Digitally Signed Bandook Malware Once Again Targets Multiple Sectors

A cyberespionage team with suspected ties to the Kazakh and Lebanese governments has unleashed a new wave of attacks towards a multitude of industries with a retooled variation of a 13-calendar year-outdated backdoor Trojan.

Verify Stage Investigation known as out hackers affiliated with a team named Dim Caracal in a new report printed yesterday for their efforts to deploy “dozens of digitally signed variants” of the Bandook Windows Trojan in excess of the earlier calendar year, hence the moment all over again “reigniting desire in this previous malware family members.”

The distinctive verticals singled out by the threat actor consist of govt, fiscal, strength, food stuff business, healthcare, training, IT, and legal establishments found in Chile, Cyprus, Germany, Indonesia, Italy, Singapore, Switzerland, Turkey, and the US.

The unusually huge variety of specific marketplaces and destinations “reinforces a earlier hypothesis that the malware is not made in-household and applied by a one entity, but is portion of an offensive infrastructure sold by a third social gathering to governments and threat actors all over the world, to aid offensive cyber functions,” the researchers said.

Darkish Caracal’s comprehensive use of Bandook RAT to execute espionage on a world-wide scale was 1st documented by the Digital Frontier Basis (EFF) and Lookout in early 2018, with the team attributed to the theft of organization mental residence and personally identifiable data from 1000’s of victims spanning more than 21 international locations.

The prolific team, which has operated at minimum considering that 2012, has been connected to the Lebanese Common Directorate of Common Stability (GDGS), deeming it a country-condition degree innovative persistent menace.

The concurrent use of the exact same malware infrastructure by distinct teams for seemingly unrelated campaigns led the EFF and Lookout to surmise that the APT actor “either utilizes or manages the infrastructure uncovered to be internet hosting a number of common, worldwide cyberespionage campaigns.”

Now the exact same group is back again at it with a new pressure of Bandook, with extra endeavours to thwart detection and examination, per Verify Issue Investigation.

A 3-Stage An infection Chain

The infection chain is a a few-stage approach that begins with a lure Microsoft Word doc (e.g. “Licensed documents.docx”) delivered within a ZIP file that, when opened, downloads destructive macros, which subsequently proceeds to drop and execute a second-stage PowerShell script encrypted inside the authentic Phrase doc.

In the final section of the attack, this PowerShell script is utilised to download encoded executable sections from cloud storage companies like Dropbox or Bitbucket in buy to assemble the Bandook loader, which then will take the accountability of injecting the RAT into a new Web Explorer method.

The Bandook RAT — commercially obtainable beginning in 2007 — comes with all the abilities normally related with backdoors in that it establishes get hold of with a remotely-managed server to obtain more commands ranging from capturing screenshots to carrying out numerous file-similar operations.

But according to the cybersecurity firm, the new variant of Bandook is a slimmed-down model of the malware with aid for only 11 instructions, though prior variations were acknowledged to aspect as lots of as 120 commands, suggesting the operators’ need to decrease the malware’s footprint and evade detection from superior-profile targets.

Which is not all. Not only valid certificates issued by Certum were applied to indication this trimmed model of the malware executable, Look at Position researchers uncovered two much more samples — complete-fledged digitally-signed and unsigned variants — which they believe that are operated and offered by a single entity.

“Even though not as able, nor as practiced in operational safety like some other offensive stability providers, the team at the rear of the infrastructure in these assaults appears to be to boost about time, introducing numerous layers of security, valid certificates and other techniques, to hinder detection and investigation of its operations,” the researchers concluded.

Fibo Quantum