A new worm has been discovered which spreads a modern variant of the remote access tool (RAT) Bladabindi.
According to researchers from Trend Micro, the worm spreads Bladabindi -- also known as njRAT/Njw0rm -- in a fileless form by propagating through removable drives and storage.
In a blog post on Tuesday, the cybersecurity team said Bladabindi has been recompiled, refreshed, and rehashed for years, leading to its presence in countless cyberespionage campaigns.
The worm which is now spreading a modern variant of Bladabindi is detected as Worm.Win32.BLADABINDI.AA.
Bladabindi hides a copy of itself on any removable drives connected to an infected system and will also create a registry entry called AdobeMX to maintain persistence. This entry will execute a PowerShell script to load the malware via reflective loading.
This loading technique is what makes the malware fileless. Because the executable is loaded directly into memory rather than written to disk, traditional antivirus software that relies on scanning files has a harder time detecting it.
The Bladabindi file itself is compiled in .NET and uses code protection software to further obfuscate the malicious code.
Also of note is the malware's use of AutoIt, a freeware scripting language for the Windows operating system which was originally intended for PC "roll out" scenarios to configure thousands of systems in one go.
In this case, AutoIt is abused as a malware compiler, with the main script loaded into a single executable.
"[This] can make the payload -- the backdoor -- difficult to detect," the researchers say.
It is not known how the new variants of Bladabindi initially reach the systems they infect, but older versions of the malware have previously been detected in phishing campaigns. These variants -- which were file-based -- also permitted users to choose icons designed to mislead victims into executing the malicious code, and stored themselves in temporary Windows folders.
The Bladabindi RAT acts as a data-stealing system and backdoor and is capable of keylogging, the theft of credentials during browser sessions, capturing webcam footage, and both the download and execution of files.
Once the backdoor element is executed, a firewall policy is created which adds the PowerShell process to a list of acceptable programs.
Stolen information is sent to the attacker's command-and-control (C2) server at water-boom[.]duckdns[.]org on port 1177. However, the malware uses a dynamic DNS service, so this address can be changed or updated at any time.
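The indicators above (the AdobeMX Run value that launches PowerShell for a reflective load, the firewall rule that whitelists the PowerShell process, and the dynamic-DNS C2 on port 1177) can be turned into a simple offline hunt. The following script is an added example, not Trend Micro's or ZDNet's code: it runs over constructed text artifacts (a `reg query`-style export of the Run key, an assumed pipe-separated firewall rule listing such as you might produce from Get-NetFirewallRule, and made-up DNS/connection log lines) and flags each indicator. It generalizes slightly beyond the article by also flagging, at low confidence, any other duckdns.org lookup, since the article notes the RAT's C2 can move within that dynamic DNS service.

```python
"""Offline hunt for the Bladabindi/njRAT worm indicators described in the article.
Added example with constructed sample data; not the vendor's code."""
import re

# --- constructed sample artifacts (made up for this example, not real data) ---
RUN_KEY_EXPORT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    AdobeMX    REG_SZ    powershell.exe -w hidden -nop -c "[Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)"
"""

# Assumed export format: Name|Program|Direction|Action (not native netsh output).
FIREWALL_RULES = r"""
Name|Program|Direction|Action
Core Networking - DNS (UDP-Out)|C:\Windows\System32\svchost.exe|Outbound|Allow
Windows PowerShell|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|Inbound|Allow
Remote Desktop - User Mode (TCP-In)|C:\Windows\System32\svchost.exe|Inbound|Block
"""

NETWORK_LOG = [
    "2019-01-22T10:15:03Z dns client=10.0.0.12 query=update.microsoft.com type=A",
    "2019-01-22T10:15:07Z dns client=10.0.0.12 query=water-boom.duckdns.org type=A",
    "2019-01-22T10:15:08Z conn src=10.0.0.12:51234 dst=198.51.100.7:1177 proto=tcp",
    "2019-01-22T10:16:40Z dns client=10.0.0.31 query=homelab.duckdns.org type=A",
]

# --- persistence: Run values that launch PowerShell for a fileless load ---
RUN_VALUE_RE = re.compile(r"^\s*(?P<name>\S+)\s+REG_(?:SZ|EXPAND_SZ)\s+(?P<cmd>.+)$")
POWERSHELL_RE = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.IGNORECASE)
FILELESS_HALLMARKS = (
    re.compile(r"Reflection\.Assembly\]::Load", re.IGNORECASE),  # reflective .NET load
    re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.IGNORECASE),  # encoded command
    re.compile(r"\bIEX\b|Invoke-Expression", re.IGNORECASE),
    re.compile(r"DownloadString|FromBase64String", re.IGNORECASE),
)
KNOWN_PERSISTENCE_NAMES = {"adobemx"}  # value name reported in the article


def find_suspicious_run_entries(export_text):
    """Return Run values that match the reported name or look like a PowerShell fileless loader."""
    hits = []
    for line in export_text.splitlines():
        m = RUN_VALUE_RE.match(line)
        if not m:
            continue
        name, cmd = m.group("name"), m.group("cmd")
        reasons = []
        if name.lower() in KNOWN_PERSISTENCE_NAMES:
            reasons.append("value name matches reported indicator AdobeMX")
        if POWERSHELL_RE.search(cmd) and any(h.search(cmd) for h in FILELESS_HALLMARKS):
            reasons.append("PowerShell autorun with fileless-loading hallmarks")
        if reasons:
            hits.append({"name": name, "command": cmd, "reasons": reasons})
    return hits


# --- firewall: rules that whitelist the PowerShell process ---
POWERSHELL_PATH_RE = re.compile(r"\\(powershell|pwsh)\.exe$", re.IGNORECASE)


def find_powershell_allow_rules(rules_text):
    """Return Allow rules whose program is powershell.exe or pwsh.exe, in either direction."""
    lines = [l for l in rules_text.strip().splitlines() if l.strip()]
    header = lines[0].split("|")
    hits = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split("|")))
        if rec.get("Action") == "Allow" and POWERSHELL_PATH_RE.search(rec.get("Program", "")):
            hits.append({"name": rec["Name"], "direction": rec["Direction"], "program": rec["Program"]})
    return hits


# --- network: the reported C2 domain/port plus generic dynamic-DNS lookups ---
C2_DOMAIN = "water-boom.duckdns.org"
C2_PORT = 1177
DYNDNS_SUFFIXES = (".duckdns.org",)


def find_c2_indicators(log_lines):
    """Score each log line: high = reported C2 domain, medium = port 1177, low = other dynamic DNS."""
    hits = []
    for line in log_lines:
        tokens = line.split()
        kind, fields = tokens[1], dict(kv.split("=", 1) for kv in tokens[2:])
        if kind == "dns":
            q = fields.get("query", "").lower().rstrip(".")
            if q == C2_DOMAIN:
                hits.append({"line": line, "confidence": "high", "reason": "reported C2 domain"})
            elif q.endswith(DYNDNS_SUFFIXES):
                hits.append({"line": line, "confidence": "low", "reason": "dynamic DNS lookup"})
        elif kind == "conn":
            if fields.get("dst", "").rsplit(":", 1)[-1] == str(C2_PORT):
                hits.append({"line": line, "confidence": "medium", "reason": "connection to reported C2 port"})
    return hits


def hunt():
    """Run all three checks over the constructed artifacts and return the combined findings."""
    return {
        "persistence": find_suspicious_run_entries(RUN_KEY_EXPORT),
        "firewall": find_powershell_allow_rules(FIREWALL_RULES),
        "network": find_c2_indicators(NETWORK_LOG),
    }


if __name__ == "__main__":
    for category, findings in hunt().items():
        print(f"== {category}: {len(findings)} finding(s)")
        for f in findings:
            print("  ", f)
```

On a real host you would feed these functions the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, a firewall rule export, and your DNS resolver or proxy logs; a single low-confidence duckdns.org hit is worth a look only when it coincides with the persistence or firewall findings on the same machine.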
In 2016, Fortinet uncovered 166 Bladabindi samples related to hopto.org and myftp.biz, two domains used to maintain a connection to C2 servers.
The introduction of a fileless version of well-known malware is of concern. According to the Ponemon Institute, zero-day vulnerabilities and fileless attacks are now the most dangerous threats to enterprises.
"Users and especially businesses that still use removable media in the workplace should practice security hygiene," Trend Micro concluded. "Restrict and secure the use of removable media or USB functionality, or tools like PowerShell (particularly on systems with sensitive data), and proactively monitor the gateway, endpoints, networks, and servers for anomalous behaviors and indicators such as C&C communication and information theft."