Njrat Campaign Using Microsoft Dev Tunnels

Feb. 27, 2025, 3:48 p.m.

Description

A new Njrat malware campaign has been detected utilizing Microsoft's dev tunnels service for command and control (C2) communication. This service, designed for developers to securely expose local services to the internet, is being exploited by the malware to establish connections with C2 servers. Two samples were identified with different dev tunnel URLs but identical Import Hashes. The malware sends status updates to the C2 server and can potentially propagate through USB devices. A configuration file extracted from one sample reveals details about the C2 server, ports, and botnet name. The article suggests monitoring DNS logs for 'devtunnels.ms' as a defensive measure against this threat.

External References

https://isc.sans.edu/diary/rss/31724
https://otx.alienvault.com/pulse/67c07458e68d092fa57e1456
Tags
njrat
malware campaign
c2 communication
usb propagation
2025-02-27
microsoft dev tunnels

Date

  • Created: Feb. 27, 2025, 2:19 p.m.
  • Published: Feb. 27, 2025, 2:19 p.m.
  • Modified: Feb. 27, 2025, 3:48 p.m.

Indicators

  • 9ea760274186449a60f2b663f535c4fbbefa74bc050df07614150e8321eccdb7
  • 0b0c8fb59db1c32ed9d435abb0f7e2e8c3365325d59b1f3feeba62b7dc0143ee
  • https://nbw49tk2-27602.euw.devtunnels.ms/
  • https://nbw49tk2-25505.euw.devtunnels.ms/
  • nbw49tk2-25505.euw.devtunnels.ms
  • nbw49tk2-27602.euw.devtunnels.ms
Download all indicators here!

Attack Patterns

  • LV
  • Bladabindi
  • Njw0rm
  • njRAT - S0385
  • T1091
  • T1547.001
  • T1021
  • T1573
  • T1105
  • T1071
  • T1132
  • T1041