variants can be created using a malicious hacker tool known as NJ Rat. We detect NJ Rat as VirTool:MSIL/Bladabindi.A.
NJ Rat is publicly available and lets a malicious hacker choose the icon of the malware file it creates. This means Bladabindi can have any number of icons designed to mislead you into running the file.
There are some sample file icons used by Bladabindi below.
When the malicious file is run, Bladabindi copies itself to one of the following locations with a variable name, for example %TEMP%\svhost.exe:
It copies itself to the following location to make sure it runs each time you start your PC:
It also changes the following registry entry so that it runs each time you start your PC:
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
Sets value: "<32 random alpha-numeric characters>" for example, "5cd8f17f4086744065eb0992a09e05a2"
With data: "%TEMP%\<variable name>.exe"
In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
Sets value: "<32 random alpha-numeric characters>" for example, "5cd8f17f4086744065eb0992a09e05a2"
With data: "%TEMP%\<variable name>.exe"
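The two Run-key entries above share a recognisable shape: a value name made of 32 random hex characters and data that launches an .exe straight out of %TEMP%. The following Python is an added triage example written for this description, not code from the original page or from Microsoft; it runs over a constructed set of Run-key entries (as a responder might export them with reg query) and flags entries matching that shape. It also derives the keystroke-log artifact path described later in this entry (%TEMP%\<variable name>.exe.tmp) so the responder knows which file to collect. The subkey paths, sample names and data are those given on the page or are constructed for the example.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Value names seen in the description are 32 random alpha-numeric (hex) characters.
HEX32_NAME = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
# Data of the form "%TEMP%\<variable name>.exe", optionally wrapped in quotes.
TEMP_EXE_DATA = re.compile(r'^"?%TEMP%\\[^\\]+\.exe"?$', re.IGNORECASE)


class Finding(NamedTuple):
    subkey: str
    value_name: str
    data: str
    reasons: Tuple[str, ...]


def inspect_run_entries(entries: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Return Run-key entries whose name or data matches the Bladabindi persistence shape.

    `entries` maps a Run subkey path to its {value name: data} pairs.
    Each finding lists every reason it was flagged, so a single weak
    indicator (e.g. only a hex-looking name) is still visible for review.
    """
    findings: List[Finding] = []
    for subkey, values in entries.items():
        for name, data in values.items():
            reasons = []
            if HEX32_NAME.match(name):
                reasons.append("value name is 32 hex characters")
            if TEMP_EXE_DATA.match(data.strip()):
                reasons.append("data runs an .exe directly from %TEMP%")
            if reasons:
                findings.append(Finding(subkey, name, data, tuple(reasons)))
    return findings


def keylog_artifact_path(run_data: str) -> str:
    """Derive the keystroke-log path the description gives: <copied exe path>.exe.tmp."""
    return run_data.strip().strip('"') + ".tmp"


# Constructed sample: two benign entries and the two entries this page describes.
SAMPLE_RUN_ENTRIES = {
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run": {
        "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
        "5cd8f17f4086744065eb0992a09e05a2": r"%TEMP%\svhost.exe",
    },
    r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run": {
        "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "5cd8f17f4086744065eb0992a09e05a2": r'"%TEMP%\svhost.exe"',
    },
}

if __name__ == "__main__":
    for f in inspect_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"{f.subkey}\n  {f.value_name} = {f.data}")
        for r in f.reasons:
            print(f"    - {r}")
        print(f"    collect: {keylog_artifact_path(f.data)}")
```

On a live host the same check can be fed from the output of reg query, or from a parsed .reg export; the point of returning every reason separately is that an entry with only one indicator is worth a look but should not be auto-remediated, whereas both together match this family's documented persistence exactly.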
It also runs net.exe to add itself to the firewall exclusion list and bypass your firewall.
Some Bladabindi variants copy themselves to the root folder of a removable drive. They create a shortcut file with the name and folder icon of the drive. When you click on the shortcut, the malware is launched and Windows Explorer is opened. This makes it seem as if nothing malicious happened.
The malicious file can also be downloaded by other malware, or spread through malicious links and hacked websites.
Backdoor:MSIL/Bladabindi can also be downloaded by recent variants of the Worm:VBS/Jenxcus family and a dedicated downloader that we detect as TrojanDownloader:MSIL/Bladabindi.A.
Steals sensitive information
Backdoor:MSIL/Bladabindi gives a malicious hacker backdoor access to your PC. This means they can steal your sensitive information, including:
- Your PC name, country and serial number
- Your Windows user name
- Your PC operating system version
Bladabindi variants can also steal information such as your:
- Chrome stored passwords
- DynDNS information
- Firefox stored passwords
- IE 7 stored passwords
- No-ip/DUC information
- Opera stored passwords
- Paltalk credentials
The malware can also use your PC camera to record and steal your personal information. It checks for camera drivers and installs a DLL plugin so it can record and upload the video to a remote malicious hacker.
The trojan can also log your keystrokes. This means a malicious hacker can get access to your user names and passwords. The collected data is saved in %TEMP%\<variable name>.exe.tmp and can then be uploaded to the malicious hacker.
Accepts backdoor commands
Backdoor:MSIL/Bladabindi can also receive the following backdoor commands:
- Capture screenshots
- Compress data to be uploaded
- Connect to remote servers
- Download and run files
- Load plugins dynamically
- Manipulate the registry
- Open a remote shell
- Ping a remote server
- Restart your PC
- Uninstall itself
- Update itself
The trojan can connect to remote servers to download and install updates or other malware. We have seen it connect to:
Backdoor:MSIL/Bladabindi uses various .NET obfuscators to hide its code.
It also makes itself a critical process to prevent it from being stopped. Your system may crash with stop code 0x000000F4 if the malware process is interrupted. This can make it hard to clean your PC while the malware is running.
Analysis by Zhitao Zhou and Francis Tan Seng