2025-02-28
In the world of cybersecurity, cybercriminals are constantly evolving their tactics, often taking advantage of legitimate services to carry out their malicious activities. One such example is the recent discovery of the Njrat malware using Microsoft’s Dev Tunnels service to connect to its Command-and-Control (C2) servers. Dev Tunnels, primarily designed to facilitate secure remote access for developers, have now become a new method for attackers to establish covert communications. In this article, we will explore how this malware utilizes Dev Tunnels, the technical details surrounding the samples, and how defenders can better track these threats.
Summary:
The Njrat malware family has been spotted exploiting Microsoft’s Dev Tunnels service to establish a secure connection to its C2 servers. Dev Tunnels, a service offered by Microsoft, enables developers to expose local services to the Internet, typically for debugging or testing purposes. However, attackers have taken advantage of this service to send malicious commands and data back and forth without being easily detected.
Two distinct samples of the malware, identified by their SHA256 hashes, are being used in the campaign. Despite differing tunnel URLs, both share the same Import Hash (ImpHash). The malware communicates with its C2 servers using these URLs, sending status updates and receiving instructions. Additionally, the malware is capable of propagating itself through USB devices, which can significantly enhance its spread.
The malware configuration further reveals details like the C2 server URL, ports, and options for auto-execution. One recommendation for defenders is to monitor DNS logs for any suspicious devtunnels.ms traffic to detect the malware’s activity.
What Undercode Says:
The discovery of the Njrat malware leveraging Microsoft’s Dev Tunnels service highlights the growing trend of cybercriminals using legitimate tools for nefarious purposes. As more developers rely on services like Dev Tunnels for secure and temporary connections to their local services, it’s likely that attackers will continue to exploit these services to avoid detection.
The technical aspects of the attack are notable: the malware uses shared, publicly hosted C2 infrastructure, a tactic already observed in other malware families that aim to remain undetected. Njrat's use of a seemingly harmless service such as Dev Tunnels to disguise its traffic shows how readily modern cybercriminals adapt. By using such public services, attackers can bypass traditional firewalls and filtering rules that are designed to block unauthorized or suspicious destinations. This also presents a significant challenge for network defenders, because legitimate developer activity and malicious traffic look alike at the network level.
Moreover, the inclusion of USB propagation capabilities adds another layer of complexity. It suggests that the malware can spread across networks in a stealthy manner, leveraging USB drives as vectors for further infection. This is particularly concerning for organizations where users frequently plug in external devices, unknowingly infecting entire networks.
The malware configuration itself also sheds light on the attacker’s strategy. The use of registry keys for auto-execution ensures that the malware is persistent across reboots, making it difficult to remove once installed. The communication between the malware and the C2 servers appears to be tightly controlled, with the malware checking in for updates and status reports. The botnet name “HacKed” indicates a potential effort to further humanize the attack, possibly as part of a larger social engineering scheme.
The malware’s reliance on Dev Tunnels for communication is an interesting case study in how cybercriminals adapt to security measures. While traditional methods of remote access often involve VPNs or compromised servers, Dev Tunnels provide an effective workaround. Given that these services are designed to be secure and temporary, they are not generally flagged by security systems, making them ideal for malicious actors.
Organizations need to stay vigilant and update their security measures to account for these emerging threats. Monitoring DNS traffic, particularly for domains associated with Dev Tunnels or other tunneling services, could provide an early warning sign of malware activity.
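The DNS-monitoring recommendation above (and the one in the summary) can be turned into a small triage script. This is an added example, not code from the original post or from the ISC diary. The log format, the client allow-list and the assumed tunnel hostname shape `<tunnel-id>-<port>.<region>.devtunnels.ms` are all constructed assumptions; only the `devtunnels.ms` suffix match is needed for detection.

```python
"""Flag DNS lookups for *.devtunnels.ms in a DNS query log (added example)."""
import re
from collections import defaultdict

# Suffix owned by Microsoft's Dev Tunnels service (named in the write-up).
TUNNEL_SUFFIX = ".devtunnels.ms"
# Assumed tunnel hostname shape; used only to pull out the tunnel id and port.
TUNNEL_HOST_RE = re.compile(
    r"^(?P<tunnel>[a-z0-9]+)-(?P<port>\d+)\.(?P<region>[a-z0-9]+)\.devtunnels\.ms$", re.I
)
# Developer workstations where Dev Tunnels use is expected (constructed values).
ALLOWED_CLIENTS = {"10.0.5.20"}


def parse_line(line):
    """Constructed format: '<timestamp> <client_ip> <qtype> <qname>'. None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    return parts[1], parts[3].rstrip(".").lower()


def is_devtunnel(qname):
    """Suffix match; avoids matching lookalikes such as devtunnels.ms.example.com."""
    return qname == TUNNEL_SUFFIX[1:] or qname.endswith(TUNNEL_SUFFIX)


def find_suspicious(lines):
    """Return {client_ip: [(qname, tunnel_port_or_None), ...]} for non-allow-listed clients."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qname = parsed
        if is_devtunnel(qname) and client not in ALLOWED_CLIENTS:
            m = TUNNEL_HOST_RE.match(qname)
            hits[client].append((qname, m.group("port") if m else None))
    return dict(hits)


# Constructed sample log: one allow-listed developer, one unexpected host
# resolving a tunnel twice (A and AAAA), one lookalike domain, one bad line.
SAMPLE_LOG = """2025-02-28T10:01:02Z 10.0.5.20 A abcd1234-8080.euw.devtunnels.ms.
2025-02-28T10:01:05Z 10.0.7.33 A www.microsoft.com.
2025-02-28T10:02:11Z 10.0.7.33 A zzz9q8w7-1337.usw2.devtunnels.ms.
2025-02-28T10:02:12Z 10.0.7.33 AAAA zzz9q8w7-1337.usw2.devtunnels.ms.
2025-02-28T10:03:00Z 10.0.9.41 A devtunnels.ms.example.com.
bad line"""

if __name__ == "__main__":
    for client, lookups in find_suspicious(SAMPLE_LOG.splitlines()).items():
        print(client, "->", sorted({q for q, _ in lookups}))
```

Hosts that appear in the output but are not known developer machines are the ones worth correlating with the ImpHash and registry auto-run indicators described above.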
Fact Checker Results:
- Accuracy of Malware’s Usage of Dev Tunnels: Verified, as Microsoft Dev Tunnels can indeed be used for remote service access, which was exploited by the attackers.
- C2 Server URLs: Confirmed to be active and associated with the identified malware samples.
- Propagation Through USB Devices: The malware’s configuration includes USB propagation, which is consistent with known capabilities of Njrat malware.
References:
Reported By: https://isc.sans.edu/forums/diary/Njrat