# Bladabindi Remains A Constant Threat By Using Dynamic DNS Services **[blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services](https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services)** November 30, 2016 Threat Research By [Lilia Elena Gonzalez Medina | November 30, 2016](https://blog.fortinet.com/blog/search?author=Lilia+Elena+Gonzalez+Medina) The Fortinet research team has been developing a industrial-grade analysis system that allows us to concentrate information from samples collected from a variety of sources. Using this tool, we recently started to see the recurrence of URLs from the domains hopto.org and myftp.biz. In most cases, each sample was connected to a unique URL in one of the domains, although we also found some samples that connected to the same URL. ----- Figure 1. Examples of the domains and samples collected by the team’s FortiGuard analysis system This threat, also known as njRAT, is detected as [MSIL/Bladabindi.U!tr or](https://www.virustotal.com/en/file/6e31148cc1b3235b71731c3944a7b06f861e104e978708d12c695ec09b5b3760/analysis/) [MSIL/Agent.LI!tr by](https://www.virustotal.com/en/file/88ae50176898a04cc982af3f23e67144e544a1224f5ac06c4abf61e59e54aa4a/analysis/) the Fortinet AntiVirus service. If installed, the user’s private data is compromised because of the malware’s capability to provide the malicious actor with unauthorized access to the infected computer in order to collect different kinds of information, such as: screenshots, words typed (which often include usernames, passwords, websites, documents, etc.),running processes, pictures taken with the webcam, etc. **Threat Description** This malware family uses the .NET framework. And this sample in particular has two important classes called kl and OK. **kl** This class uses the functions GetAsyncKeyState, GetKeyboardLayout, GetKeyboardState, GetWindowThreadProcessId, MapVirtualKey and ToUnicodeEx to capture keystrokes. **OK** This class contains the other functionalities of the RAT. The important activities are summarized below: ----- Makes the following modifications to the registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\050ed846adcc1b8729af0a70a0fefe4d: “”C:\Users\\AppData\Local\Temp\server.exe” ..” HKCU\Software\050ed846adcc1b8729af0a70a0fefe4d\[kl]: “” HKCU\Software\Microsoft\Windows\CurrentVersion\Run\050ed846adcc1b8729af0a70a0fefe4d: “”C:\Users\\AppData\Local\Temp\server.exe” ..” HKCU\di: “!” The string “050ed846adcc1b8729af0a70a0fefe4d” is hardcoded in the sample. Besides storing the keylogger logs, the sub registry key HKCU\Software\050ed846adcc1b8729af0a70a0fefe4d\ also contains malicious executables loaded from the sample as binary data. Figure 2. Malicious executables stored in Windows Registry All those samples are, of course, detected by the Fortinet AntiVirus service: [2681e81bb4c4b3e6338ce2a456fb93a7 Detected as MSIL/Bladabindi.U!tr](https://www.virustotal.com/en/file/6e31148cc1b3235b71731c3944a7b06f861e104e978708d12c695ec09b5b3760/analysis/) [8e78a69ca187088abbea70727d268e90 Detected as MSIL/Bladabindi.U!tr](https://www.virustotal.com/en/file/6e31148cc1b3235b71731c3944a7b06f861e104e978708d12c695ec09b5b3760/analysis/) [b88ece4c04f706c9717bbe6fbda49ed2 Detected as W32/Agent.CPGR!tr](https://www.virustotal.com/en/file/a3e4bee1b6944aa9266bd58de3f534a4c1896df621881a5252a0d355a6e67c70/analysis/) c4d7f8abbf369dc795fc7f2fdad65003 Detected as MSIL/Bladabindi.U!tr The strings in b88ece4c04f706c9717bbe6fbda49ed2 reference No-IP’s Dynamic Update Client (DUC) that automatically updates the IP address if it changes, but also contain lines like “SELECT * FROM moz_logins” to obtain Firefox’s stored credentials. ----- Figure 3. Part of a malicious executable stored as data Creates the mutex 050ed846adcc1b8729af0a70a0fefe4d. If the mutex already exists, the sample calls ProjectData.EndApp to close all related files and stop the process. Checks whether a file called server.exe already exists in C:\Users\\AppData\Local\Temp\. If it exists, the sample deletes it. Otherwise, the file is created and executed. The file server.exe is a copy of the sample. Creates an environment variable called “SEE_MASK_NOZONECHECKS” and sets its value to 1. Creates a rule to allow the process server.exe on the Windows firewall. Figure 4. Command used by the sample to create a firewall rule Copies server.exe in the Startup folder. Checks the value of HKCU\Software\050ed846adcc1b8729af0a70a0fefe4d\[kl] because the keylogger stores what it captures in this registry key, to later send to its C&C. ----- Figure 5. Example of the keylogging functionality Uses GetWindowText to copy the text of the active window's title bar to later send to the remote server coded in base64. Gets information about the C: drive, particularly the volume serial number. When all the necessary information has been collected, the sample generates a string with the data coded in base64, and with this structure: “ll” + HacKed22_VolumeSerialNumber + ComputerName + Username + LastWriteTimeOfSampleinTemp + OSandServicePack + Architecture + Camera(Yes/No) + 0.7d (PossiblyTheMalwareVersion) + .. + ActiveWindowName + ActiveWindowName… This stolen information is sent to the malicious URL in hopto.org or myftp.biz domain using port 1177, 5552, or 5112, depending on the sample. The traffic can be detected by Fortinet IPS signature Bladabindi.Botnet. ----- Figure 6. Fragment of the coded data sent to the C&C Here are some examples of the decoded windows names: Temp: VGVtcAA= Roaming: Um9hbWluZwA= Regshot 1.9.0 x86 Unicode: UmVnc2hvdCAxLjkuMCB4ODYgVW5pY29kZQA= Local: TG9jYWwA Process Monitor Filter: UHJvY2VzcyBNb25pdG9yIEZpbHRlcgA= Applying Event Filter: QXBwbHlpbmcgRXZlbnQgRmlsdGVyAA== Event Properties: RXZlbnQgUHJvcGVydGllcwA= Create dump of server.exe: Q3JlYXRlIGR1bXAgb2Ygc2VydmVyLmV4ZQA= Uses the function capGetDriverDescriptionA to find out if the infected computer has a webcam installed. Deletes the keys and files related to the infection. It also includes functions to decompress zip files and obtain MD5 hashes. ----- The sample responds to the commands sent from its C&C. The following table explains some of them: kl Sends the data collected by the keylogger. prof + “~” prof + “!” prof + “@” Adds a value to the subkey HKCU\Software\050ed846adcc1b8729af0a70a0fefe4d\ Adds a value to the subkey HKCU\Software\050ed846adcc1b8729af0a70a0fefe4d\ Sends data to the C&C. Deletes the specified registry key. rn Downloads a file and executes it. ret Obtains the collected passwords. CAP Takes screenshot, saves it as JPEG, and sends it to its C&C. un + “~” Un + “!” Un + “@” Deletes the registry keys, the file server.exe in the Startup folder and the firewall rule to allow it. Ends current process. Ends current process and starts a new one. Up Downloads file from a remote server and executes it. Afterwards it deletes the registry keys and the files related to the infection. This command is used for updates. Ex Obtains information about the running processes, the services, and the active connections. ----- CH Opens a chat window so that the C&C can communicate with the infected computer. A fragment of the decompiled code for the “CAP” command to take screenshots can be seen below. It basically uses CopyFromScreen to copy the screen’s pixels to the bitmap through a graphic object. Figure 7. Fragment of code to take screenshots **C&C interface** When active, the domain prosa15.myftp.biz is used by the sample to connect to its C&C through port 1177. To simulate the RAT behavior in a controlled environment, a sample of njRAT was downloaded and installed. Once the sample connected to the C&C, the panel displayed information such as its IP address, its computer name, country, whether a webcam was installed, the active window, and a small screenshot. Figure 8. njRAT’s administration panel ----- The picture below shows part of the data collected by the keylogger. Not only does it record the pressed keys, but it also specifies the window in which the words were written. Figure 9. Keylogger window As mentioned above, the malware is also capable of collecting active processes, services, and connections, accessing the registry keys, and executing commands with a remote shell. Figure 10. Other capabilities of the RAT **Statistics** Both hopto.org and myftp.biz domains are available, amongst various other options, from the dynamic DNS provider called No-IP. The use of this service guarantees that an infected PC will be able to maintain communication with its C&C even if it changes the IP address. From September 12 to November 16, our FortiGuard analysis system collected 194 samples connecting to hopto.org or myftp.biz. ----- Out of those, 166 were related to Bladabindi samples and the rest to different threats, which indicates that the use of dynamic DNS providers could now be more common amongst malware writers. Although it is common for this malware family to report to its C&C using port 1177, the information gathered reveals that ports 5552 and 5112 are also now being used. Finally, the next chart shows the number of samples collected by our FortiGuard analysis system from September 12 to November 16. ----- **Conclusion** The Bladabindi malware family continues to be one of the most popular threats because of how easy it is to download. In fact, there are plenty of videos and websites available that provide detailed tutorials of how to use it. One proof of its ease of use is the fact that many of the collected samples hadn’t been submitted to Virus Total at the time of the analysis. Furthermore, the samples we examined use dynamic DNS services that make it hard to monitor and keep track of the domains and the IP addresses used. ## Related Posts Copyright © 2022 Fortinet, Inc. All Rights Reserved [Terms of ServicesPrivacy Policy](https://www.fortinet.com/corporate/about-us/legal.html) | Cookie Settings -----