Threat Watch

New Worm Spreading Variant of Bladabindi

Researchers have seen a new worm in the wild spreading a modern variant of the Bladabindi RAT (remote access tool). The worm, Worm.Win32.BLADABINDI.AA, spreads Bladabindi in a fileless form by propagating through removable drives and storage. Once a system is infected, the RAT places a copy of itself on that system's removable drives. A registry entry, called AdobeMX, is also created to maintain persistence. AdobeMX can also load a PowerShell script, which, in turn, can load the malware through reflective loading. According to researchers, “This loading technique is what makes the malware fileless. By loading from an executable hidden in memory rather than a system disk, this can make detection by traditional antivirus software more difficult to achieve.”

Bladabindi uses code protection software to protect its files, which are written in .NET, making the malware harder to understand. The RAT uses AutoIt, a free scripting language originally intended for “PC roll-out”, that is, configuring every PC in a company in one go. In this case, Bladabindi uses AutoIt to compile the malware: the main script is loaded into a single executable. Researchers stated that this “can make the payload — the backdoor — difficult to detect.”

The variant acts as an information stealer and backdoor, with capabilities that include capturing webcam footage, hijacking credentials during browser sessions, downloading and executing files, and keylogging. Once the backdoor is executed, a firewall rule is created that adds PowerShell to the list of allowed programs on the infected device. The stolen information is sent to the attacker’s C&C server, where the attackers can view it and do what they want with it.


To prevent an attack like this, users who still rely on removable media can restrict and secure USB functionality. Users can also monitor endpoints, gateways, networks, and servers for abnormal behavior. Users who find that they have been affected should change their passwords and monitor for any personal information that the attackers could have gained access to.
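
A read-only endpoint check for the two host artifacts described above, the AdobeMX registry entry and the firewall rule that allows PowerShell, written as an added example and not code from the researchers' report. It assumes the entry lives in a standard Run key (the article gives only its name) and that the NetSecurity cmdlets (Windows 8 / Server 2012 or later) are available; the function names are hypothetical.

```powershell
# Added triage example, not from the original report. Read-only: it changes nothing.
# Assumption: the AdobeMX entry is an autorun (Run key) value; the report gives only its name.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Test-AutorunValue {
    # Return the reasons (if any) one autorun value deserves review.
    param([string]$Name, [string]$Data)
    $reasons = @()
    if ($Name -eq 'AdobeMX') { $reasons += 'value name reported for this worm' }
    if ($Data -match '\b(powershell|pwsh)(\.exe)?\b') { $reasons += 'autorun starts PowerShell' }
    $reasons
}

function Get-SuspiciousAutorun {
    foreach ($key in $RunKeys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            $reasons = Test-AutorunValue -Name $name -Data $data
            if ($reasons) {
                [pscustomobject]@{ Key = $key; Name = $name; Data = $data; Reason = $reasons -join '; ' }
            }
        }
    }
}

function Get-PowerShellFirewallAllow {
    # Enabled allow rules whose program filter points at a PowerShell binary.
    Get-NetFirewallRule -Enabled True -Action Allow | ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        if ($app.Program -match '(powershell(_ise)?|pwsh)\.exe$') {
            [pscustomobject]@{ Rule = $_.DisplayName; Direction = $_.Direction; Program = $app.Program }
        }
    }
}

# Constructed sample value (not taken from a real infection) to show the classifier's output.
Test-AutorunValue -Name 'AdobeMX' -Data 'powershell.exe -File C:\placeholder\example.ps1'

Get-SuspiciousAutorun | Format-List
Get-PowerShellFirewallAllow | Format-Table -AutoSize
```

Legitimate software also registers PowerShell autoruns and firewall rules, so treat each hit as something to review rather than a verdict. The HKCU key covers only the account running the script, so run it per user or load other users' hives when sweeping a shared machine.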