silversurfer
Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
- Aug 17, 2014
- 10,165
According to researchers from Trend Micro, the worm spreads Bladabindi -- also known as njRAT/Njw0rm -- in a fileless form by propagating through removable drives and storage.
In a blog post on Tuesday, the cybersecurity team said Bladabindi has been recompliled, refreshed, and rehashed for years, leading to its presence in countless cyberespionage campaigns.
The worm which is now spreading a modern variant of Bladabindi is detected as Worm.Win32.BLADABINDI.AA.
Bladabindi hides a copy of itself on any removable drives connected to an infected system and will also create a registry entry called AdobeMX to maintain persistence. This entry will execute a PowerShell script to load the malware via reflective loading.
This loading technique is what makes the malware fileless. By loading from an executable hidden in memory rather than a system disk, this can make detection by traditional antivirus software more difficult to achieve.