Variants or Other Possible Names: njRAT, Iniduoh.
This RAT (Remote Access Trojan) has been around for a while, and was first posted by FireEye. It is a pretty nasty RAT, but is quite easy to find in log files. I will brush over the indicators on FireEye's website, as well as some other indicators not listed.
Remote Host Connections:
The author is fascinated with no-ip.info and zapto.org, so start your search with those domains. Below are several other domains used by the RAT:
- j2w2d.no-ip.biz (188.8.131.52)
- qwqhack.no-ip.biz (184.108.40.206)
HTTP URI Indicators:
HTTP Request Methods:
User-agent String Values:
This is an easy catch. The below value is used as a separator in the user-agent string field:
Associated Snort Rule:
- alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Iniduoh variant outbound connection"; flow:to_server,established; content:"/is-ready"; fast_pattern:only; http_uri; content:"User|2D|Agent|3A 20|"; http_header; content:"|3C 7C 3E|"; within:3; distance:8; http_header; content:"|3C 7C 3E|"; within:18; http_header; content:"|3C 7C 3E|Microsoft Windows"; within:84; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/220b551d9381fb56b48511b622a0bbc15482378396b3e83f708379f460f3347a/analysis/; classtype:trojan-activity; sid:28817; rev:3;)
Search in the user-agent string field.
I was never able to find much information for this RAT and I hope it helps you out in your searches.