This month the Malicious Software Removal Tool (MSRT) includes a new malware family: MSIL/Bladabindi. An interesting aspect of this family is that the author made three versions of this RAT, written in VB.NET, VBS and AutoIt. The malware builder is also publicly available for download.
Because of this, there are many variants in this family, and they spread in many different ways, such as Facebook messages and hacked websites. Once installed, malware in this family can be used to take control of a PC and steal sensitive information. We added Bladabindi to the MSRT due to its prevalence throughout 2013.
Figure 1: Telemetry data showing the prevalence of Bladabindi
Bladabindi variants can be created by using the Remote Access Tool (RAT) known as "NJ Rat". We detect this RAT as VirTool:MSIL/Bladabindi.A. Bladabindi can also be downloaded by recent variants of the Jenxcus family, which likely has the same author as Bladabindi.
Recently, its author released a dedicated downloader that downloads Bladabindi and runs it directly from memory; we detect this as TrojanDownloader:MSIL/Bladabindi.A.
Bladabindi variants are usually installed with an enticing name and icon to trick people into running them. The following are some sample file names:
Below are some sample icons:
Figure 2: Some file icons used by Bladabindi
From the information we collected, it seems Bladabindi's author is trying to show off their ability to develop malware in order to improve their chances of being hired for other projects. They even use the following picture (showing infected machines) as the header photo of their Twitter page.
Figure 3: Bladabindi author's Twitter page
Though there is no direct evidence connecting the author, distributor, and online account owner associated with the malware, the same user name is consistently used across multiple forums and social media. Do you remember the infamous Win32/Hupigon worm? That was another case where a malware author wrote a backdoor but claimed they didn't distribute it.
As usual, the best protection from Bladabindi, and from other malware or potentially unwanted software, is to have up-to-date security software installed and to be aware of the risks of social engineering.
Zhitao Zhou, Steven Zhou, and Francis Allan Tan Seng, MMPC