Bladabindi RAT

malware analysis bladabindi njrat trojan
OO.exe is a Remote Access Trojan (RAT) known as Bladabindi written in .NET. This is sometimes associated with NJRAT and has been modified heavily over the last several years.
Filename: OO.exe
MD5: 22e7c961504b78aefa4ab6b0398ef583
Video: None

DETAILS

When executed, OO.exe copies itself to the %TEMP% directory, runs the copy, sets up persistence (see PERSISTENCE below), and terminates the original executable. The program then adds a firewall rule with the following command:
  • netsh firewall add allowedprogram "[malware path]" "[malware name]" ENABLE

Once network access has been achieved, the trojan beacons to the C&C server found in its configuration. The configuration for the current file contains various parameters, including the current MUTEX and the C&C IP/port. These settings can be found near offset 0x4a9a, as depicted in the image to the right.


The trojan’s initial beacons contain limited system survey information (left image). The next packet contains the implant’s current configuration settings (right image, shown Base64-decoded).



When the trojan successfully connects to the C&C server it can perform the following RAT functionality:
  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • uninstall itself
  • send the list of running processes to a remote computer
  • terminate running processes
  • execute shell commands
  • delete Registry entries
  • create Registry entries
  • capture screenshots

DROPPED FILES

  • C:\Users\User\AppData\Local\Temp\OO.exe

PERSISTENCE

  • C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OO.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\[path-to-malware\OO.exe]

NETWORK PROTOCOL ANALYSIS


The Bladabindi trojan communicates via TCP, does not authenticate with the C&C, and does not use any obfuscation/encryption aside from Base64 in some fields.


The first 4 bytes carry the packet length as an ASCII decimal number; its value is [TotalPacketLength - 4], i.e. the number of bytes that follow the header. The digits occupy the first 3 bytes and the 4th byte must be a NULL terminator.


The next set of bytes contains the command sent to the implant by the controller. In my testing this field ranged from 2 to 4 bytes and consisted of ASCII characters (see the command table below).


The next field is a custom delimiter that separates commands, data and parameters. In my testing it always contained the ASCII string |'|'| and is most likely configurable via the implant's settings. The number of delimiters varies depending on the command. In the following example we see 3 parameters being passed to the implant [ ~, examples, 1234 ].
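The framing described above (3-digit ASCII length plus NULL, a short command, |'|'|-separated fields, some of them Base64) as an added decoder for captured traffic; this is example code written for this write-up, not code from the sample. The command names, field values and the Base64 string in SAMPLE_STREAM are constructed for the example, and the length check covers the case where several frames arrive in one TCP segment.

```python
import base64
import re

DELIM = b"|'|'|"  # field delimiter seen in testing
FRAME_RE = re.compile(rb"^[0-9]{3}\0[a-zA-Z]{2,4}\|'\|'\|")  # same PCRE as the Snort rule

def matches_signature(data: bytes) -> bool:
    """3 ASCII digits, NUL, a 2-4 letter command, then the delimiter."""
    return FRAME_RE.match(data) is not None

def iter_frames(stream: bytes):
    """Walk a reassembled TCP payload frame by frame using the length header."""
    pos = 0
    while pos < len(stream):
        hdr = stream[pos:pos + 4]
        if len(hdr) < 4 or not hdr[:3].isdigit() or hdr[3:4] != b"\0":
            raise ValueError(f"bad length header at offset {pos}: {hdr!r}")
        size = int(hdr[:3])  # number of bytes that follow the 4-byte header
        body = stream[pos + 4:pos + 4 + size]
        if len(body) != size:
            raise ValueError(f"truncated frame at offset {pos}: want {size}, have {len(body)}")
        yield body
        pos += 4 + size

def is_well_framed(stream: bytes) -> bool:
    try:
        return sum(1 for _ in iter_frames(stream)) > 0
    except ValueError:
        return False

def _maybe_b64(field: bytes) -> str:
    """Decode Base64 only when it is well-formed and yields printable ASCII."""
    try:
        plain = base64.b64decode(field, validate=True).decode("ascii")
        if plain.isprintable():
            return plain
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        pass
    return field.decode("latin-1")

def parse_frame(body: bytes):
    """Return (command, [fields]); fields are split on DELIM and decoded when safe."""
    parts = body.split(DELIM)
    if not (2 <= len(parts[0]) <= 4 and parts[0].isalpha()):
        raise ValueError(f"unexpected command token {parts[0]!r}")
    return parts[0].decode("ascii"), [_maybe_b64(p) for p in parts[1:]]

def decode_stream(stream: bytes):
    return [parse_frame(f) for f in iter_frames(stream)]

# Constructed sample (two frames back to back); "cmd"/"cfg" and the fields are placeholders.
SAMPLE_STREAM = (b"031\0cmd|'|'|~|'|'|examples|'|'|1234"  # three plain fields
                 b"020\0cfg|'|'|bXV0ZXg9YWJj")  # one Base64 field -> "mutex=abc"
```

Note that "examples" and "1234" are valid Base64 alphabet but decode to non-printable bytes, which is why the decoder only replaces a field when the result is printable ASCII.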



NETWORK PROTOCOL COMMAND TABLE

Disassembling Bladabindi reveals the command-dispatch function “Ind”. Many of the commands were confirmed through dynamic network analysis; some command functionality was determined from code analysis alone and was not replicated.




NETWORK VULNERABILITY

The network protocol used by this RAT is easily interpreted with common techniques. The lack of authentication with the C&C and the absence of any encryption or obfuscation beyond Base64 leave this RAT vulnerable to tampering and exploitation.

DETECTION

The following SNORT signature will detect Bladabindi network communications. A content match on the delimiter bytes (7C 27 7C 27 7C) is given so the rule goes through the fast-pattern matcher before the pcre runs, and a placeholder sid/rev is included because Snort refuses to load a rule without one; replace 1000001 with a sid from your local range.
  • alert tcp any any -> any any ( msg:"Bladabindi RAT Network Traffic"; content:"|7C 27 7C 27 7C|"; pcre:"/^[0-9]{3}\0[a-zA-Z]{2,4}\|'\|'\|/"; sid:1000001; rev:1; )

CONCLUSION

The Bladabindi RAT is very malicious, but it isn’t special. It employs common persistence techniques, is widely detected by antivirus engines, and its functionality is mirrored by nearly every RAT on the market. The real danger with this trojan is its susceptibility to remote exploitation by other actors.