Exclusive, CSE CybSec ZLAB Malware Analysis Report: The Bladabindi malware

The CSE CybSec Z-Lab Malware Lab analyzed a couple of new malware samples, belonging to the Bladabindi family, that were discovered on a looking-good website.

ZLab team detected two new threats hosted on a looking-good website www[.]camplace[.]com/live-cams. Both malware looks like a legitimate app that users have to install in order to access the media file hosted on the website.

Bladabindi

Figure 1 – Homepage of the malicious website

 

The malicious website (www[.]6th-sense[.]eu), hosts 2 different malware samples:

  • “6thClient.exe” can be downloaded clicking the pop-up button on the homepage inviting users to download the client indicated on the screen.
  • “Firefox.exe” is hosted on the path “www[.]6th-sense[.]eu/Firefox.exe

Both malware act as spyware, in particular, “Firefox.exe” seems to act as a bot, because it waits for specific commands from a C&C.

Analyzing the TCP stream, we can see the communication session performed by malware with the C&C:

Bladabindi

  1. The first row shows the PC’s name, User’s name, and the OS’s version.
  2. There are two recurrent words: “nyan” and “act”
    1. the first word represents a separator among the information sent to the C2C
    2. the second one represents the category of the information sent by the bot. in this case it is the ‘action’ performed by the host, in particular, it is the name of the window in the foreground
  3. In the middle, we can see some strings coded in Base64. These strings represent the window’s title in the foreground.

The C2C acknowledges the result sending the number Zero to the bot, probably this value indicates that there are no commands to execute on the host.

Both Malware would seem to belong to the malware family Bladabindi.

Bladabindi is a Trojan malware that steals confidential information from the compromised computer. Hackers also use it as a Malware downloader to deliver and execute other malware. With this malware, cybercriminals could steal

  • Your computer name
  • Your native country
  • OS serial numbers
  • Windows usernames
  • Operating system version
  • Stored passwords in chrome
  • Stored passwords in Firefox

You can download the full ZLAB Malware Analysis Report at the following URL:

http://csecybsec.com/download/zlab/20171221_CSE_Bladabindi_Report.pdf


Pierluigi Paganini

(Security Affairs – Bladabindi malware, data stealer)



The post Exclusive, CSE CybSec ZLAB Malware Analysis Report: The Bladabindi malware appeared first on Security Affairs.



Leave a Reply