Espionage Campaign Using Updated Variant of Bandook Spyware
Venezuelan Organizations Are Prime Targets
Researchers at the security firm ESET have uncovered an ongoing espionage campaign using an updated variant of Bandook spyware to target corporate networks in Venezuela and other nations in Latin America.
The campaign dubbed Bandidos targets corporate networks in Spanish-speaking countries, with 90% of the detections in Venezuela, ESET reports. It aims to spy on construction, manufacturing, healthcare, retail and software services companies.
"When comparing the malware used in this campaign with what was previously documented, we found new functionality and changes to this malware, known as Bandook," ESET says. "We also found that this campaign targeting Venezuela, despite being active since at least 2015, has somehow remained undocumented."
The attack begins with victims receiving malicious emails with a PDF attachment containing a shortened URL to download a compressed archive and the password to extract it. One example of a phishing email lure appeared to be a service announcement from a Dublin company, with an apparent business PDF enclosed.
Once extracted, the archive contains an executable file: a dropper that injects Bandook into an Internet Explorer process. "The attackers use URL shorteners such as Rebrandly or Bitly in their PDF attachments. The shortened URLs redirect to cloud storage services such as Google Cloud Storage, SpiderOak, or pCloud, from where the malware is downloaded," the researchers note.
Check Point Research in 2020 discovered around 120 commands in Bandook. The latest ESET report claims to have uncovered 12 more commands, which shows that attackers have improved the malware’s capabilities (see: Researchers Find Updated Variants of Bandook Spyware).
The main commands include listing directory contents, taking screenshots, controlling the cursor on the infected machines, manipulating files and installing malicious DLLs.
The updated malware has ChromeInject functionality, which is aimed at stealing credentials, ESET says. The payload entails downloading a malicious DLL. When a successful communication with the command-and-control server is established, the DLL creates a malicious Chrome extension. This extension attempts to obtain any credentials that the victim adds to a URL. The credentials are saved in Chrome's local storage.
ESET notes that the communication begins by obtaining the IP address from a domain (d2.ngobmc[.]com) located in global variables. Then it establishes a TCP connection to that address using a four-digit port number that changes according to the campaign.
Once the payload establishes a connection, it sends basic information from the victim’s machine, such as computer name, username, OS version, infection date and malware version. The payload maintains active communication with the C2 server waiting for commands to execute.
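The handshake described above (resolve the C2 domain, then open a TCP connection to the returned address on a four-digit port) can be hunted for in DNS and connection telemetry. The script below is an added example, not part of the ESET report: it correlates constructed DNS and connection records (the line format and the hostnames and IPs are assumptions) and flags hosts that resolve the known C2 domain and then connect to the resolved IP on a port in the 1000-9999 range.

```python
"""Hunt for the Bandook-style C2 handshake in DNS and connection records.

Added example, not ESET's tooling. Record format is constructed:
"<ts> <host> dns <domain> <resolved_ip>" or
"<ts> <host> conn <dst_ip> <proto> <dst_port>".
"""
from collections import defaultdict

# Constructed sample telemetry; ws-* hostnames and IPs are placeholders.
SAMPLE_LOG = """\
1001 ws-17 dns d2.ngobmc[.]com 203.0.113.45
1002 ws-17 conn 203.0.113.45 tcp 4321
1003 ws-22 dns example.org 198.51.100.7
1004 ws-22 conn 198.51.100.7 tcp 443
1005 ws-17 conn 203.0.113.45 tcp 80
1006 ws-31 conn 203.0.113.45 tcp 7777
"""

# C2 domain named in the ESET report, kept in refanged form for matching
C2_DOMAINS = {"d2.ngobmc.com"}

def refang(domain: str) -> str:
    """Turn a defanged indicator such as d2.ngobmc[.]com into a real name."""
    return domain.replace("[.]", ".")

def hunt_c2_handshake(log_text: str, c2_domains=C2_DOMAINS):
    """Return (host, ip, port, ts) for each TCP connection a host makes to an
    IP it previously resolved from a C2 domain, on a four-digit port."""
    resolved = defaultdict(set)  # host -> IPs resolved from C2 domains
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, host, kind = int(parts[0]), parts[1], parts[2]
        if kind == "dns":
            domain, ip = refang(parts[3]), parts[4]
            if domain in c2_domains:
                resolved[host].add(ip)
        elif kind == "conn" and len(parts) == 6:
            ip, proto, port = parts[3], parts[4], int(parts[5])
            if proto == "tcp" and ip in resolved[host] and 1000 <= port <= 9999:
                hits.append((host, ip, port, ts))
    return hits

if __name__ == "__main__":
    for host, ip, port, ts in hunt_c2_handshake(SAMPLE_LOG):
        print(f"{ts}: {host} -> {ip}:{port} after resolving a known C2 domain")
```

Host ws-31 connects to the same IP without a matching DNS lookup and is deliberately not flagged here; a second, lower-confidence rule keyed on the IP alone would catch hosts that obtained the address some other way.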
Commands the payload can execute include killing running processes or threads; file manipulation such as reading, moving, deleting or renaming; and obtaining information about the victim’s drive units, such as HDD, CD-ROM and USB devices. The payload can be commanded to take screenshots, control the cursor on the victim’s machine, install or uninstall the malicious DLLs, or close some connections it previously opened. It can also send files to the C2 server and manipulate the Windows Registry: checking whether a registry key or value exists, creating a registry key or value, and deleting a registry key or value.
Other key commands include uninstalling the malware, downloading a file from a URL and executing downloaded files using the function ShellExecuteW. The payload also attempts to obtain a victim’s public IP address, manipulate the Skype program, stop the TeamViewer process, invoke a function named ExecuteTVNew from dec.dll, and check whether Java is installed on the victim’s machine.
Bandook is a hybrid Delphi/C++ malware, ESET reports. "The dropper is coded in Delphi and is easily recognizable because it stores the payload encrypted and base64 encoded in the resource section of the file," researchers note.
The main objective of the dropper is to decode, decrypt and run the payload and to make sure that the malware persists in a compromised system. "The encryption algorithm was CAST-256 in samples from previous years of this campaign, but changed to GOST in 2021," ESET researchers say.
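Because the dropper stores its payload encrypted and then base64-encoded, a quick triage check is to look for long base64 runs in the file's data and measure the entropy of what they decode to: CAST-256 or GOST ciphertext decodes to near-uniform bytes (close to 8 bits per byte), while benign base64-encoded text decodes far lower. The script below is an added example, not ESET's tooling; the sample buffer is constructed, and a real triage would feed in the bytes of the extracted resource section.

```python
import base64
import binascii
import math
import re
from collections import Counter

# Constructed stand-ins: a benign base64 string and a base64 blob whose
# decoded bytes are uniformly distributed, mimicking an encrypted payload.
BENIGN_B64 = base64.b64encode(b"Benign configuration text in resources. " * 4)
ENCRYPTED_B64 = base64.b64encode(bytes(range(256)) * 4)
SAMPLE_BUFFER = (b"MZ\x90\x00" + b"\x00" * 32 + BENIGN_B64 + b"\x00" * 32
                 + ENCRYPTED_B64 + b"\x00" * 32)

# Runs of 64 or more base64 characters with optional '=' padding
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def find_suspicious_blobs(buf: bytes, threshold: float = 7.0):
    """Return (offset, decoded_length, entropy) for every base64 run in buf
    that decodes cleanly to data at or above the entropy threshold."""
    hits = []
    for m in B64_RUN.finditer(buf):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:  # not valid base64 after all; skip the run
            continue
        ent = shannon_entropy(decoded)
        if ent >= threshold:
            hits.append((m.start(), len(decoded), round(ent, 2)))
    return hits

if __name__ == "__main__":
    for off, size, ent in find_suspicious_blobs(SAMPLE_BUFFER):
        print(f"offset {off}: {size} decoded bytes, entropy {ent} bits/byte")
```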
Bandook is a commodity Trojan backdoor that researchers first discovered in 2007. It was spotted in wide circulation in 2018, the security firm Check Point Research reports.
The malware is believed to have originated with the Lebanese General Security Directorate, an intelligence agency in Beirut. It’s been linked to espionage attacks targeting journalists and political dissidents in the region, according to security firm Lookout.
The malware apparently was dormant for the last three years until Check Point researchers discovered digitally signed Bandook versions in 2020. Since then, the malware has been used to target government, financial, energy, food industry, healthcare, education, IT and legal organizations in the U.S., Germany, Italy, Switzerland, Singapore, Cyprus, Chile and Indonesia, the Check Point researchers said.