A Windows worm propagating through removable drives has been observed by Trend Micro spreading the BLADABINDI Trojan, which has backdoor, DDoS and RAT capabilities.
The BLADABINDI Trojan has been used in multiple cyberespionage campaigns because of its high adaptability, which allows bad actors to tailor it to specific targets: it can serve as a backdoor, perform DDoS attacks when operated as part of a botnet, and exfiltrate user information through its keylogger module.
Trend Micro spotted a new malware campaign which supposedly uses a Windows worm strain the security company dubbed Worm.Win32.BLADABINDI.AA to install a fileless version of the BLADABINDI backdoor.
BLADABINDI uses the AutoIt scripting language to compile both its dropper script and the payload it drops on compromised machines, and uses UPX packing to obfuscate itself, making detection considerably harder.
Once the Trojan reaches a new system, it looks for and deletes Tr.exe binaries in the temp folder and installs its own version in their place. It also establishes persistence by copying itself into the Windows Startup folder and creating an AdobeMX registry entry that uses reflective loading to load the malware from memory.

This BLADABINDI variant uses multiple techniques to achieve persistence
Loading the malware from system memory makes BLADABINDI a fileless malware, allowing it to evade anti-malware solutions that only scan the system drives.
"Since the executable is loaded directly from the registry to the memory of PowerShell, we were able to dump the specific address where the malicious executable is located," said Trend Micro in its analysis. "And we found out that it is .NET-compiled, which uses a commercial code protector software for obfuscation."
This BLADABINDI strain comes with multiple backdoor tools, from keylogging and stealing credentials from web browsers to retrieving and executing files.
The fact that this BLADABINDI variant uses removable drives to spread makes it especially dangerous for enterprises and users who rely on such devices to share documents.
"Restrict and secure the use of removable media or USB functionality, or tools like PowerShell (particularly on systems with sensitive data), and proactively monitor the gateway, endpoints, networks, and servers for anomalous behaviors and indicators such as C&C communication and information theft," advises Trend Micro.
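The persistence technique described above (an autorun registry value that has PowerShell pull the payload out of the registry and load it reflectively, plus a copy in the Startup folder) leaves artifacts a defender can enumerate on an endpoint. The following PowerShell script is an added example, not code from Trend Micro's analysis: it walks the common Run keys and both Startup folders and reports any entry that launches PowerShell with in-memory-loading or encoded-command indicators. The AdobeMX value name comes from the article; the list of Run keys and the indicator substrings are assumptions that should be tuned to your environment.

```powershell
# Added defensive example (not Trend Micro's code): report autorun entries that
# launch PowerShell with reflective-loading / encoded-command indicators, and
# list everything in the Startup folders for manual review.

# Autorun locations checked (assumption: the usual per-user and machine Run keys).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Substrings that show up when PowerShell loads a .NET assembly from memory,
# decodes a blob, or reads a payload back out of the registry (assumed indicators).
$indicators = @(
    'reflection.assembly',
    '::load(',
    '-encodedcommand',
    '-enc ',
    'frombase64string',
    'get-itemproperty',
    'hkcu:',
    'hklm:'
)

# Metadata properties Get-ItemProperty attaches to every key; not registry values.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Test-SuspiciousCommand {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    $lower = $Command.ToLower()
    # Only PowerShell launchers are of interest for this particular technique.
    if ($lower -notmatch 'powershell|pwsh') { return $false }
    foreach ($ind in $indicators) {
        if ($lower.Contains($ind)) { return $true }
    }
    return $false
}

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }
        $value = [string]$p.Value
        $reason = $null
        if ($p.Name -eq 'AdobeMX') {
            $reason = 'value name matches the reported BLADABINDI variant'
        } elseif (Test-SuspiciousCommand -Command $value) {
            $reason = 'PowerShell launcher with in-memory/encoded indicators'
        }
        if ($reason) {
            $findings += [pscustomobject]@{
                Location = $key
                Name     = $p.Name
                Value    = $value
                Reason   = $reason
            }
        }
    }
}

# Anything in a Startup folder runs at logon; list it so an analyst can review
# unexpected executables, scripts or shortcuts.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File | ForEach-Object {
        $findings += [pscustomobject]@{
            Location = $dir
            Name     = $_.Name
            Value    = $_.FullName
            Reason   = 'file present in Startup folder (review manually)'
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it in an elevated session so the HKLM keys are readable, and feed the output into whatever ticketing or EDR workflow you use; a hit on the registry indicators is worth pairing with the Trend Micro advice above on monitoring for C&C traffic from the same host, since the registry value alone only tells you that something is being loaded, not what it does.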