{"id":830,"date":"2023-04-20T08:26:54","date_gmt":"2023-04-20T12:26:54","guid":{"rendered":"https:\/\/drkeithjones.com\/?p=830"},"modified":"2023-11-01T09:29:52","modified_gmt":"2023-11-01T13:29:52","slug":"detecting-njrat-bladabindi-malware-with-zeek-zeek-roulette-1","status":"publish","type":"post","link":"https:\/\/drkeithjones.com\/index.php\/2023\/04\/20\/detecting-njrat-bladabindi-malware-with-zeek-zeek-roulette-1\/","title":{"rendered":"Detecting njRAT\/Bladabindi Malware With Zeek &#8211; Zeek Roulette #1"},"content":{"rendered":"\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"An #njRAT C2 Detector - #Zeek Roulette #1\" width=\"500\" height=\"281\" src=\"https:\/\/www.youtube.com\/embed\/vD10f8-v2d0?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p>Welcome to the first edition of Zeek Roulette, where I pick a random Zeek topic and try to solve it!  <\/p>\n\n\n\n<p>For this article I picked njRAT malware from Any.Run and tried to write a detector for it.  
There is a copy of the njRAT malware, PCAP, and its analysis available here:<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/72f74893-b9dc-4b1d-9d55-39e0eae86bda\/#\" target=\"_blank\" rel=\"noopener\" title=\"\">https:\/\/app.any.run\/tasks\/72f74893-b9dc-4b1d-9d55-39e0eae86bda\/#<\/a><\/p>\n\n\n\n<p>If you download the PCAP file and run it through <a href=\"https:\/\/zeek.org\" target=\"_blank\" rel=\"noopener\" title=\"\">Zeek<\/a>, you will see the following line in conn.log:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>1681921215.277831\tCF6WFfOHjuxFz6wtc\t192.168.100.204\t49228\t3.68.56.232\t15145\ttcp\t-\t41.031513\t1268\t10585\tS1\t-\t-\t0\tShADaTdt\t12\t1999\t10\t5280\t-<\/code><\/pre>\n\n\n\n<p>This is where the malware&#8217;s C2 happens.  <\/p>\n\n\n\n<p>First, we need to understand njRAT&#8217;s C2 protocol.  After a little Googling I found this article and Suricata rule set:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>njRAT<\/p>\n\n\n\n<p>Discovered almost a decade ago, njRAT, also known as Bladabindi, is the most active and prevalent remote access trojan. It allows attackers to do surveillance and control the victim\u2019s computer. Its features include remote desktop, logging keystrokes, stealing credentials, capturing microphone and webcam, and many more. njRAT is mostly found to be delivered via phishing email campaigns containing malicious Word document attachments. It is also found to be delivered by masquerading as a legitimate application installer uploaded to file-sharing services and luring victims via drive-by download campaigns.<\/p>\n\n\n\n<p>Since the leak of source code 2013, njRAT has become widely adopted by cybercriminals and APT actors including Gorgon Group and APT41. Numerous variants have been detected over the years. Some variants have been found to be communicating over standard HTTP protocol and others were found to be communicating over custom protocols over TCP. 
The packet begins with data length in a decimal format null-terminated string followed by command and then delimiter followed by exfiltrated data.<\/p>\n\n\n\n<p>&#8230;<\/p>\n\n\n\n<p>alert tcp $HOME_NET any -&gt; $EXTERNAL_NET any (msg:\u201dZscaler Win32.Backdoor.NjRat \u2013 Data Exfil activity\u201d; flow:to_server,established; content:\u201d|00|inf\u201d; offset:3; depth:4; pcre:\u201d\/\\d{1,3}\\x00\\w{1,3}\/\u201d; pcre:\u201d\/(?:[A-Za-z0-9+\\\/]{4})*(?:[A-Za-z0-9+\\\/]{2}==|[A-Za-z0-9+\\\/]{3}=)?\/\u201d; flowbits:isset,ZS.njrat; flowbits:unset,ZS.njrat; classtype:trojan-activity; reference:url,https:\/\/research.zscaler.com;)<\/p>\n\n\n\n<p>alert tcp $HOME_NET any -&gt; $EXTERNAL_NET any (msg:\u201dZscaler Win32.Backdoor.NjRat \u2013 Data Exfil activity\u201d; flow:to_server,established; content:\u201d|00|ll\u201d; offset:3; depth:3; pcre:\u201d\/^\\d{1,3}\\x00\/\u201d; pcre:\u201d\/(?:[A-Za-z0-9+\\\/]{4})*(?:[A-Za-z0-9+\\\/]{2}==|[A-Za-z0-9+\\\/]{3}=)?\/\u201d; flowbits:set,ZS.njrat; flowbits:noalert; classtype:trojan-activity; reference:url,https:\/\/research.zscaler.com;)<\/p>\n<cite><a href=\"https:\/\/securityboulevard.com\/2021\/05\/catching-rats-over-custom-protocols\/\" target=\"_blank\" rel=\"noopener\" title=\"\">https:\/\/securityboulevard.com\/2021\/05\/catching-rats-over-custom-protocols\/<\/a><\/cite><\/blockquote>\n\n\n\n<p>We can use the general information from the article quoted above to write Zeek detection logic too.  <\/p>\n\n\n\n<p>First, we know that each message fits a known format of message length (in ASCII, only counting characters coming after the NULL), a NULL character, a command (in ASCII), and then a delimiter.  After the delimiter comes the remaining data, also delimited.  
<\/p>\n\n\n\n<p>In the PCAP for this malware sample, the first message example is (&lt;NULL&gt; is literally 0x00 in this case):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>156&lt;NULL&gt;ll|'|'|SGFjS2VkX0M0QkEzNjQ3|'|'|USER-PC|'|'|admin|'|'|23-04-19|'|'||'|'|Win 7 Professional SP1 x86|'|'|No|'|'|im523|'|'|..|'|'|UHJvZ3JhbSBNYW5hZ2VyAA==|'|'|152.inf|'|'|SGFjS2VkDQo3LnRjcC5ldS5uZ3Jvay5pbzoxNTE0NQ0KQWxsVXNlcnNQcm9maWxlDQpTeXN0ZW0uZXhlDQpUcnVlDQpUcnVlDQpUcnVlDQpUcnVlDQpUcnVlDQpUcnVlDQpUcnVlDQpUcnVl32.act|'|'|UHJvZ3JhbSBNYW5hZ2VyAA==<\/code><\/pre>\n\n\n\n<p>Here, the delimiter is:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>|'|'|<\/code><\/pre>\n\n\n\n<p>This delimiter can change, so we will design our detector to be delimiter indifferent!<\/p>\n\n\n\n<p>We can write a Spicy protocol analyzer to detect this type of C2.  First, we use the following dynamic protocol detection (DPD) signature to trigger our Spicy njRAT C2 protocol analyzer with the message format specified above:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>signature dpd_njrat {\n    ip-proto == tcp\n    payload \/^&#91;0-9]+\\x00&#91;a-zA-Z]+\\|\/\n    enable \"spicy_NJRAT\"\n}<\/code><\/pre>\n\n\n\n<p>The Spicy code for this analyzer is pretty simple and follows:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>module NJRAT;\n\nfunction bytes2uint(input: bytes) : uint64 {\n    local exp: uint64 = |input|;\n    local sum: uint64 = 0;\n    local val: uint64;\n    local shift: uint64;\n\n    for (c in input)\n        {\n        exp--;\n        val = c-48;\n        shift = 10**exp;\n        sum = sum + ( val * shift );\n        }\n    return sum;\n}\n\npublic type njRATMessages = unit {\n    messages: njRATMessage&#91;];\n};\n\npublic type njRATMessage = unit {\n    len: \/&#91;0-9]+\/ &amp;convert=bytes2uint($$);\n    : \/\\x00\/;\n    payload: bytes &amp;size=self.len;\n};<\/code><\/pre>\n\n\n\n<p>Any time a njRATMessage is parsed, the Spicy EVT file specifies that the following event 
fires:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>event NJRAT::message(c: connection, is_orig: bool, payload: string)<\/code><\/pre>\n\n\n\n<p>This event is handled in main.zeek to create an njrat.log entry where each line represents a command.<\/p>\n\n\n\n<p>After installing this package, the connection log will now look like the following (note the service of spicy_njrat!):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>1681921215.277831\tCqlVyW1YwZ15RhTBc4\t192.168.100.204\t49228\t3.68.56.232\t15145\ttcp\tspicy_njrat\t40.956665\t1268\t10585\tS1\t-\t-\t0\tShADaTdt\t10\t1895\t8\t2788\t-<\/code><\/pre>\n\n\n\n<p>And the njrat.log will look like the following:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#separator \\x09\n#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n#path\tnjrat\n#open\t2023-04-20-12-16-33\n#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tis_orig\tpayload\n#types\ttime\tstring\taddr\tport\taddr\tport\tbool\tstring\n1681921215.595297\tCqlVyW1YwZ15RhTBc4\t192.168.100.204\t49228\t3.68.56.232\t15145\tT\tll|'|'|SGFjS2VkX0M0QkEzNjQ3|'|'|USER-PC|'|'|admin|'|'|23-04-19|'|'||'|'|Win 7 Professional SP1 
x86|'|'|No|'|'|im523|'|'|..|'|'|UHJvZ3JhbSBNYW5hZ2VyAA==|'|'|\n1681921215.674016\tCqlVyW1YwZ15RhTBc4\t192.168.100.204\t49228\t3.68.56.232\t15145\tT\tinf|'|'|SGFjS2VkDQo3LnRjcC5ldS5uZ3Jvay5pbzoxNTE0NQ0KQWxsVXNlcnNQcm9maWxlDQpTeXN0ZW0uZXhlDQpUcnVlDQpUcnVlDQpUcnVlDQpUcnVlDQpUcnVlDQpUcnVlDQpUcnVlDQpUcnVl\n1681921221.103591\tCqlVyW1YwZ15RhTBc4\t192.168.100.204\t49228\t3.68.56.232\t15145\tT\tact|'|'|UHJvZ3JhbSBNYW5hZ2VyAA==\n1681921256.102097\tCqlVyW1YwZ15RhTBc4\t192.168.100.204\t49228\t3.68.56.232\t15145\tF\tCAP|'|'|35|'|'|23\n1681921256.170255\tCqlVyW1YwZ15RhTBc4\t192.168.100.204\t49228\t3.68.56.232\t15145\tT\tCAP|'|'|\\xff\\xd8\\xff\\xe0\\x00\\x10JFIF\\x00\\x01\\x01\\x01\\x00`\\x00`\\x00\\x00\\xff\\xdb\\x00C\\x00\\x08\\x06\\x06\\x07\\x06\\x05\\x08\\x07\\x07\\x07\\x09\\x09\\x08\\x0a\\x0c\\x14\\x0d\\x0c\\x0b\\x0b\\x0c\\x19\\x12\\x13\\x0f\\x14\\x1d\\x1a\\x1f\\x1e\\x1d\\x1a\\x1c\\x1c $.' \",#\\x1c\\x1c(7),01444\\x1f'9=82&lt;.342\\xff\\xdb\\x00C\\x01\\x09\\x09\\x09\\x0c\\x0b\\x0c\\x18\\x0d\\x0d\\x182!\\x1c!22222222222222222222222222222222222222222222222222\\xff\\xc0\\x00\\x11\\x08\\x00\\x17\\x00#\\x03\\x01\"\\x00\\x02\\x11\\x01\\x03\\x11\\x01\\xff\\xc4\\x00\\x1f\\x00\\x00\\x01\\x05\\x01\\x01\\x01\\x01\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\x09\\x0a\\x0b\\xff\\xc4\\x00\\xb5\\x10\\x00\\x02\\x01\\x03\\x03\\x02\\x04\\x03\\x05\\x05\\x04\\x04\\x00\\x00\\x01}\\x01\\x02\\x03\\x00\\x04\\x11\\x05\\x12!1A\\x06\\x13Qa\\x07\"q\\x142\\x81\\x91\\xa1\\x08#B\\xb1\\xc1\\x15R\\xd1\\xf0$3br\\x82\\x09\\x0a\\x16\\x17\\x18\\x19\\x1a%&amp;'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz\\x83\\x84\\x85\\x86\\x87\\x88\\x89\\x8a\\x92\\x93\\x94\\x95\\x96\\x97\\x98\\x99\\x9a\\xa2\\xa3\\xa4\\xa5\\xa6\\xa7\\xa8\\xa9\\xaa\\xb2\\xb3\\xb4\\xb5\\xb6\\xb7\\xb8\\xb9\\xba\\xc2\\xc3\\xc4\\xc5\\xc6\\xc7\\xc8\\xc9\\xca\\xd2\\xd3\\xd4\\xd5\\xd6\\xd7\\xd8\\xd9\\xda\\xe1\\xe2\\xe3\\xe4\\xe5\\xe6\\xe7\\xe8\\xe9\\xea\\xf1\\xf2\\xf3\\xf4\\xf5\\xf6\\xf7\\xf8\\xf9\\xfa\\xff\\
xc4\\x00\\x1f\\x01\\x00\\x03\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\x09\\x0a\\x0b\\xff\\xc4\\x00\\xb5\\x11\\x00\\x02\\x01\\x02\\x04\\x04\\x03\\x04\\x07\\x05\\x04\\x04\\x00\\x01\\x02w\\x00\\x01\\x02\\x03\\x11\\x04\\x05!1\\x06\\x12AQ\\x07aq\\x13\"2\\x81\\x08\\x14B\\x91\\xa1\\xb1\\xc1\\x09#3R\\xf0\\x15br\\xd1\\x0a\\x16$4\\xe1%\\xf1\\x17\\x18\\x19\\x1a&amp;'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz\\x82\\x83\\x84\\x85\\x86\\x87\\x88\\x89\\x8a\\x92\\x93\\x94\\x95\\x96\\x97\\x98\\x99\\x9a\\xa2\\xa3\\xa4\\xa5\\xa6\\xa7\\xa8\\xa9\\xaa\\xb2\\xb3\\xb4\\xb5\\xb6\\xb7\\xb8\\xb9\\xba\\xc2\\xc3\\xc4\\xc5\\xc6\\xc7\\xc8\\xc9\\xca\\xd2\\xd3\\xd4\\xd5\\xd6\\xd7\\xd8\\xd9\\xda\\xe2\\xe3\\xe4\\xe5\\xe6\\xe7\\xe8\\xe9\\xea\\xf2\\xf3\\xf4\\xf5\\xf6\\xf7\\xf8\\xf9\\xfa\\xff\\xda\\x00\\x0c\\x03\\x01\\x00\\x02\\x11\\x03\\x11\\x00?\\x00\\xe6\\xff\\x00\\xb2\\xa6\\x92(\\x8b\\x82T\\x96\\x00\\x95\\xc7Lf\\xae&amp;\\x84\\xdb3\\xb0\\xfeU\\xd9hZ\\x02\\xdc\\x04|\\x82=3\\x9cV\\xbe\\xa5j\\x96\\x0d\\x06\\xd8\\xf7\\x01\"\\xee\\xda\\xbb\\xb0;\\x9c}\\x05}\\\\\\xb1&lt;\\xab\\x92:\\xc8\\xf8\\xceyN\\xa3\\x93\\xd27\\xe9\\xfa\\x1eYu\\xa5\\x98\\xf2\\x0a\\xe0\\xd6\\x1d\\xcd\\xb1BH\\x15\\xec\\xde2&#91;W\\xd2\\xed\\xe6\\x8d 2\\xce\\xc5\\xfc\\xc5\\xe1\\xca\\xf6\\x0c1\\xc7\\x18\\xaf\/\\xbe\\x88s\\xc5V\\x06\\xb3\\xc5\\xd0\\xf6\\x8d%\\xabZ;\\xad7\\xfcM\\xaa?c&#91;\\x91;\\xaf\\xf39\\xfd\\xc4q\\x9a*f\\x8cn4Q\\xec\\x8e\\x9es\\xdf|&gt;\\xb3Z\\xda\\x85\\x9a\\x12\\x1d\\xba`\\x8cc\\xb53Q\\x82\\xfavm\\x90n\\xcf\\xfbc\\xfch\\xa2\\xbe~8\\xd9\\xa9\\xf3Y~?\\xe6vK+\\xa4\\xe0\\xa3\\xcc\\xff\\x00\\x0f\\xf29\\xeb\\xad\\x03U\\x9f\\xa5\\xb8\\x1e\\x99\\x91\\x7f\\xc6\\xb0.\\xfc%\\xae8$X\\xff\\x00\\xe4T\\xff\\x00\\xe2\\xa8\\xa2\\xbbVs]+Y~?\\xe6D2z\\x09\\xde\\xef\\xf0\\xff\\x00#4\\xf8'Y\\xcf6\\xea\\x0fq\\xe6\/\\x1f\\xad\\x14QS\\xfd\\xa7Y\\xf4_\\xd7\\xcc\\xdf\\xea4\\xbb\\xb3\\xff\\xd9\n#close\t2023-04-20-12-16-33<\/code><\/pre>\n\n\n\n<p>At this point the commands 
in the payloads could be split with the following function:<\/p>\n\n\n\n<p><a href=\"https:\/\/docs.zeek.org\/en\/master\/scripts\/base\/bif\/strings.bif.zeek.html#id-split_string\" target=\"_blank\" rel=\"noopener\" title=\"\">https:\/\/docs.zeek.org\/en\/master\/scripts\/base\/bif\/strings.bif.zeek.html#id-split_string<\/a><\/p>\n\n\n\n<p>But, since we don&#8217;t know what delimiter the attackers will use I chose to leave the full string in the log.  <\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Fixing The PCAP<\/h2>\n\n\n\n<p>Hah hah, not so fast!  Now you would think this code would work with the PCAP referenced throughout this article, wouldn&#8217;t you?  Well the PCAP, as downloaded from Any.Run, cuts the C2 connection short and therefore the Spicy analyzer will not detect it as njRAT.  I fixed the PCAP by removing the last fragment of the C2 communications and saved it here:<\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/keithjjones\/zeek-njrat-detector\/tree\/master\/testing\/Traces\" target=\"_blank\" rel=\"noopener\" title=\"\">https:\/\/github.com\/keithjjones\/zeek-njrat-detector\/tree\/master\/testing\/Traces<\/a><\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">njRAT IOCs And Zeek&#8217;s Intelligence Framework<\/h2>\n\n\n\n<p>We also see that Any.Run has some IOCs listed for this sample:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SHA256:  3f1a2a27304c02ea6e56bfd81b0bfc4cf8db5040c23f854d09b6728b1803a8b9\n\nDomain:  7.tcp.eu.ngrok.io\n\nIP:  3.68.56.232<\/code><\/pre>\n\n\n\n<p>While not as robust as our Spicy njRAT C2 analyzer, we can add IOCs to <a href=\"https:\/\/docs.zeek.org\/en\/master\/frameworks\/intel.html\" target=\"_blank\" rel=\"noopener\" title=\"\">Zeek&#8217;s intelligence framework<\/a> with the following function:<\/p>\n\n\n\n<p><a href=\"https:\/\/docs.zeek.org\/en\/master\/scripts\/base\/frameworks\/intel\/main.zeek.html#id-Intel::insert\" target=\"_blank\" rel=\"noopener\" 
title=\"\">https:\/\/docs.zeek.org\/en\/master\/scripts\/base\/frameworks\/intel\/main.zeek.html#id-Intel::insert<\/a><\/p>\n\n\n\n<p>The code I used was:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\tlocal intel_item = &#91;$indicator=\"7.tcp.eu.ngrok.io\", $indicator_type=Intel::DOMAIN, $meta=&#91;$source=\"njRAT\", $url=\"https:\/\/app.any.run\/tasks\/72f74893-b9dc-4b1d-9d55-39e0eae86bda\/#\"]];\n\tIntel::insert(intel_item);\n\n\tintel_item = &#91;$indicator=\"3.68.56.232\", $indicator_type=Intel::ADDR, $meta=&#91;$source=\"njRAT\", $url=\"https:\/\/app.any.run\/tasks\/72f74893-b9dc-4b1d-9d55-39e0eae86bda\/#\"]];\n\tIntel::insert(intel_item);\n\n\tintel_item = &#91;$indicator=\"3f1a2a27304c02ea6e56bfd81b0bfc4cf8db5040c23f854d09b6728b1803a8b9\", $indicator_type=Intel::FILE_HASH, $meta=&#91;$source=\"njRAT\", $url=\"https:\/\/app.any.run\/tasks\/72f74893-b9dc-4b1d-9d55-39e0eae86bda\/#\"]];\n\tIntel::insert(intel_item);<\/code><\/pre>\n\n\n\n<p>And we load the intelligence framework with the following load commands:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>@load frameworks\/intel\/seen\n@load base\/frameworks\/intel\/files.zeek<\/code><\/pre>\n\n\n\n<p>Now, the intel.log for this PCAP looks like the following:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#separator 
\\x09\n#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n#path\tintel\n#open\t2023-04-20-12-44-15\n#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tseen.indicator\tseen.indicator_type\tseen.where\tseen.node\tmatched\tsources\tfuid\tfile_mime_type\tfile_desc\n#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tenum\tenum\tstring\tset&#91;enum]\tset&#91;string]\tstring\tstring\tstring\n1681921215.261590\tC1Xkzz2MaGtLrc1Tla\t192.168.100.204\t52145\t192.168.100.2\t53\t7.tcp.eu.ngrok.io\tIntel::DOMAIN\tDNS::IN_REQUEST\tzeek\tIntel::DOMAIN\tnjRAT\t-\t-\t-\n1681921215.341329\tCqlVyW1YwZ15RhTBc4\t192.168.100.204\t49228\t3.68.56.232\t15145\t3.68.56.232\tIntel::ADDR\tConn::IN_RESP\tzeek\tIntel::ADDR\tnjRAT\t-\t-\t-\n#close\t2023-04-20-12-44-15<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">KilerRAT<\/h2>\n\n\n\n<p>Note this will work for RAT variants, like KilerRAT too:<\/p>\n\n\n\n<p><a href=\"https:\/\/cybersecurity.att.com\/blogs\/labs-research\/kilerrat-taking-over-where-njrat-remote-access-trojan-left-off\" target=\"_blank\" rel=\"noopener\" title=\"\">https:\/\/cybersecurity.att.com\/blogs\/labs-research\/kilerrat-taking-over-where-njrat-remote-access-trojan-left-off<\/a><\/p>\n\n\n\n<p>KilerRAT uses the following delimiter instead:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>|kiler|<\/code><\/pre>\n\n\n\n<p>Since the delimiter was not hard coded into our detector, we will still detect this variant.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The Source Code<\/h2>\n\n\n\n<p>You can install or see the full source code of this package from:<\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/keithjjones\/zeek-njrat-detector\" target=\"_blank\" rel=\"noopener\" title=\"\">https:\/\/github.com\/keithjjones\/zeek-njrat-detector<\/a><\/p>\n\n\n\n<p>You can install this package with:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>zkg install 
https:\/\/github.com\/keithjjones\/zeek-njrat-detector<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">More Info<\/h2>\n\n\n\n<p>Here is a good link with more info: <a href=\"https:\/\/hidocohen.medium.com\/njrat-malware-analysis-198188d6339a\">https:\/\/hidocohen.medium.com\/njrat-malware-analysis-198188d6339a<\/a><\/p>\n\n\n\n<p>You can read an update here: <a href=\"https:\/\/drkeithjones.com\/index.php\/2023\/05\/22\/njrat-bladabindi-zeek-detector-update-zeek-roulette-1-part-2\/\" title=\"njRAT\/Bladabindi Zeek Detector Update \u2013 Zeek Roulette #1 Part 2\">njRAT\/Bladabindi Zeek Detector Update \u2013 Zeek Roulette #1 Part 2<\/a><\/p>\n\n\n\n<p>If none of this made sense to you, <a href=\"https:\/\/www.youtube.com\/playlist?list=PLNEVgQAFtunt8SmBf2qjXW5AZf0wkbGip\" target=\"_blank\" rel=\"noopener\" title=\"\">check out my Zeek videos over at YouTube<\/a> to learn more about the technology in this article.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Welcome to the first edition of Zeek Roulette, where I pick a random Zeek topic and try to solve it! For this article I picked njRAT malware from Any.Run and tried to write a detector for it. 
There is a copy of the njRAT malware, PCAP, and its analysis available here: https:\/\/app.any.run\/tasks\/72f74893-b9dc-4b1d-9d55-39e0eae86bda\/# If you download [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[144,74,140,91,24,5,61,4,145],"tags":[143,141,142,28,27],"class_list":["post-830","post","type-post","status-publish","format-standard","hentry","category-detection","category-how-to","category-malware","category-open-source","category-pcaps","category-spicy","category-tools","category-zeek","category-zeek-roulette","tag-detection","tag-malware","tag-njrat","tag-spicy","tag-zeek"],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack-related-posts":[],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/posts\/830","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/comments?post=830"}],"version-history":[{"count":0,"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/posts\/830\/revisions"}],"wp:attachment":[{"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/media?parent=830"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/categories?post=830"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/tags?post=830"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}