Worm uses removable drives to install BLADABINDI backdoor

Last week, a worm was found spreading via removable drives and installing a fileless version of the BLADABINDI backdoor. BLADABINDI is a notable remote access tool (RAT) with multiple backdoor capabilities, also used for keylogging and DDoS threats.

According to Trend Micro, the propagation routine suggests that the malware likely enters its target systems via removable drives. The worm also uses AutoIt (the FileInstall command) to compile the malicious payload and script into a single executable, making it harder to detect.

The worm also uses an “auto-run” registry entry (i.e., HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run) named AdobeMX, which executes a PowerShell script and delivers the malicious executable as fileless malware from memory. The threat is not loaded from the local system’s hard drive.
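A defender can audit this persistence point by listing the Run key and flagging any value that starts PowerShell at logon. The following is an added example, not code from Trend Micro or from the original article: the `reg query` output is constructed sample data, the command lines in it are invented placeholders rather than the worm's real command, and the hidden-window and encoded-command checks are heuristic assumptions.

```python
import re

# Constructed sample of `reg query` output for the HKCU Run key. The value
# data is invented for illustration; it is not the worm's actual command line.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    AdobeMX    REG_SZ    powershell.exe -WindowStyle Hidden -NoProfile -Command "<constructed placeholder>"
    Updater    REG_EXPAND_SZ    %SystemRoot%\System32\cmd.exe /c start /min pwsh -enc <constructed placeholder>
"""

# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
# PowerShell binary as a command or at the end of a path, not inside a folder name.
POWERSHELL = re.compile(r"(?<![\w.])(powershell|pwsh)(\.exe)?(?![\w.])", re.I)
# Heuristic flags (assumptions; tune them for your environment).
HIDDEN = re.compile(r"-w(in(dowstyle)?)?\s+hidden\b", re.I)
ENCODED = re.compile(r"\s-e(c|nc\w*)?\s", re.I)


def audit_run_key(reg_query_output):
    """Return [(value name, [reasons])] for Run values that start PowerShell."""
    findings = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m or not POWERSHELL.search(m["data"]):
            continue  # key header, blank line, or a value that runs something else
        reasons = ["launches PowerShell at logon"]
        if HIDDEN.search(m["data"]):
            reasons.append("hidden window")
        if ENCODED.search(m["data"]):
            reasons.append("encoded command")
        if m["name"].strip() == "AdobeMX":  # value name reported in this article
            reasons.append("value name reported for this worm")
        findings.append((m["name"].strip(), reasons))
    return findings


if __name__ == "__main__":
    # On a live host, feed in the output of:
    #   reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
    for name, reasons in audit_run_key(SAMPLE_REG_QUERY):
        print(f"{name}: {', '.join(reasons)}")
```

A Run value that launches PowerShell is worth reviewing whatever its name, since the value name is trivial for an attacker to change.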

Trend Micro also said the payload (BLADABINDI/njRAT) uses water-boom[.]duckdns[.]org as its command-and-control (C&C) server, over port 1177. The C&C’s URL also uses dynamic domain name system (DNS), which attackers can use to disguise their server’s actual IP address or update it dynamically if needed.

Given the significant threat, Trend Micro recommends users and businesses restrict and secure the use of removable media, as well as limit use of PowerShell on endpoints with sensitive data.

Organizations should also proactively monitor their gateways, endpoints, networks and servers for suspicious activities (e.g., C&C communications or data theft), as well as use anti-malware solutions.