In the ever-evolving landscape of cyber threats, a new and sophisticated strain of malware has emerged, leveraging Microsoft’s dev tunnels service to connect to its command-and-control (C2) servers. This campaign, detailed in a recent threat report by Xavier Mertens, a senior ISC cyber security consultant, highlights the innovative tactics used by malicious actors to spread malware through USB devices.
The report, published on February 27, 2025, provides an in-depth analysis of this new strain of malware, which has been dubbed Njrat. This malware is particularly concerning because it exploits legitimate services like Microsoft’s dev tunnels, making it harder for traditional security measures to detect and mitigate the threat.
Microsoft’s dev tunnels service is designed to facilitate secure communication between development environments and remote servers. However, malicious actors have found a way to exploit this service to establish covert communication channels with their C2 servers. This allows them to control infected systems remotely and execute various malicious activities, including data exfiltration and further propagation of the malware.
One of the most alarming aspects of this campaign is its use of USB devices as a vector for spreading the malware. By infecting USB drives, attackers can easily transfer the malware to other systems without requiring direct network access. This method is particularly effective in environments where physical security measures are lax or non-existent.
The report by Xavier Mertens outlines several key tactics, techniques, and procedures (TTPs) employed by this new strain of Njrat malware. These include:
- Initial Infection: The malware gains initial access to a system through infected USB devices. Once inserted into a computer, the malware automatically executes and establishes a connection to the C2 server via Microsoft’s dev tunnels service.
- Command-and-Control Communication: After establishing an initial foothold, the malware communicates with its C2 servers using encrypted channels. This makes it difficult for security tools to detect and block the communication.
- Data Exfiltration: The malware is capable of exfiltrating sensitive data from infected systems. This includes personal information, intellectual property, and other valuable assets.
- Lateral Movement: Once inside a network, the malware can spread laterally to other connected devices. This is achieved through various methods, including exploiting vulnerabilities in software and using legitimate administrative tools.
- Persistence Mechanisms: To ensure its continued presence on infected systems, the malware employs several persistence mechanisms. These include modifying system configurations, creating scheduled tasks, and injecting malicious code into legitimate processes.
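Because the C2 channel rides on a legitimate Microsoft service over TLS, the practical detection point is not payload inspection but the destination itself: which hosts on the network are talking to dev tunnels endpoints, and from which processes. The script below is an added example written for this summary, not code from the ISC report or from Microsoft. It assumes dev tunnels hostnames end in the `devtunnels.ms` domain (taken from Microsoft's public documentation, not from the page) and uses a constructed, simplified proxy log format with a per-process field, plus an assumed allowlist of developer tooling (`code.exe`, `devtunnel.exe`, `devenv.exe`) that is expected to use the service legitimately.

```python
import re
from dataclasses import dataclass

# Assumption (Microsoft docs, not the page): tunnel hostnames live under this domain.
DEVTUNNEL_DOMAIN = "devtunnels.ms"

# Assumption: processes that legitimately use dev tunnels in this (hypothetical) environment.
KNOWN_DEV_TOOLS = {"code.exe", "devtunnel.exe", "devenv.exe"}

# Constructed log format: timestamp, source host, process name, destination host:port.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+proc=(?P<proc>\S+)\s+dst=(?P<dst>[^:\s]+):(?P<port>\d+)$"
)

# Constructed sample lines (not real telemetry).
SAMPLE_LOG = """
2025-02-27T10:01:02Z host=WS-01 proc=code.exe dst=abc123-3000.euw.devtunnels.ms:443
2025-02-27T10:05:44Z host=WS-07 proc=client.exe dst=xyz789-8080.usw2.devtunnels.ms:443
2025-02-27T10:06:10Z host=WS-07 proc=client.exe dst=www.example.com:443
2025-02-27T10:07:00Z host=WS-03 proc=svchost.exe dst=devtunnels.ms.example.test:443
"""


@dataclass
class Finding:
    ts: str
    host: str
    proc: str
    dst: str
    severity: str  # "review" for known dev tooling, "high" for anything else


def parse_line(line: str):
    """Return the named fields of one log line, or None if it does not match the format."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def is_devtunnel_host(hostname: str) -> bool:
    """True only for the apex or a real subdomain of devtunnels.ms.

    Suffix matching on a label boundary avoids substring false positives such as
    'devtunnels.ms.example.test', which contains the string but is a different domain.
    """
    h = hostname.lower().rstrip(".")
    return h == DEVTUNNEL_DOMAIN or h.endswith("." + DEVTUNNEL_DOMAIN)


def triage(lines) -> list[Finding]:
    """Flag every connection to a dev tunnels endpoint; raise severity for unexpected processes."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_devtunnel_host(rec["dst"]):
            continue
        severity = "review" if rec["proc"].lower() in KNOWN_DEV_TOOLS else "high"
        findings.append(Finding(rec["ts"], rec["host"], rec["proc"], rec["dst"], severity))
    return findings


def hosts_by_severity(findings) -> dict[str, set[str]]:
    """Group affected source hosts by severity so responders can prioritise isolation."""
    out: dict[str, set[str]] = {}
    for f in findings:
        out.setdefault(f.severity, set()).add(f.host)
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity}] {f.ts} {f.host} {f.proc} -> {f.dst}")
    print(hosts_by_severity(triage(SAMPLE_LOG.splitlines())))
```

Running it on the constructed sample flags the `code.exe` connection for review and the `client.exe` connection as high severity, while the `example.com` and look-alike `devtunnels.ms.example.test` destinations are left alone. In a real deployment the same logic would run over proxy or DNS telemetry, and the "review" tier is where an organisation decides whether dev tunnels is sanctioned at all; if it is not, every hit is a candidate for egress blocking.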
The report also provides recommendations for mitigating the risks associated with this new strain of Njrat malware. Some of these recommendations include:
- Enhanced Physical Security: Implement strict physical security measures to prevent unauthorized access to USB ports and other peripheral devices. This includes using hardware locks, biometric scanners, and other advanced security solutions.
- Regular Software Updates: Ensure that all systems are regularly updated with the latest security patches. This helps to mitigate vulnerabilities that could be exploited by malware.
- Network Segmentation: Implement network segmentation to limit the lateral movement of malware within a network. By isolating critical systems from less secure areas, organizations can reduce the risk of widespread infections.
- Advanced Threat Detection: Deploy advanced threat detection tools that can identify and block malicious activities in real time. This includes using machine learning algorithms and behavioral analysis to detect anomalies indicative of malware infection.
- User Education: Conduct regular training sessions for employees on cybersecurity best practices. This includes educating them about the risks associated with USB devices and other potential vectors for malware infection.
- Incident Response Planning: Develop a comprehensive incident response plan that outlines the steps to be taken in the event of a malware infection. This should include procedures for containment, eradication, and recovery.
The report by Xavier Mertens serves as a timely reminder of the ever-present threat posed by cybercriminals. By staying informed about the latest TTPs and implementing robust security measures, organizations can better protect themselves against emerging threats like Njrat.
For additional information on this campaign, please refer to the external references provided in the report:
- https://isc.sans.edu/diary/rss/31724
- https://otx.alienvault.com/pulse/67c0541252daec01ad0617e8