Researchers Find Updated Variants of Bandook Spyware

Check Point: New Strains Active Around the World
The operators behind the Bandook spyware use lures to get victims to click files that, if opened, install malicious macros. (Source: Check Point Research)

Check Point Research has identified new variants of the long-dormant Bandook spyware that are being used for espionage campaigns across the world.

Bandook is a commodity Trojan backdoor that researchers first discovered in 2007 but was last spotted in wide circulation in 2018, the security firm says in a new report.

The malware is believed to have originated with the Lebanese General Security Directorate in Beirut, an intelligence agency. It’s been linked to espionage attacks targeting journalists and political dissidents in the region, according to security firm Lookout.

The malware apparently was dormant for the last three years until Check Point researchers discovered new digitally signed Bandook versions earlier this year, the report notes. Since then, the malware has been used to target government, financial, energy, food industry, healthcare, education, IT and legal organizations in the U.S., Germany, Italy, Switzerland, Singapore, Cyprus, Chile and Indonesia, the researchers say.

"In the latest wave of attacks, we once again identified an unusually large variety of targeted sectors and locations," the report notes. "This further reinforces a previous hypothesis that the malware is not developed in-house and used by a single entity, but is part of an offensive infrastructure sold by a third party to governments and threat actors worldwide to facilitate offensive cyber operations."

Infection Tactics

Check Point researchers note the latest Bandook versions are spread as malicious Microsoft Word documents within a zip file that is disguised to appear as though it originated with cloud-based services, such as Office365, OneDrive or Azure.

Some of the lures observed by the Check Point researchers include files that spoof government-issued documents, such as passports and notarized documents.

"For example, one of the documents that specifically got our attention depicts an Office365 logo and a preview of a certificate issued by the government of Dubai," according to the Check Point report. "JAFZA - Jebel Ali Free Zone, featured at the top of the document, is an industrial area surrounding the port of Jebel Ali in Dubai, where more than 7,000 global companies are based."

When victims download the documents and click "enable content" to view them, a second-stage malware strain is downloaded, which then executes PowerShell scripts, the report says.

"The decoded PowerShell script downloads a zip file containing four files from a cloud service such as Dropbox, Bitbucket or an [AWS] S3 bucket. The zip file is stored in the user’s Public folder, and the four files are locally extracted," the report notes.

One of these files is a PNG image that conceals hidden components; these are used to download the final-stage component, the Bandook remote access Trojan. Once installed on a device, the malware can take screenshots, download and upload files and execute other commands, the report notes.
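The delivery chain described above (Word document, macro, PowerShell, archive dropped in the user's Public folder) lends itself to a simple behavioural detection. The following is an added example written for this article, not Check Point's code; it runs two rules over constructed Sysmon-style events (process-creation and file-creation records) and reports hosts where both rules fire, since an Office app spawning PowerShell on its own is noisy in many environments.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (not real logs). id "1" = process create, "11" = file create.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "host": "ws01", "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "WINWORD.EXE /n Certificate.docx"},
    {"id": "1", "host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "cmdline": "powershell.exe -enc <base64>"},
    {"id": "11", "host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\Public\update.zip"},
    # Benign: PowerShell launched from Explorer by an admin, no archive written to Public.
    {"id": "1", "host": "ws02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe Get-Date"},
]

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")
PUBLIC_DIR = re.compile(r"^c:\\users\\public\\", re.IGNORECASE)  # the drop location named in the report


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (host, rule) alerts.
    R1: an Office application spawns PowerShell (macro launching the second stage).
    R2: PowerShell writes a .zip under C:\\Users\\Public (second-stage download)."""
    alerts = []
    for ev in events:
        if ev["id"] == "1" and basename(ev["parent"]) in OFFICE_APPS \
                and basename(ev["image"]) == "powershell.exe":
            alerts.append((ev["host"], "R1-office-spawns-powershell"))
        elif ev["id"] == "11" and basename(ev["image"]) == "powershell.exe" \
                and PUBLIC_DIR.match(ev["target"]) and ev["target"].lower().endswith(".zip"):
            alerts.append((ev["host"], "R2-powershell-zip-in-public"))
    return alerts


def hosts_with_full_chain(alerts: List[Tuple[str, str]]) -> List[str]:
    """Hosts where both R1 and R2 fired, i.e. the whole described chain was observed."""
    by_host: Dict[str, set] = {}
    for host, rule in alerts:
        by_host.setdefault(host, set()).add(rule.split("-")[0])
    return sorted(h for h, rules in by_host.items() if rules >= {"R1", "R2"})


if __name__ == "__main__":
    print(hosts_with_full_chain(detect(SAMPLE_EVENTS)))  # ['ws01']
```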

Bandook Variants

Although initially developed as a remote access Trojan, or RAT, Check Point researchers note that the Bandook malware has undergone several iterations since its source code was leaked.

The researchers note, however, that the new variants are not developed from the original Bandook source code leaked in 2007, but from other malware source code.

"We discovered that the very first of the samples was compiled in March 2019 and supported around 120 commands," the report notes. "A sample compiled a few days later - a different signed Bandook variant (with only 11 commands) utilized the very same [command-and-control] server. Since then, all signed samples use only 11 basic commands. The shared [command-and-control] provides clear evidence that both the slimmed-down and the fully-fledged variants of the malware are operated by a single attacker."

The researchers add that all the new Bandook variants appear to have been developed by the same operator because they use the same AES encryption and command-and-control servers.

"It's not uncommon to see threat actors reuse old malware," says Hank Schless, a senior manager for security solutions at Lookout, which previously studied the malware during a 2017 and 2018 campaign called Dark Caracal. "They do this in hopes that updated security solutions might not detect an old malware family."

Although Bandook has been active for the past 13 years, Check Point researchers note its capabilities are still in the developmental stage and are limited when compared to other spyware, such as NSO's Pegasus (see: Judge Rules Facebook's Lawsuit Against NSO Group Can Proceed).

About the Author

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
