<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Njrat - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/njrat/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/njrat/feed.xml" rel="self" type="application/rss+xml"/><item><title>Windows Time-Based Evasion via Ping Delay</title><link>https://feed.craftedsignal.io/briefs/2024-01-time-based-evasion/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-time-based-evasion/</guid><description>This analytic detects potentially malicious processes initiating a ping delay using an invalid IP address, a tactic used by malware like NJRAT to evade detection by delaying actions.</description><content:encoded><![CDATA[<p>This detection focuses on identifying a specific time-based evasion technique employed by malware, including NJRAT. The technique involves initiating a ping command to an invalid IP address (&quot;ping 0 -n&quot;), which introduces a delay. This delay can be used to evade detection by security tools or to postpone malicious actions, such as self-deletion, until a later time. This behavior is typically observed on Windows endpoints and leverages the native <code>ping.exe</code> utility. The detection logic analyzes endpoint telemetry for command-line executions matching this pattern. Identifying and responding to this activity is crucial, as it indicates a potential attempt to evade security controls and maintain a persistent presence within the compromised environment. The timeframe for this technique has been observed since NJRAT's emergence and continues to be relevant as an evasion tactic.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to the system (e.g., via phishing or exploit).</li>
<li>Malware (e.g., NJRAT) is deployed on the compromised endpoint.</li>
<li>The malware executes <code>ping.exe</code> with the argument <code>ping 0 -n &lt;seconds&gt;</code>.</li>
<li>The <code>ping</code> command attempts to resolve the invalid IP address, causing a delay.</li>
<li>During the delay, the malware may perform other malicious activities, such as collecting system information or establishing persistence.</li>
<li>After the delay, the malware continues its primary objective, which may include data exfiltration, remote control, or self-deletion.</li>
<li>The self-deletion is delayed through ping, so that security tools won't notice the malicious program present on the host.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack using time-based evasion can allow malware to remain undetected for a longer period. This can lead to increased data exfiltration, prolonged remote access, and greater damage to the compromised system. Time-based evasion is a common technique among malware, potentially affecting a broad range of organizations. The impact includes increased dwell time for attackers, which gives them more opportunities to compromise sensitive data and systems. If successful, this evasion can lead to the deployment of ransomware or other destructive payloads.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect Windows Time Based Evasion via Ping Delay</code> to identify processes executing the <code>ping 0 -n</code> command.</li>
<li>Investigate any identified instances of <code>ping.exe</code> with the <code>0 -n</code> argument to determine if it is associated with malicious activity.</li>
<li>Enable Sysmon process creation logging (Event ID 1) to capture the necessary command-line information for the detection.</li>
<li>Ensure that endpoint detection and response (EDR) agents are configured to collect and forward process execution data.</li>
<li>Review <code>https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat</code> for more information about NJRAT and its tactics.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>time-based-evasion</category><category>njrat</category><category>windows</category></item></channel></rss>