Cyber spies launch massive attacks with the new variant of Bandook malware

Cybercriminals suspected of having ties to the governments of Kazakhstan and Lebanon have launched a massive cyber-espionage campaign against multiple industries, using a new variant of the Bandook malware, a family that is already 13 years old.

Bandook malware was used in the 2015 and 2017 campaigns dubbed Operation Manul and Dark Caracal, respectively. Those campaigns were believed to have been carried out by the governments of Kazakhstan and Lebanon.

Check Point Research reported on the efforts of the attackers to deploy dozens of variants of the digitally signed Bandook Trojan for Windows over the past year.

“Criminals attacked government, financial, energy organizations, IT companies, legal institutions, and businesses in the food industry, healthcare and education in Cyprus, Chile, Germany, Indonesia, Italy, Singapore, Switzerland, Turkey and the United States,” said Check Point Research experts.

According to the experts, the wide variety of targets supports the hypothesis that the malware is not developed in-house by the attackers or used by any one actor, but is part of an offensive infrastructure sold by third parties to governments and hackers around the world.

Bandook attacks are carried out in three stages. They start with the delivery of a fake Microsoft Word document inside a zip archive; when the document is opened, it loads malicious macros that download and execute the second stage, a PowerShell script stored in encrypted form inside the original Word document.

In the final phase of the attack, the PowerShell script downloads encrypted executables from cloud storage services such as Dropbox or Bitbucket and assembles the Bandook loader, which then injects the RAT into a newly created Internet Explorer process.
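The three-stage chain above leaves a recognisable trail in endpoint telemetry: an Office process spawning PowerShell, that PowerShell process reaching out to a public cloud-storage host, and the same process tree ending in an unexpected Internet Explorer child. The following detection sketch is an added example written for this article, not code from Check Point or from the Bandook operators; it runs over a handful of constructed Sysmon-style process and network events and flags a PowerShell process only when all three stages line up in one lineage. The event shapes, field names and sample values are assumptions for illustration.

```python
"""Detect the Office -> PowerShell -> cloud download -> iexplore.exe chain.

Added example: correlates constructed process-creation and network events
(Sysmon-like, simplified) and reports PowerShell processes whose lineage
matches all three stages of the delivery chain described in the article.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Process names that appear at each stage of the chain (assumed, not exhaustive).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
INJECTION_TARGETS = {"iexplore.exe"}
# Cloud-storage domains named in the article as download sources.
CLOUD_DOMAINS = ("dropbox.com", "dropboxusercontent.com", "bitbucket.org")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path as logged
    cmdline: str


@dataclass
class NetEvent:
    pid: int
    dest_host: str  # destination hostname as logged


def _base(image: str) -> str:
    """Lower-cased file name of an image path (handles both slash styles)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_cloud_host(host: str) -> bool:
    """Exact or subdomain match against the cloud-storage domain list."""
    h = host.lower()
    return any(h == d or h.endswith("." + d) for d in CLOUD_DOMAINS)


def analyze(procs: List[ProcEvent], nets: List[NetEvent]) -> Dict[int, Set[str]]:
    """Return {powershell_pid: set of matched stage labels}."""
    by_pid = {p.pid: p for p in procs}
    stages: Dict[int, Set[str]] = {}

    # Stage 1: an Office application spawning a script host.
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent and _base(parent.image) in OFFICE_PARENTS and _base(p.image) in SCRIPT_HOSTS:
            stages.setdefault(p.pid, set()).add("office_parent")

    # Stage 2: a script host contacting a cloud-storage domain.
    for n in nets:
        proc = by_pid.get(n.pid)
        if proc and _base(proc.image) in SCRIPT_HOSTS and _is_cloud_host(n.dest_host):
            stages.setdefault(n.pid, set()).add("cloud_download")

    # Stage 3: a script host creating the injection target (Internet Explorer).
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent and _base(parent.image) in SCRIPT_HOSTS and _base(p.image) in INJECTION_TARGETS:
            stages.setdefault(parent.pid, set()).add("spawns_iexplore")

    return stages


def high_confidence(stages: Dict[int, Set[str]]) -> List[int]:
    """PIDs for which every stage of the chain was observed."""
    required = {"office_parent", "cloud_download", "spawns_iexplore"}
    return sorted(pid for pid, seen in stages.items() if required <= seen)


# Constructed sample telemetry (not real logs): one malicious lineage plus
# a benign PowerShell session launched from cmd.exe that talks to github.com.
SAMPLE_PROCS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\WINWORD.EXE", "WINWORD.EXE invoice.docx"),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc <PLACEHOLDER_BASE64>"),
    ProcEvent(400, 300, r"C:\Program Files\Internet Explorer\iexplore.exe", "iexplore.exe"),
    ProcEvent(500, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(600, 500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-Process"),
]
SAMPLE_NETS = [
    NetEvent(300, "www.dropbox.com"),
    NetEvent(600, "github.com"),
]

if __name__ == "__main__":
    result = analyze(SAMPLE_PROCS, SAMPLE_NETS)
    for pid, seen in sorted(result.items()):
        print(pid, sorted(seen))
    print("high confidence:", high_confidence(result))
```

Only PID 300 matches all three stages on the sample data; the benign PowerShell session (PID 600) triggers none of them because its parent is cmd.exe and its destination is not a listed cloud-storage domain. In a real deployment each stage on its own is noisy (administrators do run PowerShell from Office-adjacent tooling and legitimate scripts do fetch from Dropbox), which is why the example only reports the combination.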

“The Bandook RAT has all the properties of a backdoor, as it connects to a remotely managed C&C server for additional commands, from taking screenshots to performing various file operations,” say Check Point experts.

However, according to the experts, the new version of Bandook is a stripped-down build of the malware that supports only 11 commands, whereas previous versions contained up to 120. This reflects the operators' desire to reduce the malware's footprint and improve its chances of evading detection.

In addition, the executables of the new version are signed with valid certificates issued by Certum. The researchers also found two further sets of samples, fully functional digitally signed variants and unsigned variants, which are believed to be operated and sold by a single person.

Let me remind you that we also covered the Brazilian malware Ghimob, which has learned to attack mobile devices around the world.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on this PC. After graduating from school, I decided to enter the INSA Centre Val de Loire university. This French educational institution was offering a brand-new cybersecurity course. After getting my master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor. In 2018, I decided to start the Virus Removal project. The main goal of this site is to help people deal with PC viruses of any kind.
