Worm Using Removable Drives to Distribute BLADABINDI Backdoor

A newly detected worm is propagating through removable drives to distribute a fileless variant of the BLADABINDI backdoor.

In mid-November, researchers at Trend Micro first observed the worm, which the security firm detects as “Worm.Win32.BLADABINDI.AA.” They’re still investigating the threat’s exact method for infecting a system. But after analyzing its propagation routine, the researchers determined that the worm likely propagates and enters a system through removable drives. Specifically, they spotted the worm installing a hidden copy of itself on any removable drive connected to the infected system.

Trend Micro found that the worm was using AutoIt to compile the payload and main script into a single executable, thereby complicating detection. With the help of an AutoIt script decompiler, the researchers identified the worm’s use of an auto-run registry that employs PowerShell to load the encoded executable as a fileless threat from memory and not from the system’s disks.

The loaded executable, a variant of the BLADABINDI backdoor, uses port 1177 to connect to its command-and-control (C&C) server at water-boom[.]duckdns[.]org. This URL uses dynamic domain name system (DNS), which allows attackers to change or update the server’s IP address.

After creating a firewall policy allowing PowerShell, BLADABINDI then enables attackers to activate a keylogger, execute files and steal credentials from web browsers.

Trend Micro doesn’t downplay the threat posed by BLADABINDI, malware which previously preyed on wannabe attackers’ interest in cracking a target’s Facebook account. As the security firm’s researchers explained in a blog post:

The worm’s payload, propagation, and technique of filelessly delivering the backdoor in the affected system make it a significant threat. Users and especially businesses that still use removable media in the workplace should practice security hygiene.

Organizations can ensure (Read more...)