Cybercriminals suspected of having ties to the governments of Kazakhstan and Lebanon have launched a large-scale cyber-espionage campaign against multiple industries, using a new variant of the Bandook malware, a family that is already 13 years old.
Bandook malware was used in the 2015 and 2017 campaigns dubbed Operation Manul and Dark Caracal, respectively; both campaigns were believed to have been carried out by the governments of Kazakhstan and Lebanon.
Check Point Research reported on the criminals' efforts to deploy dozens of variants of the digitally signed Bandook Trojan for Windows over the past year.
“Criminals attacked government, financial, energy organizations, IT companies, legal institutions, and businesses in the food industry, healthcare and education in Cyprus, Chile, Germany, Indonesia, Italy, Singapore, Switzerland, Turkey and the United States,” said Check Point Research experts.
According to the experts, the wide variety of targets supports the hypothesis that the malware is neither developed in-house by the attackers nor used by any single actor, but is part of an offensive infrastructure sold by third parties to governments and hackers around the world.
Bandook attacks are carried out in three stages. They begin with the delivery of a fake Microsoft Word document inside a zip file; when opened, the document loads malicious macros that download and execute the second stage, a PowerShell script encrypted inside the original Word document.
In the final stage, the PowerShell script downloads encrypted executables from cloud storage services such as Dropbox or Bitbucket to assemble the Bandook downloader, which then injects the RAT into a newly created Internet Explorer process.
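As an added defender's example (not Check Point's or the article's own tooling), the following Python sketches detection logic for the three-stage chain just described, run over constructed Sysmon-style process-creation and network-connection events; the event field names, image paths and hostnames are assumptions for illustration.

```python
from collections import defaultdict

# Added example (not Check Point's tooling). Event field names and hostnames are assumptions.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
STAGING_DOMAINS = {"dropbox.com", "dropboxusercontent.com", "bitbucket.org"}  # services named in the article
ALL_STAGES = {"office_spawns_powershell", "powershell_to_cloud_storage", "iexplore_from_unusual_parent"}


def _leaf(path):
    """Lowercase image name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _in_domains(dest):
    dest = dest.lower()
    return any(dest == d or dest.endswith("." + d) for d in STAGING_DOMAINS)


def detect_bandook_chain(events):
    """Map host -> list of chain stages seen, from Sysmon-style process/network events."""
    hits = defaultdict(list)
    for ev in events:
        image = _leaf(ev["image"])
        if ev["type"] == "process_create":
            parent = _leaf(ev["parent_image"])
            if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
                hits[ev["host"]].append("office_spawns_powershell")      # macro launches the PowerShell stage
            elif image == "iexplore.exe" and parent not in {"explorer.exe", "iexplore.exe"}:
                hits[ev["host"]].append("iexplore_from_unusual_parent")  # injection target for the RAT
        elif ev["type"] == "network_connect" and image in SCRIPT_HOSTS and _in_domains(ev["dest_host"]):
            hits[ev["host"]].append("powershell_to_cloud_storage")      # encrypted payload fetch
    return dict(hits)


def full_chain_hosts(events):
    """Hosts where every stage was observed: the high-confidence alert."""
    return sorted(h for h, s in detect_bandook_chain(events).items() if ALL_STAGES <= set(s))


# Constructed sample telemetry: ws01 shows the full chain, ws02 only a normal Word launch.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws01", "image": PS, "parent_image": WORD},
    {"type": "network_connect", "host": "ws01", "image": PS, "dest_host": "dl.dropboxusercontent.com"},
    {"type": "process_create", "host": "ws01", "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\loader.exe"},
    {"type": "process_create", "host": "ws02", "image": WORD, "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    print(full_chain_hosts(SAMPLE_EVENTS))  # ['ws01']
```

Each stage alone is noisy (Office legitimately spawns PowerShell in some environments), so the per-host correlation in `full_chain_hosts` is where the signal is.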
“The Bandook RAT has all the properties of a backdoor, as it connects to a remotely managed C&C server for additional commands, from taking screenshots to performing various file operations,” Check Point experts say.
However, according to the experts, the new version of Bandook is a stripped-down variant that supports only 11 commands, whereas previous versions supported up to 120. This points to the operators' desire to shrink the malware's footprint and improve its chances of evading detection.
In addition, the new version of the malware executable was not signed solely with valid certificates issued by Certum: the researchers also found two further sets of samples, fully functional digitally signed variants and unsigned variants, which are believed to be managed and sold by a single person.
Let me remind you that we also wrote about the Brazilian malware Ghimob, which has learned to attack mobile devices around the world.