Researchers last week detected a new, fileless version of the malicious remote access tool njRAT that propagates as a worm via removable drives.
Also known as BLADABINDI or njw0rm, the njRAT acts as a backdoor, capable of cyber espionage, keylogging, distributed denial of service attacks, retrieving and executing files, and stealing credentials from web browsers.
This particular variant, identified as Worm.Win32.BLADABINDI.AA, leverages AutoIt, a free automation script language for Windows, to compile the final payload and the main script into one executable. The technique makes the ultimate payload difficult to detect, Trend Micro threats analyst Carl Maverick R. Pascual reported today in a company blog post.
An analysis of the executable’s script determined that it deletes any file named Tr.exe from the %TEMP% directory and replaces it with its own malicious version, plus a copy of itself. All additional files downloaded from the C2 server, which is located at water-boom [.]duckdns[.]org, will also be stored in the %TEMP% folder.
The dropped Tr.exe file is actually a second AutoIt-compiled script that contains yet another executable, this one base-64 encoded. Tr.exe “will use an auto-run registry… named AdobeMX that will execute PowerShell to load the encoded executable via reflective loading,” states the blog post,” meaning that the executable will load from memory instead of via the system’s disks.
Worm.Win32.BLADABINDI.AA is similar to its predecessors in that its C&C-related URL uses the dynamic domain name system service. Pascual believes this could be to allow the attackers “to hide the server’s actual IP address or change/update it as necessary.”
“The worm’s payload, propagation, and technique of filelessly delivering the backdoor in the affected system make it a significant threat,” the blog post concludes. “Users and especially businesses that still use removable media in the workplace should practice security hygiene. Restrict and secure the use of removable media or USB functionality, or tools like PowerShell… and proactively monitor the gateway, endpoints, networks, and servers for anomalous behaviors and indicators such as C&C communication and information theft.” Trend Micro also recommends employing an endpoint solution that can detect fileless malware attacks through behavior monitoring.