Installation
Bladabindi variants are created with a publicly available malicious hacker tool known as NJ Rat. We detect NJ Rat itself as VirTool:MSIL/Bladabindi.A.
NJ Rat lets the attacker choose the icon of the malware file it builds, so a Bladabindi sample can carry any icon designed to mislead you into running it.
Sample file icons used by Bladabindi (figure not reproduced in this text).
The threat copies itself to a folder such as %TEMP% or %APPDATA% under a variable file name, for example %TEMP%\svhost.exe or %APPDATA%\explorer.exe.
It may also copy itself to a startup location so that it runs each time you start your PC.
It may also change the following registry entry so that it runs each time you start your PC:
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
Sets value: "<any string>", for example "5cd8f17f4086744065eb0992a09e05a2" or "windowsupdate"
With data: "%Dropped Folder%\<variable name>.exe" .. (the quoted path of the dropped copy, followed by a space and two dots), for example "%APPDATA%\explorer.exe" ..
In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
Sets value: "<any string>", for example "5cd8f17f4086744065eb0992a09e05a2" or "windowsupdate"
With data: "%Dropped Folder%\<variable name>.exe" .. (the quoted path of the dropped copy, followed by a space and two dots), for example "%APPDATA%\explorer.exe" ..
It may also create the following registry entries as infection markers:
In subkey: HKCU
Sets value: "di"
With data: "!"
In subkey: HKCU\Software\<32 random alphanumeric characters>, for example HKCU\Software\e668694b82065129bc2586215ad6b001
Sets value: "[kl]"
With data: "0"
Sets value: "US"
With data: "@"
It also runs netsh.exe (netsh firewall add allowedprogram) to add its dropped copy to the Windows Firewall allowed-programs list, so that its connections to the attacker's server are not blocked.
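The following triage script is an added example, not part of the original write-up and not njRAT's own code. It reports, read-only, the artifacts described in this Installation section (Run values with the trailing " ..", the "di" marker, the Software\<32 characters> key with "[kl]" and "US" values, and the firewall rule added via netsh) plus the %TEMP%\<variable name>.exe.tmp keystroke log described under Payload. Assumptions not taken from the write-up: the standard autorun key under Windows\CurrentVersion is checked alongside the Windows NT\CurrentVersion path the text lists, the 32-character key name is treated as hexadecimal, and firewall rules are read through the NetSecurity module (Windows 8 / Server 2012 and later).

```powershell
# Added triage script (not part of the original write-up). Read-only. Run it from an elevated
# prompt in the session of the affected user (HKCU and %TEMP% are per-user).
$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding($Indicator, $Location, $Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Location = $Location; Detail = $Detail })
}

# 1. Run values whose data has the shape shown above: a quoted .exe path followed by " ..".
#    The write-up names the key under "Windows NT\CurrentVersion"; the standard autorun key
#    under "Windows\CurrentVersion" is checked as well (assumption, not from the write-up).
$flaggedExes = @()
foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($sub in 'Windows NT\CurrentVersion\Run', 'Windows\CurrentVersion\Run') {
        $key = "${hive}:\Software\Microsoft\$sub"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*' -or $p.Value -isnot [string]) { continue }
            if ($p.Value -match '^"(?<exe>[^"]+\.exe)"\s+\.\.$') {
                $flaggedExes += [Environment]::ExpandEnvironmentVariables($Matches['exe'])
                $note = if ($p.Name -match '^[0-9a-f]{32}$') { ' (32-hex value name)' } else { '' }
                Add-Finding ('Run value with trailing ".."' + $note) "$key\$($p.Name)" $p.Value
            }
        }
    }
}

# 2. First-run marker: value "di" = "!" directly under the HKCU root.
$di = Get-ItemProperty -Path 'HKCU:\' -Name 'di' -ErrorAction SilentlyContinue
if ($di -and $di.di -eq '!') { Add-Finding 'Marker value "di"' 'HKCU\di' $di.di }

# 3. Software\<32 hex characters> key holding "[kl]" or "US" values. The write-up's example is
#    under HKCU; HKLM\Software is checked too (assumption, harmless if nothing is there).
foreach ($root in 'HKCU:\Software', 'HKLM:\Software') {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^[0-9a-f]{32}$' } |
        ForEach-Object {
            $key = $_
            foreach ($v in '[kl]', 'US') {
                if ($key.GetValueNames() -contains $v) {
                    $val = [string]$key.GetValue($v)
                    Add-Finding "Marker value $v" $key.Name "data length $($val.Length)"
                }
            }
        }
}

# 4. Firewall rules that allow a flagged executable (the netsh change described above).
if ($flaggedExes.Count -gt 0) {
    $appFilters = Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue
    foreach ($exe in ($flaggedExes | Select-Object -Unique)) {
        $appFilters |
            Where-Object { $_.Program -and ([Environment]::ExpandEnvironmentVariables($_.Program) -ieq $exe) } |
            Get-NetFirewallRule |
            ForEach-Object { Add-Finding 'Firewall rule allowing flagged executable' $_.DisplayName "$($_.Direction) $($_.Action): $exe" }
    }
}

# 5. Keystroke log files: %TEMP%\<variable name>.exe.tmp (see "Payload").
Get-ChildItem -Path $env:TEMP -Filter '*.exe.tmp' -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Possible keystroke log' $_.FullName "$($_.Length) bytes, modified $($_.LastWriteTime)" }

if ($findings.Count -eq 0) { 'No Bladabindi indicators found.' } else { $findings | Format-Table -AutoSize -Wrap }
```

The script only reports; it does not delete anything, because the running process is marked critical (see "Avoids detection" below) and cleanup needs to be sequenced so that the machine does not bugcheck. Treat a Run value whose data ends in " .." as the strongest single indicator: that trailing argument is what the dropped copy is started with and is not something legitimate software writes.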
Spreads via...
Spam emails
Variants in this family can be installed on your PC when you open an attachment or click a malicious link in a spam email.
Removable drives
Some Bladabindi variants copy themselves to the root folder of a removable drive and create a shortcut file there that has the drive's name and a folder icon. Clicking the shortcut launches the malware and then opens the drive in Windows Explorer, so it looks as if nothing unusual happened.
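The following is an added example, not part of the original write-up and not njRAT's own code: it lists shortcuts in the root of each removable drive and reports why each looks like the decoy described above. The heuristics it applies (shortcut named after the volume label, the shell32.dll folder icon, a cmd.exe target, arguments that chain several commands, hidden files next to the shortcut) are assumptions for illustration, not details taken from the write-up.

```powershell
# Added example (not part of the original write-up). Read-only: inspects removable-drive roots
# for a decoy shortcut and the hidden files it might launch.
function Get-DecoyShortcut {
    $wsh = New-Object -ComObject WScript.Shell
    $removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'   # 2 = removable disk
    foreach ($disk in $removable) {
        $root  = "$($disk.DeviceID)\"
        $label = $disk.VolumeName
        # Hidden entries in the drive root (assumption: the dropped copy is hidden so only the
        # shortcut is visible to the user).
        $hidden = Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
            ForEach-Object { $_.Name }
        foreach ($lnk in (Get-ChildItem -Path $root -Filter '*.lnk' -File -Force -ErrorAction SilentlyContinue)) {
            $sc = $wsh.CreateShortcut($lnk.FullName)   # CreateShortcut on an existing .lnk loads it
            $args = "$($sc.Arguments)"
            $reasons = @()
            if ($label -and $lnk.BaseName -ieq $label)       { $reasons += 'named after the volume label' }
            if ($sc.IconLocation -match 'shell32\.dll,\s*3$') { $reasons += 'uses the shell32 folder icon (index 3)' }
            if ($sc.TargetPath -match '\\cmd\.exe$')         { $reasons += 'target is cmd.exe' }
            if ([regex]::Matches($args, '\bstart\b|&').Count -ge 2) { $reasons += 'arguments chain several commands' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Drive        = $disk.DeviceID
                    Shortcut     = $lnk.Name
                    Target       = $sc.TargetPath
                    Arguments    = $args
                    Icon         = $sc.IconLocation
                    Reasons      = $reasons -join '; '
                    HiddenInRoot = $hidden -join ', '
                }
            }
        }
    }
}

Get-DecoyShortcut | Format-List
```

Run it with the suspect drive inserted but before double-clicking anything on it; Explorer does not execute a shortcut merely by listing it. A shortcut whose target is cmd.exe with arguments that start one program and then open the drive is the pattern to look for, and the hidden files listed beside it are what should be submitted for analysis.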
The malicious file can also be downloaded by other malware, or spread through malicious links and hacked websites.
Backdoor:MSIL/Bladabindi can also be downloaded by recent variants of the Worm:VBS/Jenxcus family and a dedicated downloader that we detect as TrojanDownloader:MSIL/Bladabindi.A.
Payload
Steals sensitive information
Backdoor:MSIL/Bladabindi gives a malicious hacker backdoor access to your PC. This means they can steal your sensitive information, including:
- Your PC name, country and serial number
- Your Windows user name
- Your PC operating system version
Bladabindi variants can also steal information such as your:
- Chrome stored passwords
- DynDNS information
- Firefox stored passwords
- IE 7 stored passwords
- No-IP DUC (Dynamic Update Client) information
- Opera stored passwords
- Paltalk credentials
The malware can also spy on you through your PC's camera. It checks for camera drivers and installs a DLL plugin so that it can record video and upload it to the remote attacker.
It can also log your keystrokes, which gives the attacker your user names and passwords. The keystroke log is written to %TEMP%\<variable name>.exe.tmp and can then be uploaded to a remote server.
Accepts backdoor commands
Backdoor:MSIL/Bladabindi can also receive the following backdoor commands:
- Capture screenshots
- Compress data to be uploaded
- Connect to remote servers
- Download and run files
- Exit
- Load plugins dynamically
- Manipulate the registry
- Open a remote shell
- Ping a remote server
- Restart your PC
- Uninstall itself
- Update itself
The trojan can connect to remote servers to download and install updates or other malware. We have seen it connect to:
- fox2012.no-ip.org
- jn.redirectme.net
- moudidz.no-ip.org
- reemo.no-ip.biz
Additional information
Avoids detection
Backdoor:MSIL/Bladabindi uses various .NET obfuscators to hide its code.
It also marks its own process as critical so that it cannot simply be terminated: if the malware process is killed, Windows bugchecks with stop code 0x000000F4 (CRITICAL_OBJECT_TERMINATION). This can make it hard to clean your PC while the malware is running. Removing the persistence entries and restarting, or cleaning from an offline environment, avoids the crash.
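Where a restart is not an option, the critical flag can be cleared before the process is stopped. The following is an added example, not part of the original write-up and not njRAT's own code. It assumes the flag was set through the usual mechanism, the ProcessBreakOnTermination process information class (value 29, the class RtlSetProcessIsCritical uses): writing 0 to it makes the process ordinary again so that it can be terminated without the 0x000000F4 bugcheck. $ProcessId is a placeholder for the PID identified during triage; the shell must be elevated so that SeDebugPrivilege can be enabled.

```powershell
# Added example (not part of the original write-up): clear the "critical process" flag on a
# running process, then stop it. Needs an elevated prompt. Add-Type generates a P/Invoke wrapper
# for the two ntdll calls; the guard avoids redefining the type if the snippet is run twice.
if (-not ('Bladabindi.NtProc' -as [type])) {
    Add-Type -Namespace Bladabindi -Name NtProc -MemberDefinition @'
[DllImport("ntdll.dll")]
public static extern int NtQueryInformationProcess(IntPtr ProcessHandle, int ProcessInformationClass,
    ref int ProcessInformation, int ProcessInformationLength, ref int ReturnLength);
[DllImport("ntdll.dll")]
public static extern int NtSetInformationProcess(IntPtr ProcessHandle, int ProcessInformationClass,
    ref int ProcessInformation, int ProcessInformationLength);
'@
}

function Clear-CriticalFlag {
    param([Parameter(Mandatory = $true)][int]$ProcessId)
    $ProcessBreakOnTermination = 29                      # PROCESS_INFORMATION_CLASS value
    [System.Diagnostics.Process]::EnterDebugMode()       # enables SeDebugPrivilege for this shell
    $proc   = Get-Process -Id $ProcessId -ErrorAction Stop
    $handle = $proc.Handle                               # opened by .NET with PROCESS_ALL_ACCESS
    $flag = 0; $returned = 0
    $status = [Bladabindi.NtProc]::NtQueryInformationProcess($handle, $ProcessBreakOnTermination, [ref]$flag, 4, [ref]$returned)
    if ($status -ne 0) { throw ('NtQueryInformationProcess failed, NTSTATUS 0x{0:X8}' -f $status) }
    if ($flag -eq 0) { return $false }                   # not critical: nothing to clear
    $flag = 0
    $status = [Bladabindi.NtProc]::NtSetInformationProcess($handle, $ProcessBreakOnTermination, [ref]$flag, 4)
    if ($status -ne 0) { throw ('NtSetInformationProcess failed, NTSTATUS 0x{0:X8}' -f $status) }
    return $true
}

# Usage (placeholder PID): clear the flag first; Stop-Process alone would bugcheck the machine.
# $ProcessId = 1234
# if (Clear-CriticalFlag -ProcessId $ProcessId) { 'critical flag cleared' }
# Stop-Process -Id $ProcessId -Force
```

Querying before setting matters: if the flag is already 0 the process was never critical (or the sample uses some other trick), and terminating it is safe without the set call. Remove the Run values and the dropped file before stopping the process, otherwise a watchdog copy or a restart simply brings it back.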
Analysis by Zhitao Zhou and Francis Tan Seng