The CSE CybSec Z-Lab Malware Lab analyzed a couple of new malware samples, belonging to the Bladabindi family, that were discovered on a looking-good website.

ZLab team detected two new threats hosted on a looking-good website www[.]6th-sense[.]eu. Both malware looks like a legitimate app that users have to install in order to access the media file hosted on the website.

The malicious website (www[.]6th-sense[.]eu), hosts 2 different malware samples:

“6thClient.exe” can be downloaded clicking the pop-up button on the homepage inviting users to download the client indicated on the screen.

“Firefox.exe” is hosted on the path “www[.]6th-sense[.]eu/Firefox.exe”

Both malware act as spyware, in particular, “Firefox.exe” seems to act as a bot, because it waits for specific commands from a C&C.

Analyzing the TCP stream, we can see the communication session performed by malware with the C&C:

The first row shows the PC’s name, User’s name, and the OS’s version. There are two recurrent words: “nyan” and “act” the first word represents a separator among the information sent to the C2C the second one represents the category of the information sent by the bot. in this case it is the ‘action’ performed by the host, in particular, it is the name of the window in the foreground In the middle, we can see some strings coded in Base64. These strings represent the window’s title in the foreground.

The C2C acknowledges the result sending the number Zero to the bot, probably this value indicates that there are no commands to execute on the host.

Both Malware would seem to belong to the malware family Bladabindi.

Bladabindi is a Trojan malware that steals confidential information from the compromised computer. Hackers also use it as a Malware downloader to deliver and execute other malware. With this malware, cybercriminals could steal

Your computer name

Your native country

OS serial numbers

Windows usernames

Operating system version

Stored passwords in chrome

Stored passwords in Firefox

You can download the full ZLAB Malware Analysis Report at the following URL:

http://csecybsec.com/download/zlab/20171221_CSE_Bladabindi_Report.pdf

Pierluigi Paganini

(Security Affairs – Bladabindi malware, data stealer)

Share this...

Linkedin Reddit Pinterest

Share On