Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Njw0rm Source Code Used to Create New RATs

Malware developers have used the source code of the remote access tool (RAT) Njw0rm to create two new RATs, researchers at Trend Micro reported on Thursday.

Malware developers have used the source code of the remote access tool (RAT) Njw0rm to create two new RATs, researchers at Trend Micro reported on Thursday.

Njw0rm is a variant of njRAT, a tool believed to be developed by a Kuwait-based individual. In June 2014, Microsoft announced the results of an operation targeting njRAT (Bladabindi) and Njw0rm (Jenxcus). At the time, the company noted that cybercriminals could create their own versions of the malware because the necessary information and packages were available on public forums.

Trend Micro says the source code of Njw0rm was published on hacker forums in May 2013, after which cybercriminals started creating new pieces of malware based on the threat.

One of the new RATs is Kjw0rm. Version 2.0 of the malware was first spotted by the security firm in January 2014. Kjw0rm 0.5X and a new worm dubbed Sir DoOom emerged in December 2014.

njRAT evolution

The new pieces of malware come with an enhanced control panel and they include several new features not seen in Njw0rm. In addition to information on the victim’s IP address, location, operating system, and USB devices, Kjw0rm’s control panel includes data on installed antiviruses (v2.0) and the presence of the .NET framework (v0.5x). Sir Do0om, on the other hand, also provides the botmaster with information on RAM, firewalls, antiviruses, CPU/GPU, and product details (name, ID, key).

As far as functions are concerned, Njw0rm can execute commands and files, steal credentials, and receive updates from the attacker. The Kjw0rm RATs allow their master to shut down or restart the computer, open Web pages, and download and execute files and code.

Sir Do0om is even more interesting since it can be used to mine Bitcoin, launch DDoS attacks, control computers based on a timer, display messages, terminate antivirus processes, and open a website related to Quran, the central religious text of Islam. This RAT is also designed to terminate itself if the presence of a virtual machine is detected.

Just like Njw0rm, the new threats are designed to propagate via removable devices. They hide some or all the folders found on the infected device and create shortcut links pointing to the malware with the names of the hidden folders.

“This evolution shows that the malware authors are becoming more active in developing new malware and using njw0rm as a template. Because of this pattern, we can expect to see more variants of this malware in the future,” Trend Micro threat response engineer Michael Marcos said in a blog post.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.