Njrat Campaign Using Microsoft Dev Tunnels


I spotted new Njrat[1] samples that (ab)use the Microsoft dev tunnels[2] service to connect to their C2 servers. This is a service that allows developers to expose local services to the Internet securely for testing, debugging, and collaboration. It provides temporary, public, or private URLs that enable remote access to a development environment without deploying code to production. Dev tunnels create a secure, temporary URL that maps to a local service running on your machine; they work across firewalls and NAT, and their access can be restricted. This is a service similar to the good old ngrok[3].

Here are two samples: 

  • dsadasfjamsdf.exe (SHA256: 0b0c8fb59db1c32ed9d435abb0f7e2e8c3365325d59b1f3feeba62b7dc0143ee[4])
  • c3df7e844033ec8845b244241c198fcc.exe (SHA256: 9ea760274186449a60f2b663f535c4fbbefa74bc050df07614150e8321eccdb7[5])

They use different dev tunnel URLs but their ImpHash (Import Hash) is the same (f34d5f2d4577ed6d9ceec516c1f5a744):

  • hxxps://nbw49tk2-25505[.]euw[.]devtunnels[.]ms/
  • hxxps://nbw49tk2-27602[.]euw[.]devtunnels[.]ms/

This is the code where the malware will send its status to the C2 server:

The variable “OK.HH” contains the dev tunnel URL. At the end, a “text” variable is created to contain the status of the malware capabilities (True or False). Note the “OK.usb” variable: if set to True, the malware will try to propagate through USB devices:

Here is the extracted config of one of them:

{
  "C2": "hxxps://nbw49tk2-25505[.]euw[.]devtunnels[.]ms/",
  "Ports": "25505",
  "Botnet": "HacKed",

Conclusion: If you don’t use the Microsoft service, hunting for devtunnels[.]ms in your DNS logs is a good idea!
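The hunting idea from the conclusion, as an added example that is not part of the diary: a small Python script that walks DNS query logs, keeps only names under devtunnels.ms (matching on the label boundary, so a look-alike such as notdevtunnels.ms is not flagged), and splits each tunnel hostname into its tunnel id, port and region using the shape of the two URLs above (tunnelid-port.region.devtunnels.ms). The log lines and their format are constructed for the example; the hostnames are the real (un-defanged) forms of the two C2 URLs listed in the diary.

```python
import re
from collections import Counter

# Constructed sample DNS query log lines (not from the diary). Two clients
# resolve the two tunnel hostnames from the diary; the rest is benign noise,
# including a look-alike domain that must NOT be flagged.
SAMPLE_DNS_LOG = """\
2025-02-28T09:12:01Z 10.1.4.23 query A nbw49tk2-25505.euw.devtunnels.ms
2025-02-28T09:12:02Z 10.1.4.23 query A www.microsoft.com
2025-02-28T09:12:05Z 10.1.7.90 query A nbw49tk2-27602.euw.devtunnels.ms
2025-02-28T09:12:09Z 10.1.4.23 query A login.microsoftonline.com
2025-02-28T09:13:44Z 10.1.4.23 query A nbw49tk2-25505.euw.devtunnels.ms
2025-02-28T09:14:00Z 10.1.9.12 query A notdevtunnels.ms
"""

# Hostname shape seen in the diary's URLs: <tunnelid>-<port>.<region>.devtunnels.ms
TUNNEL_HOST_RE = re.compile(
    r"^(?P<tunnel>[a-z0-9]+)-(?P<port>\d+)\.(?P<region>[a-z0-9]+)\.devtunnels\.ms$",
    re.IGNORECASE,
)


def is_devtunnels_host(hostname):
    """True if hostname is devtunnels.ms or a subdomain of it (label match, not substring)."""
    h = hostname.lower().rstrip(".")
    return h == "devtunnels.ms" or h.endswith(".devtunnels.ms")


def parse_tunnel_host(hostname):
    """Split a tunnel hostname into tunnel id, port and region; None if it does not match."""
    m = TUNNEL_HOST_RE.match(hostname.lower().rstrip("."))
    if not m:
        return None
    return {"tunnel": m.group("tunnel"), "port": int(m.group("port")), "region": m.group("region")}


def hunt_dns_log(log_text):
    """Return one finding per log line that queries a devtunnels.ms name.

    Assumed (constructed) log format: '<timestamp> <client ip> query <type> <hostname>'.
    Adapt the split for your resolver's format; the matching logic stays the same.
    """
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "query":
            continue
        ts, client, _, qtype, qname = parts[:5]
        if not is_devtunnels_host(qname):
            continue
        finding = {"time": ts, "client": client, "qtype": qtype, "qname": qname.lower().rstrip(".")}
        finding.update(parse_tunnel_host(qname) or {})
        findings.append(finding)
    return findings


def summarize(findings):
    """Count devtunnels.ms queries per client host, the pivot for triage."""
    return Counter(f["client"] for f in findings)


if __name__ == "__main__":
    hits = hunt_dns_log(SAMPLE_DNS_LOG)
    for f in hits:
        print(f)
    print(summarize(hits))
```

In an environment where nobody legitimately uses dev tunnels, every hit is worth a look; where developers do use the service, the per-client count and the tunnel id let you separate a known developer workstation from a host that suddenly starts resolving a tunnel it never touched before.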

[1] https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

[2] https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview

[3] https://ngrok.com

[4] https://www.virustotal.com/gui/file/0b0c8fb59db1c32ed9d435abb0f7e2e8c3365325d59b1f3feeba62b7dc0143ee/detection

[5] https://www.virustotal.com/gui/file/9ea760274186449a60f2b663f535c4fbbefa74bc050df07614150e8321eccdb7/detection

Xavier Mertens (@xme)

Xameco

Senior ISC Handler – Freelance Cyber Security Consultant
