

Saturday, July 8, 2017

Bladabindi RAT

OO.exe is a Remote Access Trojan (RAT) known as Bladabindi, written in .NET. It is sometimes associated with NJRAT and has been modified heavily over the last several years.





RING Ø LABS
Malware Report

DETAILS

When executed, OO.exe will copy and execute itself in the %TEMP% directory, set up persistence (see PERSISTENCE), and kill the original executable. The program will then add a firewall rule with the following command:

netsh firewall add allowedprogram "[malware path]" "[malware name]" ENABLE

Once network access has been achieved, the trojan will beacon to the C&C server found in its configuration. The configuration for the current file contains various parameters, including the current MUTEX and the C&C IP/Port. These settings can be found near offset 0x4a9a as depicted in the image to the right.


The trojan’s initial beacons contain limited system survey information (left image). The next packet contains the implant’s current configuration settings (right image - Shown B64 decoded).



When the trojan successfully connects to the C&C server it can perform the following RAT functionality:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • uninstall itself
  • send the list of running processes to a remote computer
  • terminate running processes
  • execute shell commands
  • delete Registry entries
  • create Registry entries
  • capture screenshots


DROPPED FILES

C:\Users\User\AppData\Local\Temp\OO.exe


PERSISTENCE

C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OO.exe
OR
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\[path-to-malware\OO.exe]



NETWORK PROTOCOL ANALYSIS

The Bladabindi trojan communicates via TCP, does not authenticate with the C&C, and does not use any obfuscation/encryption aside from Base64 in some fields.

The first 4 bytes are a length header holding [TotalPacketLength - 4], i.e. the number of bytes that follow the header, written in ASCII. The decimal number occupies the first 3 bytes and must be NULL terminated at the 4th byte.


The next set of bytes contain a command sent to the implant from the controller. In my testing this field ranged from 2 to 4 bytes and used ASCII characters (see command table below).


The next field represents a custom delimiter for separating commands/data/parameters. In my testing this always contained the ASCII string |’|’| and is most likely configurable via the implant’s settings. The number of delimiters varies depending on the command. In the following example we see 3 parameters being passed to the implant [ ~, examples, 1234 ].
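As an added example (not code from the Ring Ø Labs post or from the malware), the framing described above can be turned into a small builder/parser that a pcap-carving or IR script could reuse. The command text "CMD", the parameter values and the field names are constructed placeholders, not values recovered from the sample; the 3-digit length, NUL terminator, 2-4 letter command and |'|'| delimiter come from the description above.

```python
import re

# Added example, not code from the Ring 0 Labs post: builder and parser for
# the Bladabindi framing (3 ASCII digits, NUL, command, |'|'|-separated
# parameters). "CMD" and the parameter values are constructed placeholders.

DELIM = b"|'|'|"   # delimiter observed in the post
HEADER_LEN = 4     # 3 ASCII length digits + NUL terminator
COMMAND_RE = re.compile(rb"[A-Za-z]{2,4}")  # 2-4 ASCII letters, as observed


def build_frame(command: bytes, params: list) -> bytes:
    """Assemble one frame. The length field counts the bytes after the
    4-byte header (total packet length - 4), so three digits cap the body
    at 999 bytes."""
    body = DELIM.join([command] + list(params))
    if len(body) > 999:
        raise ValueError("body exceeds the 3-digit length field")
    return f"{len(body):03d}".encode("ascii") + b"\x00" + body


def parse_frame(buf: bytes) -> dict:
    """Parse the first frame in buf. Raises ValueError on malformed input."""
    if len(buf) < HEADER_LEN:
        raise ValueError("buffer shorter than the 4-byte header")
    digits, terminator = buf[:3], buf[3:4]
    if not digits.isdigit() or terminator != b"\x00":
        raise ValueError("header is not 3 ASCII digits followed by NUL")
    body_len = int(digits)
    body = buf[HEADER_LEN:HEADER_LEN + body_len]
    if len(body) != body_len:
        raise ValueError("body truncated: header promises %d bytes" % body_len)
    # The protocol has no escaping, so a plain split is all the implant can
    # do; a parameter that itself contains the delimiter is ambiguous.
    fields = body.split(DELIM)
    command = fields[0]
    if not COMMAND_RE.fullmatch(command):
        raise ValueError("command field outside the observed 2-4 ASCII letters")
    return {
        "length": body_len,
        "command": command.decode("ascii"),
        "params": [p.decode("latin-1") for p in fields[1:]],
        "consumed": HEADER_LEN + body_len,
    }


def is_well_formed(buf: bytes) -> bool:
    """True if buf begins with a frame this parser accepts."""
    try:
        parse_frame(buf)
        return True
    except ValueError:
        return False


def split_stream(stream: bytes) -> list:
    """Walk a reassembled TCP stream and return every complete frame in
    order, stopping at the first malformed or incomplete one."""
    frames, offset = [], 0
    while offset < len(stream) and is_well_formed(stream[offset:]):
        frame = parse_frame(stream[offset:])
        frames.append(frame)
        offset += frame["consumed"]
    return frames


# Constructed sample reproducing the post's 3-parameter example [~, examples, 1234]
SAMPLE = build_frame(b"CMD", [b"~", b"examples", b"1234"])

if __name__ == "__main__":
    print(SAMPLE)              # b"031\x00CMD|'|'|~|'|'|examples|'|'|1234"
    print(parse_frame(SAMPLE))
```

split_stream stops at the first frame whose header and body disagree, which is the behaviour you want when carving frames out of a stream capture: a bad length field should surface as a gap rather than silently resynchronising on the next delimiter.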




NETWORK PROTOCOL COMMAND TABLE

Disassembling Bladabindi reveals the command table function “Ind”. Many of the commands were confirmed through dynamic network analysis; some command functionality was determined through code analysis only and not replicated.




NETWORK VULNERABILITY

The network protocol used by this RAT is easily interpreted using common techniques. The lack of authentication with the C&C and the failure to employ basic encryption/obfuscation leave this RAT vulnerable to tampering/exploitation.



DETECTION

The following indicators were uploaded to AlienVault for blocking:



The following Snort signature will detect Bladabindi network communications (the sid below is a local-range placeholder; set it to fit your ruleset):

alert tcp any any -> any any ( msg:"Bladabindi RAT Network Traffic"; pcre:"/^[0-9]{3}\0[a-zA-Z]{2,4}\|'\|'\|/"; sid:1000001; rev:1; )
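To check what the rule's pcre actually matches before deploying it, here is an added example (not from the post) that runs the same pattern in Python over a few constructed TCP payloads: one Bladabindi-style frame (the command "CMD" is a placeholder, not a real command from the table), one benign HTTP request, and one frame with a 2-digit length field that the signature correctly ignores.

```python
import re

# Added example, not from the post: the Snort rule's pcre applied in Python
# to constructed payloads so the match logic can be checked offline. Python's
# re takes this pattern unchanged except for writing \0 as \x00.
SIGNATURE = re.compile(rb"^[0-9]{3}\x00([a-zA-Z]{2,4})\|'\|'\|")


def detect(payload: bytes):
    """Return the command string if payload begins like a Bladabindi frame,
    otherwise None (useful for enriching an alert with the command seen)."""
    m = SIGNATURE.match(payload)
    return m.group(1).decode("ascii") if m else None


def scan(payloads: list) -> list:
    """Run the signature over a batch of payloads; return (index, command) per hit."""
    hits = []
    for i, p in enumerate(payloads):
        cmd = detect(p)
        if cmd is not None:
            hits.append((i, cmd))
    return hits


# Constructed payloads: a Bladabindi-style frame with placeholder command
# "CMD", a benign HTTP request, and a frame whose length is only 2 digits.
PAYLOADS = [
    b"031\x00CMD|'|'|~|'|'|examples|'|'|1234",
    b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    b"31\x00CMD|'|'|~",
]

if __name__ == "__main__":
    print(scan(PAYLOADS))   # [(0, 'CMD')]
```

Because the pattern is anchored with ^, it only fires when a frame starts at the beginning of the buffer Snort hands to pcre; that is exactly the case for the beacons shown above, where each frame is sent as its own segment.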



CONCLUSION

The Bladabindi RAT is very malicious, but it isn’t special. It employs common persistence techniques, is widely detected by antivirus engines, and its functionality is mirrored by nearly every RAT on the market. The real danger with this trojan is its susceptibility to remote exploitation by other actors.


FILE DETAILS

Filename: SERVER.exe
Packer: None
Hash (MD5): 22e7c961504b78aefa4ab6b0398ef583
Type: Remote Access Trojan (NJRAT)
Sample