{"id":20114,"date":"2024-03-05T14:37:22","date_gmt":"2024-03-05T14:37:22","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=20114"},"modified":"2024-03-13T06:05:31","modified_gmt":"2024-03-13T06:05:31","slug":"backdoorwin32-bladabindiml-analysis-removal-guide","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/backdoorwin32-bladabindiml-analysis-removal-guide\/","title":{"rendered":"Backdoor:Win32\/Bladabindi!ml Analysis & Removal Guide"},"content":{"rendered":"

Backdoor:Win32\/Bladabindi!ml is a generic detection name used by Microsoft Defender. It specifically refers to a backdoor malware known as njRAT<\/strong>, capable of hacking into and controlling victims’ computers. In which cases it is a dangerous trojan and in which cases it is a false positive detection, we will understand in this article.<\/p>\n

What is Backdoor:Win32\/Bladabindi!ml?<\/h2>\n

Backdoor:Win32\/Bladabindi!ml is the Windows Defender detection<\/strong> for njRAT malware<\/a>, that is categorized as backdoor. “Bladabindi” is one of many names used by antivirus companies to categorize and identify various malware, including njRAT.<\/p>\n

NjRAT is a trojan<\/a> and can be installed on a computer without the user’s knowledge<\/strong>. It acts as a backdoor, giving attackers remote access and control<\/strong> over the infected system. Once installed, njRAT can perform various activities including collecting sensitive information<\/a>, recording keystrokes, stealing passwords, intercepting traffic, and even controlling the computer’s webcam and microphone.<\/p>\n

\"njRAT<\/p>\n

Bladabindi!ml can be spread in a variety of ways. This includes email attachments or malicious links, downloads via malicious websites<\/strong>, exploitation of software vulnerabilities, or social engineering<\/a>. It can also self-propagate by infecting USB drives connected to an infected computer. Cybercriminals can use various methods to trick users into installing njRAT on their computers.<\/p>\n

Bladabindi Backdoor Threat Analysis<\/h2>\n

NjRAT features several versions<\/strong>, detected in different attacks. Nonetheless, they are not much different in terms of their capabilities and effects. Let’s have a look at what dangers a typical Bladabindi sample carries for the system.<\/p>\n

Launch and Detection Evasion<\/h3>\n

Bladabindi employs various techniques to evade detection upon launch. It comes with its own builder, and before attacking, it allows hackers to pre-configure the payload<\/strong> to their needs before it is delivered to the victim’s computer. This includes the name of the executable file, startup key creation in the registry, directory placement within the target system, host IP address, and network port, among others.<\/p>\n

\"setup
njRAT builder and custom settings<\/figcaption><\/figure>\n

Such customization enables njRAT to circumvent many static checks called to avoid antivirus detection. Additionally, the malware utilizes multiple .NET obfuscators<\/a>, making its code challenging to analyze for both humans and automated systems. These features make njRAT a tough nut to both analyze and detect and obviously stand for its success.<\/p>\n

Establishing Persistence<\/h3>\n

After the initial system checks, the Bladabindi backdoor ensures its persistence within the infected system by creating a startup instance, typically in the “C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp” directory. It also manipulates the Windows registry<\/strong> by creating a key with a unique name and a random set of characters and digits under the “HKEY_CURRENT_USER\\Software\\32” hive. These actions ensure that the malware executes each time the system boots up<\/strong>. They maintain a foothold within the infected machine even after reboots.<\/p>\n

\"Registry
Registry entry created by the malware during installation<\/figcaption><\/figure>\n

Data Collection & Other Functionality<\/h3>\n

After finalizing the preparations, njRAT a.k.a Bladabindi performs some basic callouts to the command server<\/a>. Depending on the response, malware can switch to the idle<\/strong>, start collecting user data or pull the additional payload from the remote server. The overall list of actions it can perform is the following:<\/p>\n