Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: Remote attackers gain control of the infected systems
Severity Level: Critical
A registry key is created to control the behavior of the payload. The key name is the PID of msinfo32.exe, and the value contains the control code for the payload. Once executed with any argument, Bandook creates a registry key containing another control code that enables its payload to establish persistence, and it then injects the payload into a new process of msinfo32.exe.
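The control channel described above (a registry key whose name is the PID of a live msinfo32.exe and whose value carries the control code) is a concrete thing a defender can hunt for. The PowerShell below is an added hunting example, not code from the Fortinet article or from the malware analysis; the article does not name the hive or parent path of the key, so the search roots (`HKCU:\Software`, `HKLM:\Software`) and the recursion depth are assumptions, and the function names `Get-Msinfo32Pids` and `Find-PidNamedRegistryKeys` are my own.

```powershell
# Added hunting example (not from the Fortinet article): look for the Bandook
# pattern described in the text, a registry key whose *name* equals the PID of a
# running msinfo32.exe process. The article does not state the hive or parent
# path of that key, so the roots and search depth below are assumptions.

$SearchRoots = @('HKCU:\Software', 'HKLM:\Software')   # assumption: where to look
$MaxDepth    = 3                                        # assumption: how deep to recurse

function Get-Msinfo32Pids {
    # Collect PID, parent PID and command line of every live msinfo32.exe.
    # The parent is kept because an injector spawning msinfo32.exe is itself
    # worth a look during triage.
    Get-CimInstance Win32_Process -Filter "Name = 'msinfo32.exe'" |
        Select-Object ProcessId, ParentProcessId, CommandLine
}

function Find-PidNamedRegistryKeys {
    param(
        [Parameter(Mandatory)] [int[]] $Pids,
        [string[]] $Roots = $SearchRoots,
        [int] $Depth = $MaxDepth
    )
    # Build a set of PID strings so each key name is a single lookup.
    $pidSet = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($p in $Pids) { [void]$pidSet.Add([string]$p) }
    if ($pidSet.Count -eq 0) { return @() }

    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        # Registry keys are PowerShell containers; PSChildName is the key's own name.
        Get-ChildItem -Path $root -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
            Where-Object { $pidSet.Contains($_.PSChildName) } |
            ForEach-Object {
                # Report the key and every value under it, so the control code
                # (stored in the value, per the article) is captured for triage.
                $values = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    KeyPath    = $_.Name
                    MatchedPid = $_.PSChildName
                    Values     = ($values.PSObject.Properties |
                                  Where-Object { $_.Name -notlike 'PS*' } |
                                  ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
                }
            }
    }
}

$procs = Get-Msinfo32Pids
if (-not $procs) {
    Write-Output 'No msinfo32.exe processes running; nothing to correlate.'
} else {
    $procs | Format-Table -AutoSize
    $hits = Find-PidNamedRegistryKeys -Pids ($procs.ProcessId)
    if ($hits) { $hits | Format-Table -AutoSize }
    else { Write-Output 'No registry keys named after a live msinfo32.exe PID were found.' }
}
```

A hit is a lead, not a verdict: a purely numeric key name can occur legitimately, PIDs are reused after a process exits, and the key is only present while the injector has written it. For continuous coverage, the same correlation (registry key created under a name that matches the PID of a freshly spawned msinfo32.exe) is better expressed as a rule over process-creation and registry-write telemetry, such as Sysmon event IDs 1 and 12/13, than as a one-off scan.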
A variant reported in 2021 required four control codes and created four processes of explorer.
This new variant uses fewer control codes and divides its tasks more precisely.
Payload. Figure 2 is the overview of the payload. Once injected, the payload initializes strings for the registry key names, flags, APIs, etc. It then locates the registry key (named after the msinfo32.exe PID, as described above), decodes and parses the key value, and performs the task specified by the control code.
The control codes play the same role as previous variants, but strings are used instead of numbers.
The variant we found in October 2023 has two additional control codes, but its injector does not create registry keys for them.
These unused control codes have been removed from even newer variants.
When the control code is ACG, the payload can download files for other modules, including fcd.dll. Once it is downloaded, Bandook calls its functions and passes the registry key names as arguments.
C2 communication may use one command to write a registry key and a separate command to read it.
Since most actions are the same as in previous variants, we will focus on communications between Bandook and the C2 server using the new commands added to the most recent variants.
Finally, Bandook sends the file specified by Arg2 to the C2 server.
This action lets the operator monitor the victim's screen and control the computer.
Bandook creates a virtual desktop and assigns it to a newly created thread that establishes a new communication with the C2 server.
If the server responds, Bandook creates another thread to keep sending screenshots to the server.
In the meantime, Thread Control receives coordinates and control codes from the server.
This command asks Bandook to establish a persistence mechanism with sub_13160400, which is also called when the control code is GUM, as shown in Figure 9.
This Cyber News was published on feeds.fortinet.com. Publication date: Thu, 21 Dec 2023 17:13:05 +0000