Monday, February 18, 2019
  • Shmoo Con 2019, EVM’s ‘A Code Pirate’s Cutlass: Recovering Software Architecture From Embedded Binaries’
  • Fear of Data Breaches Driving Big Businesses to Raise Spending on IT in 2019, Survey Shows
  • Changes to CompTIA’s A+ Exam (220-901 and 220-902 / 220-1001 and 220-1002)
  • Microsoft MCSE Exam Review
  • Popular Torrents Uploader Caught Sharing ‘GandCrab’ Ransomware

Security Boulevard

The home of the Security Bloggers Network

Community Chats Webinars Library
  • Home
    • Cybersecurity News
    • Features
    • Industry Spotlight
  • Security Bloggers Network
    • Latest Posts
    • Contributors
    • Syndicate Your Blog
    • Write for Security Boulevard
  • Webinars
    • Upcoming
    • On-Demand
  • Chats
    • CISO Conversations
  • Library

  • Analytics
  • AppSec
  • CISO
  • Cloud
  • DevOps
  • GRC
  • Identity
  • Incident Response
  • IoT / ICS
  • Threats / Breaches
  • More
    • Blockchain / Digital Currencies
    • Careers
    • Cyberlaw
    • Mobile
    • Social Engineering
  • Humor
Data Security SBN News Security Bloggers Network 

Home » Cybersecurity » Data Security » Worm Using Removable Drives to Distribute BLADABINDI Backdoor

Worm Using Removable Drives to Distribute BLADABINDI Backdoor

by David Bisson on November 27, 2018

A newly detected worm is propagating through removable drives to distribute a fileless variant of the BLADABINDI backdoor.

In mid-November, researchers at Trend Micro first observed the worm, which the security firm detects as “Worm.Win32.BLADABINDI.AA.” They’re still investigating the threat’s exact method for infecting a system. But after analyzing its propagation routine, the researchers determined that the worm likely propagates and enters a system through removable drives. Specifically, they spotted the worm installing a hidden copy of itself on any removable drive connected to the infected system.

Trend Micro found that the worm was using AutoIt to compile the payload and main script into a single executable, thereby complicating detection. With the help of an AutoIt script decompiler, the researchers identified the worm’s use of an auto-run registry that employs PowerShell to load the encoded executable as a fileless threat from memory and not from the system’s disks.

Screenshots showing PowerShell loading the encoded executable. (Source: Trend Micro)

The loaded executable, a variant of the BLADABINDI backdoor, uses port 1177 to connect to its command-and-control (C&C) server at water-boom[.]duckdns[.]org. This URL uses dynamic domain name system (DNS), which allows attackers to change or update the server’s IP address.

After creating a firewall policy allowing PowerShell, BLADABINDI then enables attackers to activate a keylogger, execute files and steal credentials from web browsers.

Trend Micro doesn’t downplay the threat posed by BLADABINDI, malware which previously preyed on wannabe attackers’ interest in cracking a target’s Facebook account. As the security firm’s researchers explained in a blog post:

The worm’s payload, propagation, and technique of filelessly delivering the backdoor in the affected system make it a significant threat. Users and especially businesses that still use removable media in the workplace should practice security hygiene.

Organizations can ensure (Read more...)

*** This is a Security Bloggers Network syndicated blog from The State of Security authored by David Bisson. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/worm-using-removable-drives-to-distribute-bladabindi-backdoor/

November 27, 2018November 27, 2018 David Bisson backdoor, BLADABINDI, IT Security and Data Protection, Latest Security News, worm
  • ← IRISSCON 2018 Recap
  • Together Thycotic & IBM Deliver Next-Generation Privileged Access Management →
Featured Blog

Verodin Blog

Security Instrumentation for the Casino & Gaming Industry by Brian Contos

Verodin Blog

The Transformation of Talent & Technology by Kevin Morrison

Verodin Blog

Instrumenting Carbon Black with Verodin SIP

Subscribe to our Newsletters

Get breaking news, free eBooks and upcoming events delivered to your inbox.
  • View Security Boulevard Privacy Policy

Most Read on the Boulevard

Dispelling the ‘Security as Bad Guy’ Myth
DevOps Chat: Shifting DevSec Left with ShiftLeft – RSAC Edition
The Cryptojacking Boom May Be Over, but the Threat Remains
New Shlayer Malware Variant Targeting Macs
Consumer Privacy in Question Over Ring Video Files
Cybersecurity Science Project or Immediate Value: Which Do You Prefer?
Ransomware attack on MSPs exploits popular PSA/RMM Tool
How to Defend Against The runC Container Vulnerability
How Hackable Is Your Dating App?
Backend Office 365™ with LDAP?

Upcoming Webinars

Tue 26

Reducing Risk of Credential Compromise at Netflix

February 26 @ 1:00 pm - 2:00 pm
Apr 01

Container Security: Securing from Within

April 1 @ 1:00 pm - 2:00 pm

More Webinars

Download Free eBook

Next-Generation Cybersecurity

Recent Security Boulevard Chats

  • Cloud, DevSecOps and Network Security, All Together?
  • Security-as-Code with Tim Jefferson, Barracuda Networks
  • ASRTM with Rohit Sethi, Security Compass
  • Deception: Art or Science, Ofer Israeli, Illusive Networks
  • Tips to Secure IoT and Connected Systems w/ DigiCert

Industry Spotlight

Cybersecurity Issues in Mobile App Development
Cybersecurity Industry Spotlight Mobile Security Security Boulevard (Original) 

Cybersecurity Issues in Mobile App Development

February 18, 2019 Ritesh Patil | 8 hours ago 0
What is Data in Vicinity?
Cybersecurity Endpoint Industry Spotlight Security Boulevard (Original) 

What is Data in Vicinity?

February 15, 2019 Mike Fong | 3 days ago 0
The Cryptojacking Boom May Be Over, but the Threat Remains
Cybersecurity Industry Spotlight Network Security Security Boulevard (Original) 

The Cryptojacking Boom May Be Over, but the Threat Remains

February 14, 2019 Jeremy Moskowitz | 4 days ago 0

Top Stories

WordPress Sites Hacked Through Vulnerable Payment Forms Plug-in
Data Security DevOps Featured Identity & Access News Security Boulevard (Original) Spotlight Vulnerabilities 

WordPress Sites Hacked Through Vulnerable Payment Forms Plug-in

February 15, 2019 Lucian Constantin | 2 days ago 0
New Shlayer Malware Variant Targeting Macs
Endpoint Featured Malware News Security Boulevard (Original) Spotlight Threats & Breaches Vulnerabilities 

New Shlayer Malware Variant Targeting Macs

February 14, 2019 Lucian Constantin | 3 days ago 0
IBM Warns Retailers of Trojan Threat
Application Security Cloud Security Cybersecurity Featured Network Security News Security Boulevard (Original) Spotlight Threats & Breaches 

IBM Warns Retailers of Trojan Threat

February 12, 2019 Michael Vizard | Feb 12 0

Security Humor

via  Luke Kingma and Lou Patrick-Mackay at  Futurism Cartoons

Luke Kingma and Lou Patrick-Mackay’s Futurism: “Here’s The Story Of A Failed Group FaceTime”

Join the Community

  • Add your blog to Security Bloggers Network
  • Write for Security Boulevard
  • Bloggers Meetup and Awards
  • Ask a Question
  • Email: info@securityboulevard.com

Useful Links

  • About
  • Media Kit
  • Sponsors Info
  • Copyright
  • TOS
  • Privacy Policy

Other Mediaops Sites

  • Container Journal
  • DevOps.com
  • DevOps Connect
  • DevOps Institute
Copyright © 2019 MediaOps Inc. All rights reserved.

Our website uses cookies. By continuing to browse the website you are agreeing to our use of cookies. For more information on how we use cookies and how you can disable them, please read our Privacy Policy.