Quantcast
Channel: CodeSection,代码区,网络安全 - CodeSec
Viewing all articles
Browse latest Browse all 12749

Worm Using Removable Drives to Distribute BLADABINDI Backdoor

0
0

A newly detected worm is propagating through removable drives to distribute a fileless variant of the BLADABINDI backdoor.

In mid-November, researchers at Trend Micro first observed the worm, which the security firm detects as “Worm.Win32.BLADABINDI.AA.” They’re still investigating the threat’s exact method for infecting a system. But after analyzing its propagation routine, the researchers determined that the worm likely propagates and enters a system through removable drives. Specifically, they spotted the worm installing a hidden copy of itself on any removable drive connected to the infected system.

Trend Micro found that the worm was using AutoIt to compile the payload and main script into a single executable, thereby complicating detection. With the help of an AutoIt script decompiler, the researchers identified the worm’s use of an auto-run registry that employs PowerShell to load the encoded executable as a fileless threat from memory and not from the system’s disks.


Worm Using Removable Drives to Distribute BLADABINDI Backdoor
Screenshots showing PowerShell loading the encoded executable. (Source: Trend Micro) The loaded executable, a variant of the BLADABINDI backdoor, uses port 1177 to connect to its command-and-control (C&C) server at water-boom[.]duckdns[.]org. This URL uses dynamic domain name system (DNS), which allows attackers to change or update the server’s IP address.

After creating a firewall policy allowing PowerShell, BLADABINDI then enables attackers to activate a keylogger, execute files and steal credentials from web browsers.

Trend Micro doesn’t downplay the threat posed by BLADABINDI, malware which previously preyed on wannabe attackers’ interest in cracking a target’s Facebook account. As the security firm’s researchers explained in a blog post :

The worm’s payload, propagation, and technique of filelessly delivering the backdoor in the affected system make it a significant threat. Users and especially businesses that still use removable media in the workplace should practice security hygiene.

Organizations can ensure (Read more...)


Viewing all articles
Browse latest Browse all 12749