Njrat Campaign Using Microsoft Dev Tunnels
Feb. 27, 2025, 3:48 p.m.
Description
A new njRAT malware campaign has been detected that uses Microsoft's dev tunnels service for command-and-control (C2) communication. The service, designed to let developers securely expose local services to the internet, is abused by the malware to reach its C2 servers. Two samples were identified with different dev tunnel URLs but identical import hashes. The malware sends status updates to the C2 server and can potentially propagate via USB devices. A configuration file extracted from one sample reveals the C2 server, ports, and botnet name. The article suggests monitoring DNS logs for 'devtunnels.ms' as a defensive measure against this threat.
Date
- Created: Feb. 27, 2025, 2:19 p.m.
- Published: Feb. 27, 2025, 2:19 p.m.
- Modified: Feb. 27, 2025, 3:48 p.m.
Indicators
- 9ea760274186449a60f2b663f535c4fbbefa74bc050df07614150e8321eccdb7
- 0b0c8fb59db1c32ed9d435abb0f7e2e8c3365325d59b1f3feeba62b7dc0143ee
- https://nbw49tk2-27602.euw.devtunnels.ms/
- https://nbw49tk2-25505.euw.devtunnels.ms/
- nbw49tk2-25505.euw.devtunnels.ms
- nbw49tk2-27602.euw.devtunnels.ms
Attack Patterns
- LV
- Bladabindi
- Njw0rm
- njRAT - S0385
- T1091
- T1547.001
- T1021
- T1573
- T1105
- T1071
- T1132
- T1041