detector on a live network for a while and have seen two (rare) categories of false positives that we can easily eliminate with a small change to the code.
The first false positive occurs when the message length is zero. We can eliminate it by adding a &requires condition to the njRATMessage unit in our Spicy code:
public type njRATMessage = unit {
    len: /[0-9]+/ &convert=bytes2uint($$);
    : /\x00/;
    payload: bytes &size=self.len;
} &requires=(self.len > 0);

The second false positive occurs when there is traffic that looks like njRAT but does not use a valid, known njRAT command. I did some research here:
- https://cybergeeks.tech/just-another-analysis-of-the-njrat-malware-a-step-by-step-approach/
- https://hidocohen.medium.com/njrat-malware-analysis-198188d6339a
According to the sources above, we should expect the following commands from njRAT:
- ll
- proc
- rss
- rs
- rsc
- kl
- inf
- prof
- rn
- inv
- ret
- CAP
- P
- un
- up
- RG
- nwpr
- site
- fun
- IEhome
- shutdowncomputer
- restartcomputer
- logoff
- ErrorMsg
- peech
- BepX
- piano
- OpenCD
- CloseCD
- EnableKM
- DisableKM
- TurnOnMonitor
- TurnOffMonitor
- NormalMouse
- ReverseMouse
- EnableCMD
- DisableCMD
- EnableRegistry
- DisableRegistry
- EnableRestore
- DisableRestore
- CursorShow
- CursorHide
- sendmusicplay
- OpenSite
- dos
- udp
- udpstp
- pingstop
- pas
So now all we need to do is put this list of valid commands into our DPD signature to cut down on false positives:
signature dpd_njrat {
    ip-proto == tcp
    payload /^[0-9]+\x00(ll|proc|rss|rs|rsc|kl|inf|prof|rn|inv|ret|CAP|P|un|up|RG|nwpr|site|fun|IEhome|shutdowncomputer|restartcomputer|logoff|ErrorMsg|peech|BepX|piano|OpenCD|CloseCD|EnableKM|DisableKM|TurnOnMonitor|TurnOffMonitor|NormalMouse|ReverseMouse|EnableCMD|DisableCMD|EnableRegistry|DisableRegistry|EnableRestore|DisableRestore|CursorShow|CursorHide|sendmusicplay|OpenSite|dos|udp|udpstp|pingstop|pas)\|/
    enable "spicy_NJRAT"
}
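To see both filters working together outside of Zeek, here is an added Python re-implementation of the same checks (this is example code written for this update, not the Spicy parser or the Zeek signature themselves). It frames a stream the way the njRATMessage unit does (ASCII decimal length, NUL byte, payload), rejects zero-length frames, and rejects frames whose leading command is not in the list above; the sample byte strings are constructed for the demonstration.

```python
import re

# Known njRAT command keywords, copied from the list in this post.
NJRAT_COMMANDS = frozenset("""
ll proc rss rs rsc kl inf prof rn inv ret CAP P un up RG nwpr site fun IEhome
shutdowncomputer restartcomputer logoff ErrorMsg peech BepX piano OpenCD CloseCD
EnableKM DisableKM TurnOnMonitor TurnOffMonitor NormalMouse ReverseMouse
EnableCMD DisableCMD EnableRegistry DisableRegistry EnableRestore DisableRestore
CursorShow CursorHide sendmusicplay OpenSite dos udp udpstp pingstop pas
""".split())

# Framing as in the Spicy unit: decimal length, then a single NUL byte.
FRAME_RE = re.compile(rb"^([0-9]+)\x00")


def parse_message(data: bytes):
    """Return (length, payload, remaining_bytes) or None if no complete frame is present."""
    m = FRAME_RE.match(data)
    if not m:
        return None
    length = int(m.group(1))
    start = m.end()
    payload = data[start:start + length]
    if len(payload) != length:
        return None  # truncated frame: not enough bytes for the advertised length
    return length, payload, data[start + length:]


def classify(data: bytes) -> str:
    """Apply the two false-positive filters from this update to the frame at the start of data."""
    parsed = parse_message(data)
    if parsed is None:
        return "no-match"
    length, payload, _ = parsed
    if length == 0:
        return "zero-length"  # first false positive: &requires=(self.len > 0)
    cmd, sep, _ = payload.partition(b"|")
    if not sep or cmd.decode("ascii", "replace") not in NJRAT_COMMANDS:
        return "unknown-command"  # second false positive: command not in the DPD regex
    return "njrat"


def scan_stream(data: bytes) -> list:
    """Walk consecutive frames in one direction of a TCP stream and classify each."""
    verdicts = []
    while (parsed := parse_message(data)) is not None:
        verdicts.append(classify(data))
        data = parsed[2]
    return verdicts
```

Note that Zeek's DPD signature only inspects the start of the stream, so in practice it is the first frame that decides whether the Spicy analyzer is attached; scan_stream is there to show all three verdicts on one constructed stream.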