The Trojan comes with keylogging and DDoS capabilities

Nov 27, 2018 20:53 GMT  ·  By

A Windows worm that propagates through removable drives has been observed by Trend Micro spreading the BLADABINDI Trojan, which has backdoor, DDoS and remote-access (RAT) capabilities.

The BLADABINDI Trojan has been used in multiple cyberespionage campaigns because it is highly adaptable: attackers can tailor it to specific targets, using it as a backdoor, enlisting infected machines in a botnet to perform DDoS attacks, or exfiltrating user information with its keylogger module.

Trend Micro spotted a new malware campaign in which a Windows worm, detected by the company as Worm.Win32.BLADABINDI.AA, installs a fileless version of the BLADABINDI backdoor.

BLADABINDI uses the AutoIt scripting language to compile both its dropper script and the payload it drops on compromised machines, and packs the result with UPX to obfuscate it and make detection harder. UPX is a well-known packer that is trivially unpacked, so this mostly hinders signature matching rather than manual analysis.

Once the worm reaches a new system, it looks for an existing Tr.exe in the temp folder, deletes it, and installs its own copy. It then establishes persistence by copying itself into the Windows Startup folder and creating an autostart registry entry named AdobeMX, which launches PowerShell to reflectively load the backdoor from the registry into memory.

This BLADABINDI variant uses multiple techniques to achieve persistence

Because the backdoor executable is loaded straight from the registry into memory and never written to disk as a file, this variant is fileless, which lets it evade anti-malware products that only scan files on the system drives. Memory scanning, PowerShell logging and monitoring of autostart registry entries are the controls that still see it.

"Since the executable is loaded directly from the registry to the memory of PowerShell, we were able to dump the specific address where the malicious executable is located," said Trend Micro in its analysis. "And we found out that it is .NET-compiled, which uses a commercial code protector software for obfuscation."
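The persistence chain described above (a Startup-folder copy, an autostart registry value that hands off to PowerShell, and a backdoor executable stored in the registry rather than on disk) is straightforward to hunt for. The script below is an added example written for this page; it is not Trend Micro's code and not part of the malware analysis. The names Tr.exe and AdobeMX come from the article; everything else is an assumption made for illustration: the loader-command regex, the guess that the registry-hosted executable is stored as base64 text (the article only says it is loaded from the registry), and the 4 KB size threshold. It is read-only and should be run from an elevated PowerShell prompt on the host being checked.

```powershell
# Added example (not from Trend Micro's analysis): hunt for the persistence
# pattern described above on a live Windows host. Read-only.

# Per-user and machine-wide autostart keys to inspect.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed indicators (ours, not from the article) of a Run value that starts
# PowerShell and loads code from memory or the registry instead of a file:
# encoded commands, reflective assembly loading, base64 decoding, or reading
# a registry value as input.
$loaderRegex = '(?i)(powershell|pwsh).*?(-e(nc(odedcommand)?)?\b|Reflection\.Assembly|FromBase64String|Get-ItemProperty|\bIEX\b|Invoke-Expression)'

# Properties Get-ItemProperty adds that are not real registry values.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Find-SuspiciousRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $providerProps) { continue }
            $cmd = [string]$p.Value
            # Flag the value name from the article as well as the generic pattern.
            if ($p.Name -eq 'AdobeMX' -or $cmd -match $loaderRegex) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd }
            }
        }
    }
}

function Get-StartupFolderItems {
    # Both the per-user and the all-users Startup folders.
    $folders = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
    foreach ($f in $folders) {
        if (Test-Path $f) {
            Get-ChildItem -Path $f -File | Select-Object FullName, Length, LastWriteTime
        }
    }
}

function Find-RegistryHostedPE {
    # Heuristic: walk the user's Software hive looking for values that hold a
    # PE image, either raw REG_BINARY or (assumed) base64 text. A PE starts
    # with the bytes 'MZ' (0x4D 0x5A); anything under $MinLength is skipped
    # because a real executable cannot be that small.
    param([string]$Root = 'HKCU:\Software', [int]$MinLength = 4096)
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            $val = $key.GetValue($name)
            $bytes = $null
            if ($val -is [byte[]] -and $val.Length -ge $MinLength) {
                $bytes = $val
            } elseif ($val -is [string] -and $val.Length -ge $MinLength) {
                try { $bytes = [Convert]::FromBase64String($val) } catch { $bytes = $null }
            }
            if ($bytes -and $bytes.Length -gt 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A) {
                [pscustomobject]@{ Key = $key.Name; Value = $name; Bytes = $bytes.Length }
            }
        }
    }
}

# Run all checks and report.
Find-SuspiciousRunEntries | Format-Table -AutoSize
Get-StartupFolderItems    | Format-Table -AutoSize
Find-RegistryHostedPE     | Format-Table -AutoSize
$trExe = Join-Path $env:TEMP 'Tr.exe'
if (Test-Path $trExe) { Write-Warning "Dropper artifact present: $trExe" }
```

The registry walk is the slow part and can take a minute on a busy profile; restrict `-Root` to a narrower key once you know where a given sample stores its payload. A hit from `Find-RegistryHostedPE` is worth dumping with `[IO.File]::WriteAllBytes` for offline analysis, since, as the quote above notes, the in-memory .NET image is the part the disk scanner never sees.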

This BLADABINDI strain ships with several backdoor functions, from keylogging and stealing credentials from web browsers to retrieving and executing files.

Because this variant spreads through removable drives, it is especially dangerous for enterprises and users who rely on such devices to share documents.

"Restrict and secure the use of removable media or USB functionality, or tools like PowerShell (particularly on systems with sensitive data), and proactively monitor the gateway, endpoints, networks, and servers for anomalous behaviors and indicators such as C&C communication and information theft," advises Trend Micro.
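The advice above maps to a handful of Windows policy settings that can be audited directly. The script below is an added example for this page, not Trend Micro's code: it reports whether removable storage is denied, whether AutoRun is disabled for all drive types, whether PowerShell script block and module logging are on, and whether the current session runs in Constrained Language Mode. The registry paths are the documented Group Policy backing values; the pass/fail thresholds and the function names are assumptions of this example. It is read-only and should be run elevated so the HKLM policy keys are readable.

```powershell
# Added example (not from Trend Micro's advisory): audit the controls the
# advice above calls for. Read-only; run elevated.

function Get-PolicyDword {
    # Returns the DWORD at $Path\$Name, or $null if the key or value is absent
    # (absent means the policy is not configured, i.e. the default applies).
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-MitigationStatus {
    $checks = @()

    # 1. "All Removable Storage classes: Deny all access" (Computer Configuration
    #    > Administrative Templates > System > Removable Storage Access).
    $denyAll = Get-PolicyDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' 'Deny_All'
    $checks += [pscustomobject]@{ Control = 'Removable storage denied';          Pass = ($denyAll -eq 1);   Value = $denyAll }

    # 2. AutoRun disabled for every drive type (0xFF) so an inserted drive
    #    never launches anything on its own.
    $noAutorun = Get-PolicyDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
    $checks += [pscustomobject]@{ Control = 'AutoRun disabled for all drives';   Pass = ($noAutorun -eq 255); Value = $noAutorun }

    # 3. Script block logging (event ID 4104) records the decoded content of
    #    commands such as a reflective loader, even when passed as -EncodedCommand.
    $sbl = Get-PolicyDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging'
    $checks += [pscustomobject]@{ Control = 'PowerShell script block logging';   Pass = ($sbl -eq 1);       Value = $sbl }

    # 4. Module logging (event ID 4103) captures pipeline activity of the
    #    configured modules.
    $ml = Get-PolicyDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging' 'EnableModuleLogging'
    $checks += [pscustomobject]@{ Control = 'PowerShell module logging';         Pass = ($ml -eq 1);        Value = $ml }

    # 5. Constrained Language Mode blocks [Reflection.Assembly]::Load()-style
    #    .NET calls from unsigned scripts. This reports the current session only;
    #    enforcing it fleet-wide is done through WDAC/AppLocker policy.
    $mode = [string]$ExecutionContext.SessionState.LanguageMode
    $checks += [pscustomobject]@{ Control = 'Constrained Language Mode';         Pass = ($mode -eq 'ConstrainedLanguage'); Value = $mode }

    return $checks
}

Get-MitigationStatus | Format-Table -AutoSize
```

A `Value` of blank with `Pass` false means the policy is simply not configured, which for these settings is the weak default: removable storage allowed, AutoRun enabled for removable drives, no PowerShell logging, and FullLanguage mode. The fix for each is the corresponding Group Policy setting rather than hand-editing the registry, so the values survive policy refresh.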