
Backdoor.Ratenjay

Posted: July 5, 2013

Backdoor.Ratenjay (njRAT) is a Remote Access Tool (or RAT) and backdoor Trojan that is especially popular among cybercrooks in the Middle East. Because Backdoor.Ratenjay includes general functions for letting ill-minded persons take over your PC, as well as ones intended to track private information or assist other threats, Backdoor.Ratenjay is rated as a high-level threat. While using anti-malware software for removing Backdoor.Ratenjay, malware experts recommend that you pay attention to peripheral devices that could be compromised, particularly since variants of Backdoor.Ratenjay, like Njw0rm, include self-copying functions.

The RAT that's Responsible for Sniffing out Your Passwords

Backdoor.Ratenjay is one of the most generically useful (for illicit activities) types of threats in existence: the Remote Access Tool, a program that allows outsiders to browse your PC and modify its contents at their leisure. Just like the Bancos banking Trojans that prefer to target South America, Backdoor.Ratenjay has its own regional specialty and is most often seen in Saudi Arabia, Libya, Egypt and other localities in the Middle East. Some, but not all versions of Backdoor.Ratenjay also include worm functions, which can allow them to place copies onto peripheral hard drives. To stop Backdoor.Ratenjay's distribution, malware experts discourage sharing these devices until anti-malware products have disinfected them.

However, even if you confine Backdoor.Ratenjay to a single machine, its attacks are potent, with tens of thousands of separate PCs already infected and added to its botnet. Some functions of Backdoor.Ratenjay that malware analysts feel are worth outlining include:

  • Spyware-related features that allow Backdoor.Ratenjay to track information from the compromised computer. Backdoor.Ratenjay may take screenshots, record your keyboard's keystrokes or even monitor your webcam input.
  • Backdoor functions let Backdoor.Ratenjay place your PC into a botnet, wherein commands may be distributed to force the infected machine to partake in practices such as spamming or DDoS attacks. These attacks may have few or no symptoms for the infected PC, other than the increase in network traffic.
  • Backdoor.Ratenjay may be used to read and modify various system-critical files, particularly the Registry. These functions may disable security features that are necessary for your PC's safety.
  • Backdoor.Ratenjay may also install other files, including additional threats and external components.

Why Backdoor.Ratenjay is a RAT that's at Home in the Desert Heat

Backdoor.Ratenjay has had ample distribution and development since at least 2013, but is a particular worry for users in the Middle East. That worry is in part thanks to its original developer, @njq8, who provides updates to the RAT, along with tutorials, with a focus on Arabic-speaking audiences. These materials allow cybercrooks to use Backdoor.Ratenjay for a range of diverse purposes, and the overall consequences of allowing a single Backdoor.Ratenjay infection to rampage unchecked can only be estimated, rather than predicted with any definitive certainty. Malware researchers also estimate that Backdoor.Ratenjay may be playing a part in the ongoing political conflicts in that region, such as the recent war in Libya – albeit on both sides, more likely than not.

Backdoor.Ratenjay is implemented in such a way as to avoid being detected or removed whenever possible, and may exhibit slight differences in behavior between variants. General anti-malware procedures are recommended for deleting Backdoor.Ratenjay, which allows third parties to access any compromised PCs with a high level of control.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

  • %SystemDrive%\! My Picutre.SCR (Mime Type: unknown/SCR)
  • %DriveLetter%\! My Picutre.SCR (Mime Type: unknown/SCR)
  • %Temp%\[THREAT FILE NAME].exe (File type: Executable File; Mime Type: unknown/exe)
  • %ProgramFiles%\Startup\[RANDOM NAME].exe (File type: Executable File; Mime Type: unknown/exe)

Registry Modifications

The following Registry values are newly created:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\"CleanShutdown" = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"%Temp%\[THREAT FILE NAME]" = "%Temp%\[THREAT FILE NAME]:*:Enabled:[THREAT FILE NAME]"

Run keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[DIGITS AND NUMBERS]" = "\%Temp%\[THREAT FILE NAME]\"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[DIGITS AND NUMBERS]" = "%Temp%\[THREAT FILE NAME]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[DIGITS AND NUMBERS]" = "\%Temp%\[THREAT FILE NAME]\"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[DIGITS AND NUMBERS]" = "%Temp%\[THREAT FILE NAME]"
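The file and Registry artifacts listed above can be audited with a short script. The following PowerShell is an added example, not part of the original write-up: it reports Run-key entries and firewall AuthorizedApplications entries whose path points into a Temp folder, plus .scr files at drive roots and .exe files in the Startup folder. It assumes an elevated PowerShell 5.1+ session, the "\Temp\" match is a constructed heuristic, and nothing is deleted.

```powershell
# Added example (not from the original page). Report-only audit of the
# persistence locations named in the write-up. Assumes an elevated session.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$findings = @()

# 1. Run keys: the value name is random, the data is a path under %Temp%.
#    '\\Temp\\' is a constructed heuristic for a path component named Temp.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip provider metadata
        $data = [string]$p.Value
        if ($data -match '\\Temp\\') {
            $findings += [pscustomobject]@{ Location = $key; Name = $p.Name; Data = $data }
        }
    }
}

# 2. Firewall list: the value NAME is the executable path; the data ends
#    with ":*:Enabled:<name>", which whitelists the binary for all scopes.
if (Test-Path $fwList) {
    foreach ($p in (Get-ItemProperty -Path $fwList).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }
        if ($p.Name -match '\\Temp\\' -and ([string]$p.Value) -match ':\*:Enabled:') {
            $findings += [pscustomobject]@{ Location = $fwList; Name = $p.Name; Data = $p.Value }
        }
    }
}

# 3. Files: a .scr dropped at the root of each drive (worm copy) and any
#    .exe under %ProgramFiles%\Startup.
$roots = (Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root }).Root
foreach ($r in $roots) {
    Get-ChildItem -Path $r -Filter '*.scr' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [pscustomobject]@{ Location = 'DriveRoot'; Name = $_.Name; Data = $_.FullName }
    }
}
$startup = Join-Path $env:ProgramFiles 'Startup'
if (Test-Path $startup) {
    Get-ChildItem -Path $startup -Filter '*.exe' -File | ForEach-Object {
        $findings += [pscustomobject]@{ Location = 'StartupFolder'; Name = $_.Name; Data = $_.FullName }
    }
}

$findings | Format-Table -AutoSize
```

Treat each row as a lead to verify, not a confirmed infection: legitimate installers occasionally leave Temp-path Run entries behind, so compare the referenced file's hash and signer before acting.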
