Kjw0rm and Sir DoOom are Njw0rm's evolutionary step

Jan 23, 2015 12:12 GMT

The source code of the Njw0rm RAT (remote access Trojan), which leaked in May 2013 on a website hosting malicious software, is believed to have served as the starting point for cybercriminals building new malware families.

Kjw0rm (v2.0 and v0.5x) and Sir DoOom share much of their functionality with Njw0rm, also referred to as njRAT, but the authors of the new threats added features of their own.

Threats rely on a similar infection method

Although the two new pieces are written in Visual Basic Script while the original was built with AutoIt, the similarities cannot be overlooked, starting with the propagation method.

Michael Marcos, threat response engineer at Trend Micro, says that all three threats spread via removable drives: they drop a copy of the malware on the drive and create shortcut files named after legitimate folders, so that a user who clicks what looks like a folder actually launches the malware.

The two newcomers differ in how they stage the bait. Sir DoOom creates its own set of folders (Videos, Pictures, Movies, Games, and DCIM) and plants shortcuts with matching names that lead to the malicious executable. Kjw0rm instead sets the hidden attribute on the folders already present in the root of the removable drive and creates shortcuts that impersonate them, so the drive appears unchanged to a user whose Explorer does not show hidden items.

The evolution is also visible in the control panel of the malware builder, which in both Kjw0rm variants and in Sir DoOom reports more about the infected host: whether security products (antivirus, firewall) are installed, which .NET versions are present, and system details such as CPU, GPU, product ID and product key.

Authors increase functionality

The command set has also grown. Operators can manage the implant itself (close, uninstall, restart), open a remote shell, and download and execute files. In the case of Sir DoOom the authors additionally integrated a bitcoin mining function.

Both Kjw0rm and Sir DoOom integrate anti-analysis mechanisms, including virtual machine detection. If the malware decides it is running in such an isolated environment, it simply uninstalls itself and terminates, which makes dynamic analysis in a sandbox harder for security researchers.

Marcos recommends that users keep a vigilant eye on the contents of removable drives that come from suspicious or untrusted sources and look for shortcut files named after legitimate folders; finding one alongside a folder of the same name is a strong indication that the drive has been infected and that opening the "folder" would execute the malware.
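The folder-shortcut trick described above, and the manual check Marcos suggests, can be automated. The following Python script is an added example written for this page; it is not code from the Trend Micro post, and it is not taken from either malware family. It scans the root of a drive given on the command line for `.lnk` files that carry a genuine Windows shell-link header and share their name with a sibling directory (the Kjw0rm and Sir DoOom pattern), reporting whether that directory has been hidden. The `build_demo_drive` fixture it falls back to when no path is given is a constructed mock of an infected drive root (empty shell-link headers and ordinary folders), not a real sample.

```python
import os
import sys
import tempfile

# Every Windows shell link (.lnk) starts with HeaderSize 0x0000004C followed by
# LinkCLSID 00021401-0000-0000-C000-000000000046, serialised little-endian.
LNK_HEADER = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")
FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows file attribute bit, as in stat.FILE_ATTRIBUTE_HIDDEN


def is_shell_link(path):
    """True if the file really is a shell link, not merely something named *.lnk."""
    try:
        with open(path, "rb") as f:
            return f.read(len(LNK_HEADER)) == LNK_HEADER
    except OSError:
        return False


def is_hidden(entry):
    """Hidden attribute check. Only meaningful on Windows; elsewhere st_file_attributes
    does not exist and the folder is reported as not hidden."""
    attrs = getattr(entry.stat(follow_symlinks=False), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def find_folder_shortcuts(root):
    """Scan one directory (normally a removable drive root) and return a sorted list of
    (shortcut name, impersonated folder name, folder hidden?) for every real shell link
    whose name, minus .lnk, matches a sibling directory. Comparison is case-insensitive
    because Windows file names are."""
    dirs, links = {}, []
    with os.scandir(root) as it:
        for entry in it:
            if entry.is_dir(follow_symlinks=False):
                dirs[entry.name.lower()] = (entry.name, is_hidden(entry))
            elif entry.is_file(follow_symlinks=False) and entry.name.lower().endswith(".lnk"):
                links.append(entry)
    findings = []
    for entry in links:
        stem = entry.name[:-4].lower()
        if stem in dirs and is_shell_link(entry.path):
            folder, hidden = dirs[stem]
            findings.append((entry.name, folder, hidden))
    return sorted(findings)


def build_demo_drive(root=None):
    """Constructed fixture (assumption, not real malware): a drive root with three folders,
    two shortcuts impersonating folders, one benign shortcut and one junk file named .lnk."""
    root = root or tempfile.mkdtemp(prefix="demo_drive_")
    for name in ("Videos", "Pictures", "Work"):
        os.mkdir(os.path.join(root, name))
    for name in ("Videos.lnk", "Pictures.lnk", "Readme.lnk"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(LNK_HEADER + b"\0" * 56)  # 76-byte header only; link target omitted
    with open(os.path.join(root, "Work.lnk"), "wb") as f:
        f.write(b"not a shell link")  # named like a link but must not be reported
    return root


if __name__ == "__main__":
    drive_root = sys.argv[1] if len(sys.argv) > 1 else build_demo_drive()
    for lnk, folder, hidden in find_folder_shortcuts(drive_root):
        print(f"{lnk} impersonates folder '{folder}' (folder hidden: {hidden})")
```

Run it as `python check_drive.py E:\` on Windows to scan a mounted drive; with no argument it scans the constructed fixture and reports `Pictures.lnk` and `Videos.lnk`. Explorer never displays the `.lnk` extension, which is why these shortcuts pass for folders at a glance; the script compares file names directly, so it is not fooled. A match with the hidden flag set corresponds to the Kjw0rm behaviour, a match against a visible folder to the Sir DoOom behaviour, but either case means the shortcut should be inspected rather than opened.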

“To stay protected against these new threats, we advise users to refrain from plugging in removable drives that came from unknown computers or computers that aren’t protected by security solutions. Avoid opening and installing programs from unknown web sources,” he added in a blog post.