New Bladabindi variant being distributed via a worm in a recent campaign

• Bladabindi, also known as njRAT/Njw0rm, has been repurposed and used in various cyberespionage campaigns in the past.
• Bladabindi is a remote access trojan that contains various backdoor capabilities and can also carry out keylogging and DDoS attacks.

A new variant of the Bladabindi malware, also known as njRAT/Njw0rm, is currently being distributed via a worm in a new campaign. Bladabindi is a remote access trojan that contains various backdoor capabilities and can also carry out keylogging and DDoS attacks. The malware has been repurposed and used in various cyberespionage campaigns in the past.

The new variant of the RAT, Worm.Win32.BLADABINDI.AA., spread via removable drives and installs a fileless variant of the Bladabindi backdoor. According to security experts at Trend Micro, who discovered the new campaign, apart from hiding itself in a removable drive, the malware also creates a registry called AdobeMX to maintain persistence. This, in turn, executes a PowerShell to install the backdoor malware. This malware loading technique can make detection quite challenging.

“The variant of the BLADABINDI backdoor uses water-boom[.]duckdns[.]org as its command-and-control (C&C) server, on port 1177. As with other and previous iterations of BLADABINDI, this fileless version’s C&C-related URL uses dynamic domain name system (DNS). This could potentially allow the attackers to hide the server’s actual IP address or change/update it as necessary,” Trend Micro researchers said in a report.

Bladabindi comes with a variety of data-stealing capabilities. It can steal browser credentials, capture webcam footage, as well as download additional malicious files.

Researchers believe that Bladabindi’s propagation techniques make it a significant threat. Those who use removable drives are advised to implement healthy security practices and proactively monitor endpoints, gateways, networks and servers for any suspicious activities.