A newly detected worm is propagating through removable drives to distribute a fileless variant of the BLADABINDI backdoor. In mid-November, researchers at Trend Micro first observed the worm, which the security firm detects as "Worm.Win32.BLADABINDI.AA." They're still investigating the threat's exact method for infecting a system. But after analyzing its propagation routine, the researchers determined that the worm likely propagates and enters a system through removable drives. Specifically, they spotted the worm installing a hidden copy of itself on any removable drive connected to the infected system. Trend Micro found that the worm was using AutoIt to compile the payload and main script into a single executable, thereby complicating detection. With the help of an AutoIt script decompiler, the researchers identified the worm's use of an auto-run registry that employs PowerShell to load the encoded executable as a fileless threat from memory and not from the system's disks.
Screenshots showing PowerShell loading the encoded executable. (Source: Trend Micro) The loaded executable, a variant of the BLADABINDI backdoor, uses port 1177 to connect to its command-and-control (C&C) server at water-boom[.]duckdns[.]org. This URL uses dynamic domain name system (DNS), which allows attackers to change or update the server's IP address. After creating a firewall policy allowing PowerShell, BLADABINDI then enables attackers to activate a keylogger, execute files and steal credentials from web browsers. Trend Micro doesn't downplay the threat posed by BLADABINDI, malware which previously preyed on wannabe attackers’ interest in cracking a target’s Facebook account. As the security firm's researchers explained in a blog post:
The worm’s payload, propagation, and technique of filelessly delivering the backdoor in the affected system make it a significant threat. Users and especially businesses that still use removable media in the workplace should practice security hygiene.
Organizations can ensure this level of security hygiene with the help of the Center for Internet Security's Critical Security Controls. Specifically, they can use Control 8 to to configure anti-malware scanning of removable media. They can also use Control 13 to manage the system's external removable media's read/write configurations.
