Njrat Campaign Using Microsoft Dev Tunnels
Author: AlienVault | Created: 2025-02-27 | Modified: 2025-02-27 | TLP: WHITE | 12 IOCs | Medium volume
A new njRAT malware campaign has been detected using Microsoft's dev tunnels service for command-and-control (C2) communication. The service is designed to let developers securely expose local services to the internet; here the malware abuses it to reach its C2 servers. Two samples were identified with different dev tunnel URLs but identical import hashes. The malware sends status updates to the C2 server and can potentially propagate through USB devices. A configuration file extracted from one sample reveals the C2 server, ports, and botnet name. The article suggests monitoring DNS logs for 'devtunnels.ms' as a defensive measure against this threat.
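The DNS-monitoring measure above, as an added example that is not part of this pulse or the cited article: it scans constructed DNS query log lines, matches devtunnels.ms only on a label boundary (so a look-alike such as devtunnels.ms.example.net is not flagged), splits the hostname into tunnel id, port and region, and suppresses alerts for tunnel ids a team has allowlisted as legitimate developer use. The log line format and the hostname layout `<tunnel-id>-<port>.<region>.devtunnels.ms` are assumptions made for this example.

```python
import re
from typing import Optional

# Hostname layout assumed for this example: <tunnel-id>-<port>.<region>.devtunnels.ms
# (inferred from the campaign's reported hostnames; treat it as a heuristic, not a spec).
DEVTUNNEL_HOST = re.compile(
    r"^(?P<tunnel>[a-z0-9]+)-(?P<port>\d{1,5})\.(?P<region>[a-z0-9]+)\.devtunnels\.ms$"
)

def is_devtunnels_host(host: str) -> bool:
    """Suffix match on a DNS label boundary: 'devtunnels.ms.example.net' must NOT match."""
    h = host.rstrip(".").lower()
    return h == "devtunnels.ms" or h.endswith(".devtunnels.ms")

def parse_devtunnel(host: str) -> Optional[dict]:
    """Split a dev tunnel hostname into tunnel id, port and region; None if it does not fit."""
    m = DEVTUNNEL_HOST.match(host.rstrip(".").lower())
    return m.groupdict() if m else None

def scan_dns_log(lines, allowed_tunnels=frozenset()) -> list:
    """Return one alert dict per devtunnels.ms query whose tunnel id is not allowlisted.

    Assumed line format (constructed for this example): <timestamp> <client-ip> <qtype> <qname>
    """
    alerts = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue                      # skip malformed lines instead of crashing the scan
        ts, client, qtype, qname = fields
        if not is_devtunnels_host(qname):
            continue
        info = parse_devtunnel(qname) or {}
        if info.get("tunnel") in allowed_tunnels:
            continue                      # tunnel id registered by a developer as legitimate
        alerts.append({"ts": ts, "client": client, "qname": qname.rstrip(".").lower(), **info})
    return alerts

# Constructed sample log: the hostnames are made-up examples, not this pulse's indicators.
SAMPLE_LOG = [
    "2025-02-27T09:00:01Z 10.0.0.5 A abc123xyz-25505.euw.devtunnels.ms",
    "2025-02-27T09:00:02Z 10.0.0.5 A abc123xyz-27602.euw.devtunnels.ms.",
    "2025-02-27T09:00:03Z 10.0.0.9 A devtunnels.ms.example.net",
    "2025-02-27T09:00:04Z 10.0.0.7 A devbox42-3000.use.devtunnels.ms",
    "2025-02-27T09:00:05Z 10.0.0.7 AAAA www.example.com",
    "2025-02-27T09:00:06Z malformed line",
]

if __name__ == "__main__":
    for a in scan_dns_log(SAMPLE_LOG, allowed_tunnels={"devbox42"}):
        print(f"{a['ts']} {a['client']} -> {a['qname']} tunnel={a.get('tunnel')} port={a.get('port')}")
```

Running it with `devbox42` allowlisted reports only the two queries from 10.0.0.5; without an allowlist every dev tunnel query is reported, which is the stricter posture for hosts that should never use the service.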
MITRE ATT&CK & Malware Families
ATT&CK techniques: (none listed)
Malware families: njRAT (S0385), also tracked as Njw0rm, LV and Bladabindi
Indicators of Compromise (12)