Colin Mc Hugo
Security Engineer Manager & CEO at Quantum Infinite Solutions Group Ltd.

Bandidos at large: A spying campaign in Latin America

July 23, 2021

ESET Research uncovers an active malicious campaign that uses new versions of old malware, Bandook, to spy on its victims

In 2021 we detected an ongoing campaign targeting corporate networks in Spanish-speaking countries, with 90% of the detections in Venezuela. When comparing the malware used in this campaign with what was previously documented, we found new functionality and changes to this malware, known as Bandook. We also found that this campaign targeting Venezuela, despite being active since at least 2015, has somehow remained undocumented. Given the malware used and the targeted locale, we chose to name this campaign Bandidos.

Bandook is an old remote access trojan: there are references to it being available online as early as 2005, though its use by organized groups was not documented until 2016. The report published that year by EFF, Operation Manul, describes the use of Bandook to target journalists and dissidents in Europe. Then in 2018, Lookout published its research uncovering other espionage campaigns that had different targets but used the same infrastructure. They gave the name Dark Caracal to the group responsible for the attacks. Finally, Check Point’s report in 2020 showed that the attackers had started to use signed executables to target many verticals in various countries.

Previous reports have mentioned that the developers of Bandook might be developers for hire (also known as “malware as a service”), which makes sense given the various campaigns with different targets seen through the years. We must note, however, that in 2021 we have seen only one active campaign: the one targeting Spanish-speaking countries that we document here.

Although we have seen more than 200 detections for the malware droppers in Venezuela in 2021, we have not identified a specific vertical targeted by this malicious campaign. According to our telemetry data, the main interests of the attackers are corporate networks in Venezuela; some in manufacturing companies, others in construction, healthcare, software services, and even retail. Given the capabilities of the malware and the kind of information that is exfiltrated, it seems that the main purpose of these Bandidos is to spy on their victims. Their targets and their method of approaching them are more similar to cybercrime operations than to APT activities such as Operation Manul.

Attack overview

Malicious emails with a PDF attachment are sent to targets. The PDF file contains a link to download a compressed archive and the password to extract it. Inside the archive there is an executable file: a dropper that injects Bandook into an Internet Explorer process. Figure 1 provides an overview of this attack chain.

Figure 1. Overview of a typical attack

Emails that contain these attachments are usually short; one example is shown in Figure 2. The phone number at the bottom of the message is a mobile number in Venezuela, though it is unlikely to be related to the attackers.

Figure 2. Example of a malicious email

The attackers use URL shorteners such as Rebrandly or Bitly in their PDF attachments. The shortened URLs redirect to cloud storage services such as Google Cloud Storage, SpiderOak, or pCloud, from where the malware is downloaded.

Figure 3 and Figure 4 are examples of PDFs used in this campaign. The images used in the PDFs are stock photos available online.

Figure 3. Example of a malicious PDF file

Figure 4. Another PDF file used for social engineering

The content of the PDF files is generic and has been used with various filenames that change between targets. The password for the downloaded archive is 123456.

For a list of URLs used to download the malware, please refer to the section Indicators of Compromise (IoCs).


Bandook is hybrid Delphi/C++ malware. The dropper is coded in Delphi and is easily recognizable because it stores the payload encrypted and base64 encoded in the resource section of the file. The main purpose of the dropper is to decode, decrypt and run the payload and to make sure that the malware persists on a compromised system. The encryption algorithm was CAST-256 in samples from previous years of this campaign, but changed to GOST in 2021.

When the dropper is executed, it creates four instances of iexplore.exe, into which the payload will be injected via process hollowing. Then four entries are created in the Windows registry under HKCU\Software\Microsoft\Windows\CurrentVersion. The names of the registry values are based on the process ID (PID) of each of these newly created processes, and the values are base64 encoded and contain the path to the dropper, a number to identify different actions (explained later), and another value that is not used in the samples we analyzed. The created entries are shown in Figure 5, along with an example of a decoded value.

Figure 5. Registry keys created by the dropper with an example of a stored value (decoded)

Samples from other campaigns follow the same logic, but they use other encryption algorithms.
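To make the registry markers described above concrete for a defender, here is an added Python example (written for this page; it is not ESET's tooling or the malware's code) that walks the values of the key named above, keeps only those whose name is a bare PID, strictly base64-decodes them, and extracts the dropper path and action number. The page states only that the decoded value holds a path, an action number and an unused field; the `|` separator, the sample values and the dropper filename are constructed assumptions, and the PIDs reuse the ones recorded in Table 1 below.

```python
import base64
import binascii
import string

# Registry path named on the page: the dropper writes one value here per
# hollowed iexplore.exe process, and the value name is that process's PID.
DROPPER_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion"

# Separator ASSUMED between the three pieces the page says the decoded value
# holds (dropper path, action number, unused value); the real layout is only
# shown in the page's Figure 5, which is not reproduced here.
ASSUMED_SEPARATOR = "|"

_TEXT = set(string.printable) - set("\x0b\x0c")


def decode_marker(value: str):
    """Strictly base64-decode a registry value and return it as text, or None
    when it is not base64 or does not decode to printable ASCII."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text or any(ch not in _TEXT for ch in text):
        return None
    return text


def find_dropper_markers(values: dict) -> list:
    """Return (pid, dropper_path, action) for values under DROPPER_KEY whose
    name is a bare PID and whose decoded content starts with an executable
    path. `values` maps value name -> value data, as a registry export would."""
    hits = []
    for name, data in values.items():
        if not name.isdigit():          # PID-named values only
            continue
        text = decode_marker(data)
        if text is None:
            continue
        fields = text.split(ASSUMED_SEPARATOR)
        path = fields[0]
        if not path.lower().endswith(".exe") or ":\\" not in path:
            continue
        action = int(fields[1]) if len(fields) > 1 and fields[1].isdigit() else None
        hits.append((int(name), path, action))
    return sorted(hits)


def _b64(text: str) -> str:
    return base64.b64encode(text.encode("ascii")).decode("ascii")


# Constructed sample of the key's values, not taken from a real system. The
# three PIDs that Table 1 on the page records (mep, api, pim) are reused; the
# fourth PID and the dropper filename are made up.
SAMPLE_VALUES = {
    "2608": _b64(r"C:\Users\user\Downloads\dropper_placeholder.exe|0|0"),
    "2716": _b64(r"C:\Users\user\Downloads\dropper_placeholder.exe|2|0"),
    "2732": _b64(r"C:\Users\user\Downloads\dropper_placeholder.exe|3|0"),
    "2744": _b64(r"C:\Users\user\Downloads\dropper_placeholder.exe|1|0"),
    "1234": "not base64!!",                            # PID-like name, random data
    "Run": _b64(r"C:\Program Files\Vendor\tool.exe"),  # legitimate, not PID-named
}

if __name__ == "__main__":
    for pid, path, action in find_dropper_markers(SAMPLE_VALUES):
        print(f"PID {pid}: action {action}, dropper {path}")
```

On a live system the same `find_dropper_markers` can be fed the output of a registry export of that key; PID-named values that decode to an executable path are a strong indicator on their own, independent of the separator assumption.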


When the payload is injected inside the iexplore.exe processes, it starts by loading global variables used for various purposes:

  • Names for mutexes
  • Names for Windows registry keys
  • URLs used for:
    • C&C communication
    • Downloading malicious DLLs
    • Parameters to some DLL functions
  • Filenames, for example for persistence
  • Variables used as parameters for some DLL functions
  • Paths for downloaded files
  • Payload execution date

Once the payload has finished loading the global variables, it continues its execution by obtaining the PID of the process it was injected into. This PID is used to obtain the base64-encoded data created by the dropper, mentioned above. Once the data is retrieved, the payload decodes it and extracts the action identifier (see Figure 5). This value indicates the action it must perform.

Depending on the obtained value, the payload is capable of performing four different actions.

If the value is 0:

  • Creates a Windows registry key with the name mep
  • Tries to download two DLLs from a URL in the global variables
  • Tries to load these DLLs into memory
  • Creates different threads to invoke some of these DLLs’ functions
  • Starts active communication with the C&C server

If the value is 1:

  • Establishes persistence on the victim’s machine; this is explained in the Registry and persistence section.

If the value is 2:

  • Creates a Windows registry key with the name api
  • Searches for one of the downloaded DLLs, named dec.dll; if it exists, loads it into memory and calls the export method Init, which creates five folders used for different purposes – for example, to save encrypted logs in the Bandook persistence folder mentioned in the Registry and persistence section.

If the value is 3:

  • Creates a registry key with the name pim
  • Checks whether persistence succeeded; if not, it establishes persistence in the folder mentioned in the Registry and persistence section.

Figure 6 depicts a decompilation of this payload-handling code.

Figure 6. Payload logic to execute different actions according to the value obtained from the registry

Two DLLs can be downloaded by the first action mentioned above or during communication with the C&C server, and they are named dec.dll and dep.dll (the internal name for the first one is capmodule.dll).

dec.dll has a set of functions that enable spying on the victim’s machine. Some of these functions are capable of dropping a malicious Google Chrome extension, and of stealing information from a USB drive. Meanwhile, dep.dll, which we were not able to obtain, has a set of functions that seem to be related to handling files in various formats.

Figure 7 shows part of the decompiled code that loads dec.dll into memory. Figure 8 shows the code related to dep.dll.

Figure 7. Dynamic load of dec.dll into memory

Figure 8. Dynamic load of dep.dll into memory

Registry and persistence

The payload achieves persistence on the victim’s machine by copying the dropper into a new folder, created by the payload at a path of the form:


Both the persisted dropper and the folder use the same name, which is a random string generated by the payload. The screenshot in Figure 9 shows the registry value created by the payload to maintain persistence.

Figure 9. Malware persistence in the registry

We have also detected other values created by the payload in Windows registry keys related to its behavior, such as: the name used for persistence, a random number used as an ID to identify the victim’s machine, possible filenames (these files can be downloaded by the payload or created by the payload itself), and the infection date, among other things.

Table 1 contains the registry entries created by the payload during our analysis, with a brief description of each.

Table 1. Registry entries created by one of the analyzed Bandook samples

Registry path | Key | Value | Description
HKCU\Software | der333f | Ixaakiiumcicbcpspmof | Random string used for persistence
HKCU\Software | FDFfda | 5/5/2021 | Compromise date
HKCU\Software | NVhfhfjs | | Used to identify the victim’s machine
HKCU\Software\VBffhdfhf | AMMY132 | .exe | Related to the export method ExecuteAMMMY from dec.dll
HKCU\Software\VBffhdfhf | gn | .exe | Related to a new file downloaded during the download of the DLLs, before the connection to the C&C server
HKCU\Software\VBffhdfhf | idate | 05.05.2021 | Compromise date
HKCU\Software\VBffhdfhf | mep | 2608 | Process ID of the payload used for the communication with the C&C server
HKCU\Software\VBffhdfhf | rno1 | .exe | Can be used to rename a downloaded file through the C&C communication
HKCU\Software\VBffhdfhf | tvn | .dce | Related to the export method ExecuteTVNew from dec.dll
HKCU\Software\VBffhdfhf | api | 2716 | Process ID of one of the payloads, used to install the external DLLs
HKCU\Software\VBffhdfhf | pim | 2732 | Process ID of one of the payloads, which checks the malware persistence
HKCU\Software\VBffhdfhf | DRT3 | 1 | Related to the export name ChromeInject from dec.dll

Other registry locations that can be used to achieve persistence on the victim’s machine are:

  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Community communication

The communication starts by resolving the IP address of a domain (d2.ngobmc[.]com) located in the global variables and then establishing a TCP connection to that address on a four-digit port number that changes according to the campaign. Once the payload establishes this connection, it sends basic information from the victim’s machine, such as computer name, username, OS version, infection date, and malware version.

After that, the payload maintains active communication with the C&C server, waiting for commands to execute.

In many cases the information sent to the C&C server is encrypted using AES in CFB mode with the key HuZ82K83ad392jVBhr2Au383Pud82AuF, but in other cases the information is sent as cleartext.

The following is an example of the basic information to be exfiltrated to the C&C server, before it is encrypted:

!O12HYV~!2870~!!Computer~!Administrator~!Ten~!0d 14h 2m~!0~!5.2~!FB2021~!0~!0~!0~!0~!~!0~!0-~!None~!0~!5/5/2021~!

Of particular interest are the fields:

  • !O12HYV: Hardcoded value
  • 2870: Victim’s ID generated by the malware
  • Victim’s IP address (fake value for privacy reasons)
  • Computer: Computer name
  • Administrator: Username
  • Ten: OS version
  • 5.2: Malware version
  • FB2021: Campaign ID
  • 5/5/2021: Date of compromise
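The beacon format above lends itself to a simple network-side check. The following Python is an added example for this page (not ESET's code or a published signature): it classifies a captured TCP payload as encrypted (the &&& suffix the page reports on encrypted blobs), cleartext (the hardcoded !O12HYV prefix followed by the ~! delimiter), or neither, and parses the cleartext form into named fields. The sample beacon is constructed from the page's example with the redacted IP restored as its own field using an RFC 5737 documentation address; the field positions therefore assume that layout, and only the fields the page names are labelled.

```python
from dataclasses import dataclass
from typing import Optional

DELIM = "~!"                  # field delimiter the page reports
HARDCODED_PREFIX = "!O12HYV"  # hardcoded first field in the page's sample
ENCRYPTED_SUFFIX = b"&&&"     # suffix the page reports on encrypted blobs

# Constructed cleartext beacon laid out like the page's sample. The IP field
# (index 2) is ASSUMED to sit between victim ID and computer name, as the
# page's field list orders them; the unlabelled zeros are kept as shown.
_FIELDS = ["!O12HYV", "2870", "203.0.113.10", "Computer", "Administrator",
           "Ten", "0d 14h 2m", "0", "5.2", "FB2021", "0", "0", "0", "0", "",
           "0", "0-", "None", "0", "5/5/2021"]
SAMPLE_CLEARTEXT = DELIM.join(_FIELDS) + DELIM


@dataclass
class Beacon:
    victim_id: str
    ip: str
    computer: str
    username: str
    os_version: str
    malware_version: str
    campaign_id: str
    compromise_date: str


def classify(payload: bytes) -> str:
    """Label a captured payload: 'encrypted', 'cleartext' or 'unknown'."""
    if payload.endswith(ENCRYPTED_SUFFIX):
        return "encrypted"
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return "unknown"
    if text.startswith(HARDCODED_PREFIX + DELIM):
        return "cleartext"
    return "unknown"


def parse_beacon(text: str) -> Optional[Beacon]:
    """Split a cleartext beacon on ~! and map the page-named fields.
    Positions follow the constructed layout above (IP restored at index 2)."""
    if not text.endswith(DELIM):
        return None
    fields = text[:-len(DELIM)].split(DELIM)
    if len(fields) < 20 or fields[0] != HARDCODED_PREFIX:
        return None
    return Beacon(
        victim_id=fields[1],
        ip=fields[2],
        computer=fields[3],
        username=fields[4],
        os_version=fields[5],
        malware_version=fields[8],
        campaign_id=fields[9],
        compromise_date=fields[19],
    )


if __name__ == "__main__":
    print(classify(SAMPLE_CLEARTEXT.encode()), parse_beacon(SAMPLE_CLEARTEXT))
```

The two constants, the ~! delimiter and the &&& terminator, are the stable parts: they recur in the older Operation Manul and Dark Caracal samples as noted below, so a content match on either is a more durable network indicator than the per-campaign port or domain.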

Figure 10 and Figure 11 are Wireshark screenshots showing two different examples of encrypted and cleartext transmission of data sent to the C&C server.

Figure 10. Traffic capture with encrypted information sent to the C&C server

Figure 11. Traffic capture with cleartext information sent to the C&C server

Regarding the commands that the payload is capable of processing, we found that this sample has 132 commands, although some of these have very similar behaviors. These commands use the following pattern: @ – for example, @0001 – except for the *DJDSR^ command. Depending on the received command, the payload is capable of performing the following actions:

  • Obtain information from the victim’s drive units
  • List the contents of a specific directory
  • File manipulation
  • Take screenshots
  • Control the cursor on the victim’s machine:
    • Move it to a specific position
    • Perform left or right clicks
  • Install or uninstall the malicious DLLs (dec.dll or dep.dll)
  • Close some connections previously opened by the payload
  • Kill running processes or threads
  • Pop up a message using MessageBoxA
  • Send files to the C&C server
  • Invoke DLL functions (dec.dll or dep.dll)
  • Windows registry manipulation:
    • Check the existence of a registry key or value
    • Create a registry key or value
    • Delete a registry key or value
  • Uninstall the malware
  • Download a file from a URL
  • Execute downloaded files using the function ShellExecuteW
  • Obtain the victim’s public IP address
  • Skype program manipulation:
    • Stop the process
    • Check the existence of the main.db file
  • Stop the TeamViewer process and invoke a function from dec.dll named ExecuteTVNew
  • Check whether Java is installed on the victim’s machine
  • Execute files with extension .pyc or .jar using Python or Java

Here is a list of what dec.dll is capable of doing on the victim’s machine:

  • Chrome browser manipulation
  • File manipulation:
    • Compress a file
    • Split a file
    • Search for a file
    • Upload a file
  • Send files to the C&C server
  • USB manipulation
  • Get Wi-Fi connections
  • Start a shell
  • DDoS
  • Sign out from Skype
  • Manipulate the victim’s screen
  • Manipulate the victim’s webcam
  • Record sound
  • Execute malicious programs

DLL analysis – ChromeInject functionality

When the communication with the C&C server is established, as mentioned above, the payload downloads dec.dll. We analyzed one of its most interesting exported methods, named ChromeInject.

This method creates a malicious Chrome extension by:

  • Terminating the chrome.exe process if it is running
  • Creating a folder under %APPDATA%\OPR
  • Creating two files:
    • %APPDATA%\OPR\Main.js
    • %APPDATA%\OPR\Manifest.json
  • Enabling developer mode of Google Chrome by manipulating the preference file located at:
    • %LOCALAPPDATA%\Google\Chrome\User Data\Default
  • Obtaining the Google Chrome executable path by accessing the registry; in this case it reads:
    • SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe
  • Launching Google Chrome
  • Invoking Windows APIs such as GetForegroundWindow, SetClipboardData, and keybd_event to load the malicious Chrome extension by simulating a user installation; it:
    • Loads chrome://extensions into the clipboard and pastes it by sending Ctrl+V keystrokes
    • Sends Tab keystrokes to select the Load unpacked option
    • Loads the path to the OPR folder into the clipboard and pastes it by sending Ctrl+V keystrokes

This malicious extension tries to retrieve any credentials that the victim submits to a URL by reading the values inside the form tag before they are sent. These credentials are saved in Chrome’s local storage with the key batata13, and the corresponding URL to which the credentials are sent with the key batata14. This information is exfiltrated to a different URL located in the global variables of the payload. In our sample this URL was:
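The ChromeInject steps above leave two host artefacts a responder can check for without touching the browser: the staging folder %APPDATA%\OPR holding Main.js and Manifest.json, and a Chrome Default profile with developer mode switched on. The following Python triage routine is an added example written for this page (not ESET's or the malware's code). The page names the preference file but not the key; the check uses Chromium's `extensions.ui.developer_mode` preference in the profile's `Preferences` JSON file. The demo tree it builds is a constructed, harmless placeholder layout, not the malicious extension.

```python
import json
import os
import tempfile

# Artefacts the page attributes to ChromeInject.
OPR_FILES = ("Main.js", "Manifest.json")
CHROME_DEFAULT = os.path.join("Google", "Chrome", "User Data", "Default")
# Chromium keeps the developer-mode flag at extensions.ui.developer_mode in
# the profile's Preferences file (the page names the folder, not the key).
PREFS_FILE = "Preferences"


def triage_chromeinject(appdata: str, localappdata: str) -> list:
    """Return human-readable findings for the ChromeInject artefacts.
    `appdata` and `localappdata` are the user's %APPDATA% and %LOCALAPPDATA%."""
    findings = []

    opr = os.path.join(appdata, "OPR")
    present = [f for f in OPR_FILES if os.path.isfile(os.path.join(opr, f))]
    if present:
        findings.append(f"unpacked extension staged in {opr}: {', '.join(present)}")

    prefs_path = os.path.join(localappdata, CHROME_DEFAULT, PREFS_FILE)
    if os.path.isfile(prefs_path):
        try:
            with open(prefs_path, encoding="utf-8") as fh:
                prefs = json.load(fh)
        except (OSError, ValueError):
            prefs = {}
        ui = prefs.get("extensions", {}).get("ui", {})
        if ui.get("developer_mode") is True:
            findings.append(f"Chrome developer mode enabled in {prefs_path}")

    return findings


def build_demo_profile(root: str) -> tuple:
    """Create a CONSTRUCTED, harmless copy of the artefact layout under root
    and return (appdata, localappdata). The manifest is a placeholder."""
    appdata = os.path.join(root, "AppData", "Roaming")
    localappdata = os.path.join(root, "AppData", "Local")

    opr = os.path.join(appdata, "OPR")
    os.makedirs(opr)
    with open(os.path.join(opr, "Main.js"), "w", encoding="utf-8") as fh:
        fh.write("// constructed placeholder, no behaviour\n")
    with open(os.path.join(opr, "Manifest.json"), "w", encoding="utf-8") as fh:
        json.dump({"manifest_version": 2, "name": "placeholder"}, fh)

    profile = os.path.join(localappdata, CHROME_DEFAULT)
    os.makedirs(profile)
    with open(os.path.join(profile, PREFS_FILE), "w", encoding="utf-8") as fh:
        json.dump({"extensions": {"ui": {"developer_mode": True}}}, fh)

    return appdata, localappdata


def demo() -> list:
    """Build the constructed tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as root:
        appdata, localappdata = build_demo_profile(root)
        return triage_chromeinject(appdata, localappdata)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a real host, pass the two environment variables (`os.environ["APPDATA"]`, `os.environ["LOCALAPPDATA"]`) for each user profile on the machine; a developer-mode flag alone is a weak signal, the OPR folder beside it is not.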


Figure 12 shows the installed malicious Chrome extension.

Figure 12. Malicious extension created by the malware

Figure 13 and Figure 14 are screenshots showing the Manifest.json and the (deobfuscated) Main.js source code, respectively.

Figure 13. Manifest file of the malicious extension

Figure 14. Main.js file with malicious code deobfuscated

Overlaps and differences with other campaigns

We compared the behavior of our analyzed sample against other posts and documented campaigns such as Operation Manul and Dark Caracal, and there are some similarities, such as:

  • The payloads use the same encryption algorithm for communication with the C&C server, AES in CFB mode.
  • The encrypted information sent to the C&C server carries the string suffix &&& at its end.
  • The payloads use the ~! string as a delimiter for the information sent or received.
  • Two samples included in the Operation Manul report (SHA-1: ADB7FC1CC9DD76725C1A81C5F17D03DE64F73296 and 916DF5B73B75F03E86C78FC3D19EF5D2DC1B7B92) seem to be linked to the Bandidos campaign, according to our telemetry data. The campaign IDs for these samples (January 2015 v3 and JUNE 2015 TEAM) show how far back in time the campaigns go.
  • All the samples included in Check Point’s report as “Full Version” in fact target Venezuela and are part of the Bandidos campaign.
  • The dropper uses the process hollowing technique to inject the payloads.

We also found some differences, showing changes to the malware over the years, such as:

  • The dropper, for this campaign, changed its encryption algorithm from CAST-256 to GOST.
  • It seems that the malware now has only two DLLs for all its extra functionality instead of the five DLLs mentioned in the Operation Manul report.
  • Two new export methods have been added to dec.dll, named GenerateOfflineDB and RECSCREEN.
  • This latest sample contains 132 commands, instead of the 120 commands mentioned in Check Point’s report.
  • Unlike the smaller executables described in Check Point’s report, which are signed and seem to be part of a different campaign, these samples are unsigned executables.
  • There is a command with the string AVE_MARIA, which could be related to the AVE MARIA (aka Warzone) RAT.


Bandook is a RAT active since 2005. Its involvement in several espionage campaigns, already documented, shows that it is still a relevant tool for cybercriminals. Also, the modifications made to the malware over the years show the interest of cybercriminals in continuing to use this piece of malware in malicious campaigns, making it more sophisticated and harder to detect.

Although there are few documented campaigns in Latin America, such as Machete or Operation Spalax, Venezuela is a country that, due to its geopolitical situation, is a likely target for cyberespionage.

A full and comprehensive list of Indicators of Compromise (IoCs) and samples can be found in our GitHub repository.

For any inquiries, or to make sample submissions related to the subject, contact us at [email protected]

Indicators of Compromise (IoCs)

C&C servers

d1.ngobmc[.]com:7891 – 194.5.250[.]103
d2.ngobmc[.]com:7892 – 194.5.250[.]103
r2.panjo[.]club:7892 – 45.142.214[.]31
pronews[.]icu – 194.36.190[.]73
ladvsa[.]club – 45.142.213[.]108


SHA-1 | ESET detection name | Description
4B8364271848A9B677F2B4C3AF4FE042991D93DF | PDF/TrojanDownloader.Agent.AMF | Malicious e-mail
F384BDD63D3541C45FAD9D82EF7F36F6C380D4DD | PDF/TrojanDownloader.Agent.AMF | Malicious PDF
A06665748DF3D4DEF63A4DCBD50917C087F57A27 | PDF/Phishing.F.Gen | Malicious PDF
89F1E932CC37E4515433696E3963BB3163CC4927 | Win32/Bandok.NAT | Dropper
124ABF42098E644D172D9EA69B05AF8EC45D6E49 | Win32/Bandok.NAT | Dropper
AF1F08A0D2E0D40E99FCABA6C1C090B093AC0756 | Win32/Bandok.NAT | Dropper
0CB9641A9BF076DBD3BA38369C1C16FCDB104FC2 | Win32/Bandok.NAT | Payload
D32E7178127CE9B217E1335D23FAC3963EA73626 | Win32/Bandok.NAT | Payload
5F58FCED5B53D427B29C1796638808D5D0AE39BE | Win32/Bandok.NAT | Payload
1F94A8C5F63C0CA3FCCC1235C5ECBD8504343437 | | dec.dll (encrypted)
8D2B48D37B2B56C5045BCEE20904BCE991F99272 | JS/Kryptik.ALB | Main.js

Download URLs

https://spideroak[.]com/storage/OVPXG4DJMRSXE33BNNPWC5LUN5PTMMZXG4ZTM/shared/1759328-1-1050/Cotizacion nuevas.rar?ad16ce86ca4bb1ff6ff0a7172faf2e05

Older C&C servers


MITRE ATT&CK techniques

Note: This table was built using version 9 of the MITRE ATT&CK framework.

Tactic | ID | Name | Description
Initial Access | T1566.001 | Phishing: Spearphishing Attachment | Bandook operators have used emails with attached PDF files that contain links to download malware.
Execution | T1204.001 | User Execution: Malicious Link | Bandook operators have used malicious links to download malware.
Execution | T1204.002 | User Execution: Malicious File | Bandook operators have tried to get victims to execute malicious files.
Defense Evasion | T1027 | Obfuscated Files or Information | Bandook operators encrypt the payload hidden in the dropper.
Defense Evasion | T1055.012 | Process Injection: Process Hollowing | Bandook operators use process hollowing to inject the payload into legitimate processes.
Defense Evasion | T1112 | Modify Registry | Bandook operators have tried to modify registry entries to hide information.
Defense Evasion | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Bandook operators have tried to create a Run registry key.
Discovery | T1057 | Process Discovery | Bandook uses Windows API functions to discover running processes on victims’ machines.
Discovery | T1083 | File and Directory Discovery | Bandook operators try to discover files or folders under a specific path.
Collection | T1025 | Data from Removable Media | Bandook operators try to read data from removable media.
Collection | T0156.001 | Input Capture: Keylogging | Bandook operators may try to capture user keystrokes to obtain credentials.
Collection | T1113 | Screen Capture | Bandook can take screenshots from the victim’s machine.
Collection | T1123 | Audio Capture | Bandook can record audio from the victim’s machine.
Collection | T1125 | Video Capture | Bandook can record video from the webcam.
Command and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | Bandook uses AES for encrypting C&C communications.
Exfiltration | T1041 | Exfiltration Over C2 Channel | Bandook exfiltrates information over the same channel used for C&C.
Exfiltration | T1048.002 | Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Bandook exfiltrates information using a malicious URL via HTTPS.
