AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor
(Nov 27, 2018)
A variant of the “BLADABINDI” (njRAT, Njw0rm) Remote Access Trojan (RAT) has been observed being distributed by a worm that propagates through removable drives, according to Trend Micro researchers. The worm’s objective is to install a fileless version of the BLADABINDI backdoor, which has multiple capabilities including Distributed Denial-of-Service (DDoS) attacks and keylogging, among others. As of this writing, it is unknown how the worm initially arrives on a machine. Researchers note that the use of AutoIt (specifically its FileInstall command) to compile the RAT payload into the worm makes BLADABINDI difficult to detect.
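As an added example (not code from the bulletin or from the Trend Micro write-up), the Python triage script below sweeps a mounted volume such as a removable drive and flags PE files that carry the marker compiled AutoIt v3 scripts embed; the sample files it creates are constructed, and a marker hit is a triage heuristic for "AutoIt-compiled", not proof of BLADABINDI.

```python
import os
import tempfile
from typing import List

# "AU3!EA06" is the marker found in the script resource of executables
# compiled with AutoIt v3. Matching on it is a heuristic, not a verdict:
# plenty of legitimate utilities are AutoIt-compiled too.
AUTOIT_MARKER = b"AU3!EA06"
PE_MAGIC = b"MZ"
MAX_READ = 16 * 1024 * 1024  # cap per-file reads so a sweep stays bounded

def triage_blob(data: bytes, name: str) -> List[str]:
    """Return findings for one file's content (empty list = nothing notable)."""
    findings = []
    if data.startswith(PE_MAGIC) and AUTOIT_MARKER in data:
        findings.append(f"{name}: PE containing compiled AutoIt script")
    return findings

def triage_path(root: str) -> List[str]:
    """Walk a mounted volume (e.g. a removable drive) and triage every file."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            try:
                with open(full, "rb") as fh:
                    data = fh.read(MAX_READ)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            results.extend(triage_blob(data, full))
    return results

def build_sample_volume() -> str:
    """Constructed sample: a temp directory standing in for a removable drive."""
    root = tempfile.mkdtemp(prefix="usb_sample_")
    # constructed benign file: not a PE and no marker
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"quarterly notes\n")
    # constructed suspect: PE header followed by the AutoIt marker
    with open(os.path.join(root, "update.exe"), "wb") as fh:
        fh.write(PE_MAGIC + b"\x00" * 64 + AUTOIT_MARKER + b"\x00" * 16)
    return root

if __name__ == "__main__":
    for line in triage_path(build_sample_volume()):
        print(line)
```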
Recommendation: Ensure endpoints are secure with updated patches; also make sure users have only standard user accounts rather than privileged ones, and use endpoint antimalware tools to protect devices. These steps should be part of a defense-in-depth approach that also scans network connections and email for malware. This will help reduce the chance that the malware is able to reach the endpoint and execute.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.