Be aware! Bladabindi has been recompiled, refreshed, and rehashed!
Researchers discovered a new worm, Worm.Win32.BLADABINDI.AA, which spreads a modern variant of the remote access tool (RAT) Bladabindi. This RAT has been around for years and has claimed victims in countless cyberespionage campaigns; it is capable of keylogging, spying, and far more.
Bladabindi's modus operandi is to hide a copy of itself on any removable drive connected to an infected system; it also creates a registry entry called AdobeMX to maintain persistence. That entry executes a PowerShell script which loads the malware via reflective loading.
This loading technique is what makes the malware fileless, and being fileless lets it evade detection by traditional antivirus software.
After analysing the new worm, researchers found that the Bladabindi file itself is compiled in .NET and uses code-protection software to further obfuscate the malicious code. The malware also abuses AutoIt, a freeware scripting language for the Windows OS, as its compiler.
Remember: everything can be hacked. To stay clear of threats from the cyber world, we recommend installing an antivirus for Windows or an antivirus for Mac on every device you own, depending on which OS it runs. If you are a company, it is also recommended to hire a specialized cybersecurity company every year to run annual tests on your company's network; these tests include penetration testing and ethical hacking tests.
For now, it is unknown how the new variant of Bladabindi initially spreads to and infects systems.
The Bladabindi RAT acts as spyware and a backdoor, capable of keylogging, stealing credentials from browser sessions, capturing webcam footage, and downloading and executing files. When its backdoor feature is executed, a firewall policy is created that adds the PowerShell process to the list of allowed programs. All stolen information is delivered to the attacker's command-and-control (C2) server water-boom.duckdns.org on port 1177.
This fileless version of the well-known malware poses a significant cybersecurity threat. Researchers say that zero-day vulnerabilities and fileless attacks are now the most dangerous threats to enterprise companies.
Experts recommend that users, and especially businesses that still use removable media in the workplace, practice security hygiene: restrict and secure the use of removable media and USB functionality as well as tools like PowerShell, and proactively monitor the gateway, endpoints, network, and servers for anomalous behaviour and indicators such as C&C communication and information theft.
Keep in mind that our modern society depends on computers, mobile devices, and the internet; always stay safe and secure.
We will continue to monitor the cybersecurity world. Meanwhile, users should keep a keen eye out for cyber attacks. Remember to use an antivirus for Windows or an antivirus for Mac on every device you own, depending on which OS it runs. If you are a company, we recommend hiring a specialized cybersecurity company every year to run annual tests on your company's network; such tests include penetration testing and ethical hacking.
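As an added example (not from the original report or the researchers' tooling), the following PowerShell script hunts a single Windows host for the indicators this article names: the AdobeMX persistence entry, a firewall exception for PowerShell, and contact with water-boom.duckdns.org on port 1177. It assumes the AdobeMX value lives under the per-user or per-machine Run key and that the firewall exception references powershell.exe; both are assumptions, since the article does not say where the entry is stored.

```powershell
# Added example: hunt for the Bladabindi indicators listed in the article.
# Assumptions: AdobeMX sits in a Run key; the firewall rule names powershell.exe.
# Uses the NetSecurity and DnsClient modules that ship with Windows 8/2012 and later.
function Find-BladabindiIndicators {
    [CmdletBinding()]
    param(
        [string]$C2Host       = 'water-boom.duckdns.org',  # C2 domain named in the article
        [int]   $C2Port       = 1177,                      # C2 port named in the article
        [string]$RunValueName = 'AdobeMX'                  # persistence value named in the article
    )
    $findings = @()

    # 1. Persistence: Run-key values called AdobeMX, or any Run value that launches PowerShell.
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = (Get-ItemProperty -Path $key).PSObject.Properties |
                  Where-Object { $_.Name -notlike 'PS*' }      # drop PSPath/PSParentPath etc.
        foreach ($v in $values) {
            if ($v.Name -eq $RunValueName -or "$($v.Value)" -match 'powershell') {
                $findings += [pscustomobject]@{ Indicator = 'RunKey'; Detail = "$key\$($v.Name) = $($v.Value)" }
            }
        }
    }

    # 2. Backdoor set-up: an enabled Allow rule whose program is powershell.exe.
    Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Program -match 'powershell' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Indicator = 'FirewallRule'; Detail = "$($_.DisplayName) allows $($_.Direction) PowerShell traffic" }
        }

    # 3. C2 contact: a cached DNS answer for the C2 name, or a live TCP connection to the C2 port.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like "*$C2Host*" } |
        ForEach-Object { $findings += [pscustomobject]@{ Indicator = 'DnsCache'; Detail = "$($_.Entry) -> $($_.Data)" } }
    Get-NetTCPConnection -RemotePort $C2Port -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += [pscustomobject]@{ Indicator = 'TcpConnection'; Detail = "$($_.RemoteAddress):$C2Port owned by PID $($_.OwningProcess)" } }

    return $findings
}

# A clean host returns nothing; any row is worth triage (a Run value launching PowerShell is suspicious on its own).
Find-BladabindiIndicators | Format-Table -AutoSize
```

Run it in an elevated session so the HKLM Run key and all firewall rules are readable; the DNS-cache and TCP checks only catch recent or live contact, so pair them with gateway logs for the same domain and port.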