BLUERABBIT: A Golang-Based Backdoor with Ransomware and Destructive Capabilities
Meet BLUERABBIT, this Golang-based backdoor, attributed to a likely Iran-nexus threat actor, routes its command-and-control through RabbitMQ (AMQP) for tasking, Redis for state management, and MinIO for S3-compatible data exfiltration. # Phase Description 1 Initial Execution Binary executes, checks HKCU\Software\OneDrive\Environment registry key for prior execution 2 Persistence Creates “OneDrive Update” scheduled task with 60-second repeat interval and startup trigger 3 C2 Registration Connects to RabbitMQ (AMQP), declares a queue named after the victim device 4 Tasking Receives numeric task IDs over AMQP, maps each to a built-in module 5 Reconnaissance Profiles OS, hardware, network, installed software, security products, BitLocker status, drivers, domain 6 Exfiltration Stages files in GUID-named directories, exfiltrates to attacker-controlled MinIO infrastructure 7 Destructive Actions Disables recovery, encrypts files (.candy), and/or wipes disks across all logical drives Capability Matrix BLUERABBIT operates on a modular tasking system. Category Description Remote Access Full remote desktop-style control with keyboard and mouse input via VNC; shell command execution Surveillance Screenshot capture, screen recording, process and Windows service enumeration and management System Profiling OS details, hardware configuration, network settings, installed software, security products, BitLocker status, installed drivers, domain information File Exfiltration Files staged in GUID-named directories and exfiltrated to attacker-controlled MinIO (S3-compatible) cloud storage File Encryption Encrypts files across all logical drives with .candy extension; replaces desktop wallpaper with AI-generated “High-Alert” image Disk Wiping (Single-Pass) Overwrites all drives with random data in a single pass Disk Wiping (Multi-Pass) Writes zeros, random data, and 0xFF in sequence across all drives, rendering systems permanently unrecoverable Anti-Recovery Disables automatic reboot, system recovery, and scheduled maintenance; takes ownership of critical boot files The combination of exfiltration and encryption is consistent with a double extortion model: data is stolen before encryption occurs. Initial Execution and Persistence Upon execution, BLUERABBIT checks the registry key HKCU\Software\OneDrive\Environment to track its execution count. If this key does not exist, the malware assumes it is running for the first time and executes a PowerShell command to establish persistence as a scheduled task named “OneDrive Update,” deliberately impersonating a legitimate Microsoft service. The scheduled task itself must be removed to break persistence. The following registry modifications are made to disable automatic reboot and system recovery: Registry Path Value Effect HKLM\SYSTEM\CurrentControlSet\Control\CrashControl AutoReboot = 0 Prevents automatic reboot on crash HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU NoAutoRebootWithLoggedOnUsers = 1 Blocks reboot while users are logged on HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance MaintenanceDisabled = 1 Disables scheduled maintenance HKLM\SYSTEM\CurrentControlSet\Control\Windows NoAutoRebootWithLoggedOnUsers = 1 Additional reboot suppression HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AlwaysAutoRebootAtScheduledTime = 0 Disables forced scheduled reboot The raw commands, preserved here for detection engineering purposes: Collectively, these modifications ensure that once BLUERABBIT begins encryption or wiping, the system cannot automatically recover, reboot into repair mode, or interrupt the destructive process. Scheduled task fingerprint: The combination of a task named “OneDrive Update,” created via New-ScheduledTaskAction with AllowStartIfOnBatteries, Hidden, and an immediate start trigger, is distinctive and unlikely to appear in legitimate enterprise tooling. Indicators of Compromise Type Indicator File (SHA-256) 633d4cbd496b1094495da89a64f5e6c31a0f6d4d1488411db5b0cba1cfe42001 File (SHA-256) 9706a192e2c1a1faaf0a521daf31c2af60ff4590e3f47bbb4abc