REVERSE ENGINEERING AND AUTOMATED DEFENSE STRATEGIES FOR DETECTING AND PREVENTING RAT MALWARE

Presented by: Linda Bsharat, Lara Shahrori, Lana Khdair

WHAT IS NJRAT?
- A Remote Access Trojan (RAT) that emerged in 2013.
- Used for full device control, keylogging, data theft, and delivering payloads.
- Popular on dark web forums due to its ease of use and powerful features.
- Relies on Command and Control (C2) servers for executing commands.

WHY IS IT DANGEROUS?
1. Easy to use and widely available on the dark web.
2. Enables remote control over infected devices.
3. Bypasses traditional antivirus solutions.
4. Uses obfuscation techniques to avoid detection.
5. Communicates with C2 servers for data exfiltration.

REVERSE ENGINEERING
Goal: understand malware behavior, extract Indicators of Compromise (IoCs), and develop defense strategies.
Objectives:
- Understand malware behavior (propagation, C2 communication, attack execution).
- Extract IoCs (IPs, domain names, malicious files).
- Develop defense strategies (IDS rules, antivirus updates).

RESEARCH OBJECTIVES
- Analyze njRAT samples using reverse engineering (static and dynamic techniques).
- Examine the persistence techniques used by njRAT (encryption, registry key modifications).
- Explore C2 communication and data exfiltration methods.
- Develop automated defense mechanisms using Snort and pfSense.
- Demonstrate custom rule creation for blocking malicious activity.

RESEARCH METHODOLOGY
Reverse Engineering -> Static Analysis -> Dynamic Analysis -> Automated Analysis -> Develop Defense Mechanism & Prevention
1. Reverse Engineering:
   - Static Analysis: analyze the malware without executing it.
   - Dynamic Analysis: observe the malware's behavior during execution.
2. Automated Analysis: use APIs such as VirusTotal to gather dynamic behavior reports.
3. Detecting and Preventing: develop custom Snort rules for real-time threat detection.

STATIC ANALYSIS
Steps:
1. Determine file type and architecture.
2. Generate a hash for antivirus database checks.
3. Extract strings to reveal functionality and IoCs.
4. Identify obfuscation techniques (packers, cryptors).
Static analysis examines executables without running them.

STATIC ANALYSIS TOOLS
1. PEStudio: strings view (see figure).
2. Exeinfo PE: the tool warns that the protection is difficult to unpack with the NETRec tool (see figure).
3. dnSpy: a powerful tool for .NET reverse engineering that lets you decompile, inspect, and edit .NET assemblies. The malware sample we looked at used code obfuscation, which made manual analysis hard; the obfuscated function is shown in the figure.

Tool | Category | Description | Purpose in research
PEStudio | Static Analysis | Analyzes PE files, extracting metadata, strings, and imports. | Used to analyze the structure of the njRAT sample and identify suspicious indicators.
Exeinfo PE | Static Analysis | Detects obfuscation and packing in PE files. | Helped identify the obfuscation techniques used by njRAT.
dnSpy | Static Analysis | A .NET decompiler and debugger for reverse engineering .NET assemblies. | Used to decompile and analyze the .NET code of njRAT despite the obfuscation.

DYNAMIC ANALYSIS
Examining the malware while it runs to observe its behavior and network activity in real time.

1. PROCESS HACKER: monitored suspicious processes. The process exhibited unusual characteristics, including an obscure, seemingly encrypted name, often a trait of malware attempting to obfuscate its activity.

2. PROCESS MONITOR (PROCMON), Action tab
   Observation: the malicious executable (VbxFiQYCyFDgGL.exe) is set to run via a scheduled task.
   Detection: identified the attacker-added task, revealing the persistence mechanism. The task runs under specific conditions, aiding persistence, but disabled triggers may prevent execution in some scenarios.

3. WIRESHARK: used to capture network traffic and analyze communication between the malware and its Command and Control (C2) servers.

4. REGSHOT: used to monitor changes to the system registry and file system.
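The four static-analysis steps listed above (file type and architecture, hash, strings, packing indicators), carried out on a constructed stand-in buffer. This is an added example, not code from the presentation: the PE-header parsing is deliberately minimal, the sample bytes are synthetic, and the entropy threshold of 7.0 is an assumed rule of thumb for spotting packers and cryptors.

```python
import hashlib
import math
import re
import struct

# Constructed sample: a DOS header, a PE signature for an x86 machine and a few
# embedded strings. It is not a real njRAT sample and cannot execute.
SAMPLE = bytearray(b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80))
SAMPLE += b"\x00" * (0x80 - len(SAMPLE))                 # pad up to e_lfanew
SAMPLE += b"PE\x00\x00" + struct.pack("<H", 0x14C) + b"\x00" * 34
SAMPLE += b"schtasks.exe\x00/create /sc minute\x00"
SAMPLE += b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"

MACHINE = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}

def file_type_and_arch(data):
    """Step 1: check the MZ/PE signatures and read the COFF machine field."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-PE", None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if pe_off + 6 > len(data) or data[pe_off:pe_off + 4] != b"PE\x00\x00":
        return "MZ-only", None
    machine = struct.unpack_from("<H", data, pe_off + 4)[0]
    return "PE", MACHINE.get(machine, hex(machine))

def sha256(data):
    """Step 2: hash for antivirus / VirusTotal database lookups."""
    return hashlib.sha256(data).hexdigest()

def extract_strings(data, min_len=6):
    """Step 3: printable ASCII runs, the raw material for IoCs."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, bytes(data))]

def entropy(data):
    """Step 4 helper: Shannon entropy in bits per byte (8.0 = fully random)."""
    counts = [data.count(b) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)

def triage(data):
    """Combine the four static steps into one report dictionary."""
    ftype, arch = file_type_and_arch(data)
    strings = extract_strings(data)
    ent = entropy(data)
    return {
        "type": ftype, "arch": arch, "sha256": sha256(data),
        "entropy": round(ent, 2),
        "possibly_packed": ent > 7.0,  # packers/cryptors push entropy towards 8
        # strings pointing at the persistence tricks seen in dynamic analysis
        "persistence_markers": [s for s in strings if "schtasks" in s.lower() or "\\run" in s.lower()],
        "strings": strings,
    }
```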
The malware added new registry keys under:

DYNAMIC ANALYSIS: KEY FINDINGS
1. Process activity:
   - Suspicious processes with encrypted names.
   - Code injection into legitimate processes.
2. Persistence mechanisms:
   - Created scheduled tasks using schtasks.exe.
   - Modified registry keys for startup execution.
3. Network activity:
   - Outbound connections to C2 servers.
   - Data exfiltration attempts with encoded information.

Tool | Category | Description | Purpose in research
Process Hacker | Dynamic Analysis | Monitors running processes and system resources. | Captured and analyzed njRAT's C2 communication and data exfiltration attempts.
Process Monitor | Dynamic Analysis | Monitors file system, registry, and process activity. | Logged system calls and modifications made by njRAT during execution.
Wireshark | Dynamic Analysis | A network protocol analyzer for capturing and analyzing network traffic. | Used to capture network traffic and analyze communication between the malware and its C2 servers.
Regshot | Dynamic Analysis | Compares registry snapshots taken before and after malware execution. | Tracked the registry changes made by njRAT for persistence and evasion.

AUTOMATED DEFENSE STRATEGIES FOR DETECTING AND MITIGATING NJRAT MALWARE

AUTOMATED ANALYSIS USING APIS
Collected dynamic behavior reports and summarized the VirusTotal data using the Gemini API:
1. Network connections: HTTP, HTTPS.
2. Registry keys created and modified.
3. Processes initiated by the file.
4. Maliciousness prediction.

AUTOMATED DEFENSE WITH SNORT AND PFSENSE (IDS & IPS)
1. IP traffic data extraction: collected suspicious IPs and ports from the VirusTotal and Gemini APIs.
2. Snort rule generation: automatically generated rules using Drop and Alert actions.
3. Rule deployment: updated the rules, restarted Snort, and checked the logs for threat prevention.
Deployed as IDS and IPS using Snort on pfSense.
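The rule-generation and log-check steps of the Snort pipeline above, as an added example that is not the authors' script: it turns a constructed (ip, port, note) indicator list into Snort drop or alert rules with unique local SIDs, then counts hits per SID in constructed alert_fast log lines to confirm the deployed rules fired. The addresses, ports and log lines are assumed sample values, not indicators from the slides.

```python
import ipaddress
import re
from collections import Counter

# Constructed indicator list in the shape the pipeline collects from the
# VirusTotal/Gemini step: (ip, port, note). Documentation addresses and sample
# ports, not values taken from the slides or from real njRAT infrastructure.
INDICATORS = [
    ("192.0.2.10", 5552, "outbound C2 connection in sandbox report"),
    ("198.51.100.7", 1177, "second C2 contacted after reboot"),
    ("192.0.2.10", 5552, "same C2 reported twice; must not yield two rules"),
    ("not-an-ip", 80, "malformed entry; must be skipped, not emitted"),
]

RULE = ('{action} tcp $HOME_NET any -> {ip} {port} '
        '(msg:"njRAT C2 traffic to {ip}:{port}"; flow:to_server,established; '
        'classtype:trojan-activity; sid:{sid}; rev:1;)')

def make_rules(indicators, action="drop", sid_start=1000001):
    """(ip, port, note) tuples -> Snort rules with unique local SIDs (>= 1000000).
    action is "alert" (IDS) or "drop" (IPS/inline); bad IPs and duplicate
    ip:port pairs are skipped so the generated rule file loads without errors."""
    if action not in ("alert", "drop"):
        raise ValueError("action must be 'alert' or 'drop'")
    rules, seen, sid = [], set(), sid_start
    for ip, port, _note in indicators:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                      # not a usable IP: skip, never emit
        if not 0 < int(port) < 65536 or (ip, port) in seen:
            continue
        seen.add((ip, port))
        rules.append(RULE.format(action=action, ip=ip, port=port, sid=sid))
        sid += 1
    return rules

# Constructed lines in Snort's alert_fast format: what the "check the logs"
# step reads after the rules are loaded and Snort has been restarted.
SAMPLE_ALERTS = """\
01/15-10:22:31.123456  [**] [1:1000001:1] njRAT C2 traffic to 192.0.2.10:5552 [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 10.0.0.5:49152 -> 192.0.2.10:5552
01/15-10:22:45.000001  [**] [1:1000001:1] njRAT C2 traffic to 192.0.2.10:5552 [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 10.0.0.5:49160 -> 192.0.2.10:5552
01/15-10:23:02.555555  [**] [1:1000002:1] njRAT C2 traffic to 198.51.100.7:1177 [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 10.0.0.5:49170 -> 198.51.100.7:1177
"""
SID_RE = re.compile(r"\[1:(\d+):\d+\]")   # generator id 1, rule sid, revision

def hits_per_sid(alert_text):
    """Count alert_fast lines per rule SID to confirm each deployed rule fired."""
    return Counter(int(m.group(1)) for m in SID_RE.finditer(alert_text))
```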
Enabled real-time updates and monitoring using a Python script.

KEY FINDINGS AND CONCLUSION
Static analysis:
- Revealed file structure, API calls, and obfuscation techniques.
- Identified high entropy and suspicious indicators (e.g., generic file names).
Dynamic analysis:
- Uncovered persistence mechanisms (scheduled tasks, registry modifications).
- Detected C2 communication and data exfiltration attempts.
Automated analysis:
- Provided detailed behavioral data (network connections, DNS lookups).
- Identified malicious IPs and domains used for C2 communication.
Snort integration:
- Successfully blocked malicious traffic in real time using custom rules.
Impact:
- This approach can be extended to other malware types.
- Enhances network security through automated detection and prevention.

THANK YOU