Bladabindi Malware Abusing Pastebin.com as Infection Vector

  • 1
    Share

Earlier, malware authors kept their payloads on Command and Control (C&C) servers or compromised websites. And to do this, they had to setup their C&C server or compromise a genuine website. But now, they don’t need to bother about such things, as they have started using genuine file sharing sites like “Pastebin.com” which allows user to store malware in plain-text. Pastebin.com is a well-known website where users can store plain text.

While analyzing malware samples, we found that the malware is downloading the “Base64” encoded text from pastebin.com. On decoding this Base64 data, we received an executable file which is the main payload of the malware. Most of these executables are from “Bladabindi” family.

The downloader enters into the user’s computer using various techniques like spam emails and social engineering. In this report, we will see how pastebin.com is misused with analysis of one malware sample.

Analysis of Bladabindi (MD5: 0C34D70FF9DD1BA3B7BFE9F4FBA8F010)

The file is an Auto-it installer. On execution, it drops two executable files at “C:\Documents and Settings\[user]\Local Settings” and executes the same. The dropped files are as follows:

  1. TempWinToFlash.exe: Genuine tool used to create bootable USB with any Windows Setup from a DVD/ISO
  2. TempWindows.exe: Copies itself in “%temp%” as system.exe and executes it. Now this system.exe downloads Base64 encoded file from “pastebin.com\download.php?i=pejXu40a” decodes it and injects the decoded executable in self-process. Thereafter, all activities are carried out by this downloaded file.

This Base64 Encoded file on Pastebin.com looks like the below figure 1.

Figure 1

Figure 1

After Base64 decode it is .Net file as below.

Figure 2

Figure 2

Activity of Main_Component.exe (In memory component)

This component is developed using Microsoft Visual Basic.Net.

Auto-run

It copies system.exe in “Startup” folder as 12ce4e06a81e8d54fd01d9b762f1b1bb.exe

Registry changes for Auto-run

It adds the following auto-run registry entry:

  1. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\

12ce4e06a81e8 d54fd01d9b762f1b1bb:  “%temp%\system.exe”

  1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

12ce4e06a81e8d54fd01d9b762f1b1bb : “%temp%\system.exe”

Other Registry Changes

It also adds the following registry entry:

HKEY_CURRENT_USER\Environment\SEE_MASK_NOZONECHECKS = 1

Further it saves downloaded Base64 encoded data in registry such as:

HKEY_CURRENT_USER\Software\12ce4e06a81e8d54fd01d9b762f1b1bb\f8c065f4e758233f0d12dc9b8cf7a2ce = [Base64_Encoded_Main_Payload]

Bypass Firewall:

It executes the following command to bypass Firewall:

netsh firewall add allowedprogram  [Path_Of_system.exe] ENABLE

Main Activity

This backdoor gathers the following data and sends it to C&C server:

  • Computer name
  • User name
  • OS version
  • Date of installation

It provides the following RAT functionalities to the attacker:

  • Keylogging
  • Capturing screenshots
  • Bypassing Firewall
  • Process Management: start new process or kill any process
  • Registry Management: get or set registry key/value
  • Provides remote shell access to the attacker
  • Downloading and executing files
  • Updating current RAT
  • Compressing files for uploading
  • Deleting self-copies

The main payload of the virus saves all keystrokes in the registry as shown in figure 3.

Figure3

Figure3

Encryption and decryption

The malware sends all data in Base64 encoded format. Except files are uploaded after ZIP compression.

The backdoor supports following commands:

“CAP” Take screen shot and send it to C&C.
“kl” Sends key logged data in Base64 encoded format.
“rn” Download and execute file.
“un” + “~” Bypass firewall  by using

“netsh firewall delete allowedprogram \””.

“un” + “!” End current application.
“un” + “@” Start new process and end current application.
“Up” Update RAT downloads new file and replace it with current.
rss Remote shell
inf Send information of installed malware component like:

Installed volumes serial number, Auto run Registry Key, Exe Process with path, etc.

RG + “~” List all registry sub-keys and  values of specified registry key
RG +  “!” Set Registry value as specified key
RG +  “@” Delete value for specified Registry key
RG +  “#” Create Sub-Key for specified key
RG +  “$” Delete sub-key tree for specified registry key

 

Tricks used by the malware to avoid detection and cleaning

  1. Critical process

It makes itself as a critical process to prevent it from being stopped. The infected system may crash with a stop code 0x000000F4 if the malware process is interrupted. This can make it difficult to clean the computer when the malware is running.

  1. Registry resident non executable payload

Downloaded file is never saved on the disk, but it gets saved in the registry. The next time the system is booted, the downloaded file is read from the registry and decoded; the decoded executable is then injected into the system.exe process.

  1. Bypass automated analysis or make analysis difficult

The first component mentioned above (0C34D70FF9DD1BA3B7BFE9F4FBA8F010) is an auto-it installer. The Auto-It script contains the following code:

bladabindi 4

Due to this code, it will not show any malicious activity when any one of these monitoring tools is running. This enables the malware to bypass automated analysis. It also makes it difficult for analysts to manually analyze the sample.

Statistics about the “pastebin.com”

The main payload is stored in Base64 encoded format. We have found more than 100 Base64 encoded files on “pastebin.com”. Almost all of these files are malicious. Interestingly, 90% of them belong to the same malware family i.e., Bladabindi. The Bladabindi samples have been listed below:

File Name MD5(After Base64 Decryption) Date Uploaded No. of Downloads
maYGSJCE.txt d6970b1ecb80a3d547e8f4e02cee5398 24-Jan-16 1288
6A2bWaLW.txt 3bbcf3bd1da31a9db42016c4df579efe 7-Feb-16 46
etyinjbb.txt e52e16c23ae389045ce8f3016baf2917 9-Feb-16 60
ypi89T1N.txt 50bdce08a13587a9163d2e3e15038b3c 11-Feb-16 96
Kc063FLa.txt 0ca6c92280ca9f6c0d6f3de565102789 13-Feb-16 90
r73g5ZcQ.txt 6cafb49af51a081dfabea417ddf63382 15-Feb-16 17
4vkGXgMm.txt 0332726731694abcc3859ab31d910178 19-Feb-16 46
4UNdJehk.cs 777252b978e8fded255d87dd4e141865 25-Feb-16 49
g4TpnaQx.txt 291b7a2bccc2cd132a3a7ada301687ca 25-Feb-16 50
YyVDCPGF.txt e52c69649019a84e4f00616b029c4813 29-Feb-16 46
G4pyW8Nd.cs 6926608e7cf967597ab16a8e615a1295 1-Mar-16 48
PnTq9Tzu.txt 8c3906072e1767ce83fde2dcfb4ae5a0 4-Mar-16 41
sN33WjEs.txt c38f4c069940318236f265df4bf50369 6-Mar-16 43
7kmFXuv2.txt 8fc065c4e26c3088f4ee510d679fcb50 6-Mar-16 45
qgW3iaZd.txt e00d4bc57c9613d78b89c6175fa5c422 6-Mar-16 55
tNyvK9La.txt 5c6365694e219baaa93c964265a99d8e 10-Mar-16 46
QmYfNwMe.txt cbaebc74b7991028d8b0deb7a7feef5b 13-Mar-16 46
w8pR9Kx7.txt 54a00dce2b6150b991d69d72aa20f88f 27-Mar-16 61
WPveSANA.txt dd7971459d2f2436a2d7ded062560ebe 28-Mar-16 54
vbFuaG8B.txt e1d6994007b77db2137b3c37211da641 28-Mar-16 42
jKjxmp3H.txt 011b816123c586362ff84c40c5367e5f 28-Mar-16 47
JL0AhHvt.txt cfdd43745ada1e35e0d54a1c03372fc5 28-Mar-16 42
J7yDkhG4.cs 37087fb23720f2d153d5d93ff5ac2b02 28-Mar-16 47
FWy2Bwze.txt f712efdecf834da398a68ceb2b1066bc 28-Mar-16 50
d7b36SCq.txt b6029da18724abd87efbab6942cf2ad 28-Mar-16 50
b2S1QH7b.txt 4befc92ce3d59e7f91c29d967cb2e51 28-Mar-16 47
wWUCRtUn.txt 7B75861CCF60960CB7A4510F62DCC759 3-Aug-15 204
X9qT2gdv.txt B6E3214B8571667E9E6C8D949143A409 2-Aug-15 203
pMFr9T7Z.txt 95175B900A661E6517466ECDBB11F8EC 2-Aug-15 182
WSm8bhnD.txt 38C833ED93ECCB73EA652749AB5FF6D2 2-Aug-15 189
q6TcsD93.txt A7DE2A7A3E88EC73A6E5DDDAF1EBFEF4 1-Aug-15 211
5c4Gkx4s.txt 1DA67EB93E87C84F538D7070EB9EF946 1-Aug-15 229
gmePj6As.txt B31E511502634C47067B2247D487AE52 30-Jul-15 170
B0YtjY5d.txt 0C9F01C2417B8E45C51E29A544B5D8FE 30-Jul-15 212
SDfnfN22.txt 467DEE8AC854B9294D818900847EC986 30-Jul-15 182
UCNZ6vAT.txt D46A18E03CA59BD1F9925C70D3C537C1 29-Jul-15 192
bJWCCZcH.txt 712B9273724AFE942B52D31593EBC020 28-Jul-15 192
ziN2uncg.txt C4481C61E8FC87627E74B9E86DFA5984 22-Jul-15 195
zy7aQ0XC.txt 959E924082E4F6B12CFC802FD0E5E2CB 14-Jul-15 156
dcQbqCHN.txt E50FD6BC5E6969AA3D10C34ED9EAC0BB 22-Jul-15 189
8y93ZV9w.txt 80E4F2BD93CFAD05C27D82DB52A67173 2-Jul-15 233
hcYBCaqP.txt CEA83249D6DD7E0DA1233AA694A241A4 27-Jul-15 209
J9HkHtEQ.txt 0CAD1A373392EB6C494F8B1991E45978 24-Jul-15 195
ympQ7j6V.txt 9F6BD8384EF226AC45AEF44D6DB54391 14-Jul-15 178
ynbvfred.txt 1642873BBEF7D991DF11539E16CA6000 29-Jul-15 217
ZwCAc7A4.txt 6C30D822F38114E6D2B68BD7A7618568 15-Jun-15 219
KCyVSNK1.txt 800388926C83A71121562308FDC1B105 23-Apr-15 191
7GC1AXmv.txt 2B155E4268482A8CEE87CA27E400C803 19-Mar-15 211
Ym7e4iDh.txt F15353C8FD5EA57C02417A8921DCBD5B 27-Mar-15 218
KPuZ5NQX.txt 487C285566533C4CFC9AF6A3814CBB3B 23-Jan-15 215
kjipFGzz.txt 652302915BDE357879A8594E62E32808 13-Oct-14 220
TOTAL 7564

Quick Heal Detection

Component Name/Description MD5 Quick Heal Detection Name
Random_Name.exe 0C34D70FF9DD1BA3B7BFE9F4FBA8F010 TrojanDownldr.Bladabindi.BS64
TempWindows.exe EBB8BC149C8D7FFBAFD8D232BDD9D796 TrojanDownldr.Bladabindi.BS64
Main Payload 959E924082E4F6B12CFC802FD0E5E2CB Backdoor.Bladabindi.AL3

Conclusion

Malware authors are abusing “pastebin.com” for spreading different malware families. As per our analysis among all these families, “Bladabindi” RAT is spreading rapidly. More than 7500 users have been infected via pastebin.com since 2015. As the main payload is never stored on the disk, it is difficult to detect such malware.

Acknowledgment

Subject Matter Experts

  • Prakash Galande
  • Sagar Daundkar
    – Threat Research & Response Team

 

Rajiv Singha

Rajiv Singha

Follow @Singha_Ra

No Comments, Be The First!

Your email address will not be published.

CAPTCHA Image