Threat Management, Malware

Malicious developer creates wormable, fileless variant of njRAT

Researchers last week detected a new, fileless version of the malicious remote access tool njRAT that propagates as a worm via removable drives.

Also known as BLADABINDI or njw0rm, the njRAT acts as a backdoor, capable of cyber espionage, keylogging, distributed denial of service attacks, retrieving and executing files, and stealing credentials from web browsers.

This particular variant, identified as Worm.Win32.BLADABINDI.AA, leverages AutoIt, a free automation script language for Windows, to compile the final payload and the main script into one executable. The technique makes the ultimate payload difficult to detect, Trend Micro threats analyst Carl Maverick R. Pascual reported today in a company blog post.

An analysis of the executable's script determined that it deletes any file named Tr.exe from the %TEMP% directory and replaces it with its own malicious version, plus a copy of itself. All additional files downloaded from the C2 server, which is located at water-boom [.]duckdns[.]org, will also be stored in the %TEMP% folder.

The dropped Tr.exe file is actually a second AutoIt-compiled script that contains yet another executable, this one base-64 encoded. Tr.exe "will use an auto-run registry... named AdobeMX that will execute PowerShell to load the encoded executable via reflective loading," states the blog post," meaning that the executable will load from memory instead of via the system's disks.

Worm.Win32.BLADABINDI.AA is similar to its predecessors in that its C&C-related URL uses the dynamic domain name system service. Pascual believes this could be to allow the attackers "to hide the server’s actual IP address or change/update it as necessary."

"The worm’s payload, propagation, and technique of filelessly delivering the backdoor in the affected system make it a significant threat," the blog post concludes. "Users and especially businesses that still use removable media in the workplace should practice security hygiene. Restrict and secure the use of removable media or USB functionality, or tools like PowerShell... and proactively monitor the gateway, endpoints, networks, and servers for anomalous behaviors and indicators such as C&C communication and information theft." Trend Micro also recommends employing an endpoint solution that can detect fileless malware attacks through behavior monitoring.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds