A remote access Trojan variant called "njRAT" has re-emerged, and it's written in .NET 4.0 rather than C/C++. How...
does this help malware evade detection? Are there any controls that should be implemented to detect malware written in different code like .NET?
Most malware is developed in such a way that it requires a minimal set of dependencies to execute in order to have the highest probability of success. This is because the malware author doesn't know if the external dependency is present on the target system or not. The external dependency could, for example, just be a software library or even the Java JRE. Malware authors haven't wanted to include external dependencies in their malware in order to reduce the size of the malware and avoid making changes that might increase its chances of being detected on the target system.
For this reason, malware authors are starting to adopt different external dependencies. Macro-viruses are one type of malware that won't operate without the macro-environment installed. This brings us to njRAT. Malware written using .NET has some similarities with macro-viruses in that the .NET malware won't run without the .NET environment installed on the endpoint. Fortunately for malware authors -- and unfortunately for enterprises -- .NET has many software development benefits, so it has been widely installed in enterprise networks.
Tools like Detekt can be used to identify the njRAT malware, along with other standard antimalware tools, with the one caveat around state-sponsored attackers not necessarily showing up in standard antimalware tool definitions. However, many antimalware providers have stated they do not ignore certain malware at the request of state-sponsored attackers.
Analysis of network connections for anomalous connections could also identify potentially compromised endpoints that require further investigation.
The standard steps to secure an endpoint -- such as patch management, configuration management and least privilege -- are necessary to preventing malware infections. And while not installing the .NET runtime would make it more difficult for the njRAT malware to attack a system, it is probably not feasible in many enterprise scenarios.
Ask the Expert:
Want to ask Nick Lewis a question about enterprise threats? Submit your question now via email. (All questions are anonymous.)
View the tools that can help enterprises detect remote access Trojans
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
Cyberattacks often begin with a port scan attack, which attackers use to find exploitable vulnerabilities on targeted systems. Learn how they work ... Continue Reading
Monitoring process memory is one way to combat fileless malware attacks. Here's what you can do to protect your network against these campaigns. Continue Reading
A screaming channel attack is a new wireless threat making networks -- particularly those with IoT components -- vulnerable. Are there any safeguards... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.