
AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor


  • 27 Nov 2018
5 min read
by Carl Maverick R. Pascual (Threats Analyst)

BLADABINDI, also known as njRAT/Njw0rm, is a remote access tool (RAT) with a myriad of backdoor capabilities, from keylogging to carrying out distributed denial of service (DDoS), and it has been rehashed and reused in various cyberespionage campaigns since it first emerged. Indeed, BLADABINDI's customizability and seeming availability in the underground make it a prevalent threat. Case in point: last week, we came across a worm (detected by Trend Micro as Worm.Win32.BLADABINDI.AA) that propagates through removable drives and installs a fileless version of the BLADABINDI backdoor. It is still unknown how the malicious file first arrives on an infected system, but its propagation routine suggests that it enters systems through removable drives.

The worm's use of AutoIt is also notable. Beyond being a flexible and easy-to-use scripting language, AutoIt's FileInstall command lets the author bundle the payload and the main script into a single compiled executable, which can make the payload (the backdoor) harder to detect.

Figure 1: Screenshot showing a common indicator of a compiled AutoIt script (highlighted)

Technical analysis

We used an AutoIt script decompiler to break down the executable's AutoIt script. The script's main function first deletes any file named Tr.exe from the system's %TEMP% directory so it can install its own version of Tr.exe there. After terminating any running process with the same name, it executes the dropped file. It also drops a copy of itself in the same directory. For persistence, it adds a shortcut to the file in the %STARTUP% directory. For propagation, it installs a hidden copy of itself on any removable drive found on the infected system, drops a shortcut file (.LNK) on the drive, and moves all of the drive's original files from its root into a newly created folder named sss.
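The removable-drive propagation routine above leaves a recognizable footprint on the drive: a shortcut at the root, the user's files relocated into a folder named sss, and a copy of the worm dropped alongside them. The following is an added example (not code from the original post or from Trend Micro) of a triage script that checks a drive root for that combination and lists the files to move back out of sss. The drive layout it builds in a temporary directory is constructed sample data, and the shortcut and executable names it uses there (sss.lnk, worm.exe) are placeholders, since the post does not give the real names. The hidden-attribute check only yields a result on Windows; on other platforms it reports nothing hidden.

```python
"""Triage a removable drive root for the BLADABINDI worm's propagation footprint.

Added example, not the original post's code. Indicators checked:
  * a shortcut (.LNK) at the drive root,
  * the user's original files moved into a root-level folder named sss,
  * an executable (hidden, on Windows) dropped at the root.
File names used in the sample tree (sss.lnk, worm.exe) are placeholders.
"""
import stat
import tempfile
from pathlib import Path

DECOY_FOLDER = "sss"  # folder the worm moves the user's files into


def is_hidden(path: Path) -> bool:
    """True if the Windows hidden attribute is set; always False on other platforms."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def triage_removable_root(root) -> dict:
    """Return the indicators found at the drive root and an overall verdict."""
    root = Path(root)
    root_files = [p for p in root.iterdir() if p.is_file()]
    lnk_files = sorted(p.name for p in root_files if p.suffix.lower() == ".lnk")
    executables = sorted(p.name for p in root_files if p.suffix.lower() == ".exe")
    hidden_executables = sorted(p.name for p in root_files
                                if p.suffix.lower() == ".exe" and is_hidden(p))
    decoy = root / DECOY_FOLDER
    moved_files = sorted(p.name for p in decoy.iterdir() if p.is_file()) if decoy.is_dir() else []

    # A root-level shortcut standing in for files that now live under sss is the
    # worm's signature; a dropped executable next to it makes the call definite.
    if lnk_files and decoy.is_dir():
        verdict = "infected" if executables else "suspicious"
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "lnk_files": lnk_files,
        "executables": executables,
        "hidden_executables": hidden_executables,
        "moved_files": moved_files,
    }


def restore_plan(root) -> list:
    """(source, destination) pairs to move the user's files out of sss back to the root.

    Nothing is moved here; names that would collide with an item already at the
    root are skipped so a decoy with the same name cannot be overwritten.
    """
    root = Path(root)
    decoy = root / DECOY_FOLDER
    if not decoy.is_dir():
        return []
    existing = {p.name for p in root.iterdir()}
    return [(p, root / p.name) for p in sorted(decoy.iterdir())
            if p.is_file() and p.name not in existing]


def build_sample_drive(infected: bool) -> Path:
    """Constructed sample: lay out a fake removable drive root in a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    user_files = ["report.docx", "photo.jpg"]
    if infected:
        (root / DECOY_FOLDER).mkdir()
        for name in user_files:
            (root / DECOY_FOLDER / name).write_bytes(b"user data")
        # Real shell links begin with the 4-byte header size 0x4C ('L'); a stub is enough here.
        (root / "sss.lnk").write_bytes(b"L\x00\x00\x00")
        (root / "worm.exe").write_bytes(b"MZ")  # stand-in for the dropped worm copy
    else:
        for name in user_files:
            (root / name).write_bytes(b"user data")
    return root


if __name__ == "__main__":
    for flag in (True, False):
        drive = build_sample_drive(infected=flag)
        print(triage_removable_root(drive))
        print([(src.name, dst.name) for src, dst in restore_plan(drive)])
```

On a real drive, run triage_removable_root against the mount point before opening anything on it; the verdict deliberately keys on the shortcut-plus-sss combination rather than on the executable alone, because the dropped copy carries the hidden attribute and its name is not fixed.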
Figure 2: Code snapshot showing the decompiled script

Figure 3: Code snapshot showing how AutoIt's FileInstall command is used to bundle an AutoIt script with any file and then load that file during the script's execution

Figure 4: Code snapshots showing how the shortcut is added (top) and how the worm propagates through removable drives (bottom)

The dropped Tr.exe is itself another AutoIt-compiled script (Trojan.Win32.BLADABINDI.AA). Decompiling it reveals that it contains a Base64-encoded executable, which it writes to a registry value named Valuex under HKEY_CURRENT_USER\Software. It also creates a second value for persistence: an autorun entry named AdobeMX under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run that runs PowerShell to load the encoded executable via reflective loading (loading an executable from memory rather than from disk). Because the executable is loaded directly from the registry into PowerShell's memory, we were able to dump it from the specific address where it resides. It turned out to be .NET-compiled and obfuscated with a commercial code protector.

Figure 5: Screenshots showing PowerShell loading the encoded executable

BLADABINDI/njRAT payload

This variant of the BLADABINDI backdoor uses water-boom[.]duckdns[.]org as its command-and-control (C&C)
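The Tr.exe persistence routine above (a Base64-encoded executable stored in a value under HKEY_CURRENT_USER\Software and a Run entry that launches PowerShell to load it reflectively) can be hunted for offline from a registry export. The following is an added example, not the original post's code, that parses a .reg export, decodes string values to see whether they hold an MZ/PE image, and flags Run entries that invoke PowerShell with reflection or registry-read markers. The export embedded in the block is constructed: its Base64 blob is a synthetic MZ/PE stub built inside the block, and the AdobeMX command line is a plausible pattern for this technique, not the command the malware actually used.

```python
"""Hunt a .reg export for registry-resident PE payloads and PowerShell Run-key
loaders of the kind Tr.exe installs.

Added example, not the original post's code. SAMPLE_REG is constructed: its
Base64 blob is a synthetic MZ/PE stub and the AdobeMX command line is a
plausible pattern for this technique, not the malware's actual command.
"""
import base64
import binascii
import re
import struct

KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"="data" lines; both sides may contain backslash-escaped quotes and backslashes.
STRING_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$')
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
PS_LAUNCHER_RE = re.compile(r"\bpowershell(?:\.exe)?\b", re.IGNORECASE)
# Heuristic markers of a launcher that pulls code out of the registry or loads it from memory.
PS_LOADER_MARKERS = (
    "reflection.assembly", "::load(", "get-itemproperty", "get-itempropertyvalue",
    "frombase64string", "invoke-expression", "iex ", "-encodedcommand", "-enc ",
)


def unescape_reg_string(s: str) -> str:
    """Undo .reg escaping: \\" -> " and \\\\ -> \\."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> dict:
    """Map each key path to its {value name: string data}; only REG_SZ values are kept."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = STRING_VALUE_RE.match(line)
        if current is not None and value_match:
            name = unescape_reg_string(value_match.group(1))
            keys[current][name] = unescape_reg_string(value_match.group(2))
    return keys


def decode_embedded_pe(value: str):
    """Return the decoded bytes if the string is Base64 of an MZ/PE image, else None."""
    try:
        blob = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob if blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00" else None


def is_powershell_loader(command: str) -> bool:
    """PowerShell launcher carrying at least one reflection/registry-read marker."""
    if not PS_LAUNCHER_RE.search(command):
        return False
    lowered = command.lower()
    return any(marker in lowered for marker in PS_LOADER_MARKERS)


def find_fileless_persistence(reg_text: str) -> list:
    """Collect embedded PE values anywhere and loader-style commands in Run keys."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        in_run_key = key.lower().endswith(RUN_KEY_SUFFIX)
        for name, data in values.items():
            pe = decode_embedded_pe(data)
            if pe is not None:
                findings.append({"key": key, "value": name, "type": "embedded_pe", "size": len(pe)})
            if in_run_key and is_powershell_loader(data):
                findings.append({"key": key, "value": name, "type": "powershell_loader"})
    return findings


def build_fake_pe() -> bytes:
    """Synthetic MZ/PE stub (constructed test data, not a real binary)."""
    dos_header = bytearray(64)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 64)  # e_lfanew: PE signature right after the DOS header
    return bytes(dos_header) + b"PE\x00\x00" + b"\x00" * 20


SAMPLE_REG = f'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software]
"Valuex"="{base64.b64encode(build_fake_pe()).decode()}"

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"OneDrive"="\\"C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\\" /background"
"AdobeMX"="powershell.exe -w hidden -c \\"[Reflection.Assembly]::Load([Convert]::FromBase64String((Get-ItemProperty HKCU:\\\\Software).Valuex)).EntryPoint.Invoke($null,$null)\\""
'''


if __name__ == "__main__":
    for finding in find_fileless_persistence(SAMPLE_REG):
        print(finding)
```

Exports written by regedit are UTF-16LE, so read a real file with encoding="utf-16" before passing its text in. Because the payload check keys on the MZ and PE signatures rather than on the value name, the same scan still fires if a later variant renames Valuex; the marker list for PowerShell commands is a heuristic and should be tuned against the Run entries that are legitimate in your environment.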
Source: TrendLabs Security Intelligence Blog. Published on 2018-11-27
