ESET Research uncovers an active malicious campaign that uses new versions of old malware, Bandook, to spy on its victims
In 2021 we detected an ongoing campaign targeting corporate networks in Spanish-speaking countries, with 90% of the detections in Venezuela. When comparing the malware used in this campaign with what was previously documented, we found new functionality and changes to this malware, known as Bandook. We also found that this campaign targeting Venezuela, despite being active since at least 2015, has somehow remained undocumented. Given the malware used and the targeted locale, we chose to name this campaign Bandidos.
Bandook is an old remote access trojan: there are references to it being available online as early as 2005, though its use by organized groups was not documented until 2016. The report published that year by EFF, Operation Manul, describes the use of Bandook to target journalists and dissidents in Europe. Then in 2018, Lookout published its research uncovering other espionage campaigns that had different targets but used the same infrastructure. They gave the name Dark Caracal to the group responsible for the attacks. Finally, Check Point’s report in 2020 showed that the attackers started to use signed executables to target many verticals in various countries.
Previous reports have mentioned that the developers of Bandook might be developers for hire (also known as “malware as a service”), which makes sense given the various campaigns with different targets seen through the years. We must note, however, that in 2021 we have seen only one active campaign: the one targeting Spanish-speaking countries that we document here.
Although we have seen more than 200 detections for the malware droppers in Venezuela in 2021, we have not identified a specific vertical targeted by this malicious campaign. According to our telemetry data, the main interests of the attackers are corporate networks in Venezuela; some in manufacturing companies, others in construction, healthcare, software services, and even retail. Given the capabilities of the malware and the kind of information that is exfiltrated, it seems that the main purpose of these Bandidos is to spy on their victims. Their targets and their method of approaching them are more similar to cybercrime operations than to APT activities such as Operation Manul.
Malicious emails with a PDF attachment are sent to targets. The PDF file contains a link to download a compressed archive and the password to extract it. Inside the archive there is an executable file: a dropper that injects Bandook into an Internet Explorer process. Figure 1 provides an overview of this attack chain.
Emails that contain these attachments are usually short; one example is shown in Figure 2. The phone number at the bottom of the message is a mobile number in Venezuela, though it is unlikely to be related to the attackers.
The attackers use URL shorteners such as Rebrandly or Bitly in their PDF attachments. The shortened URLs redirect to cloud storage services such as Google Cloud Storage, SpiderOak, or pCloud, from where the malware is downloaded.
Figure 3 and Figure 4 are examples of PDFs used in this campaign. The images used in the PDFs are stock photos available online.
The content of the PDF files is generic and has been used with various filenames that change between targets. The password for the downloaded archive is 123456.
For a list of URLs used to download the malware please refer to the section Indicators of Compromise (IoCs).
Bandook is hybrid Delphi/C++ malware. The dropper is coded in Delphi and is easily recognizable because it stores the payload encrypted and base64 encoded in the resource section of the file. The main purpose of the dropper is to decode, decrypt and run the payload and to make sure that the malware persists on a compromised system. The encryption algorithm was CAST-256 in samples from earlier years of this campaign, but changed to GOST in 2021.
When the dropper is executed, it creates four instances of iexplore.exe, into which the payload will be injected via process hollowing. Then four entries are created in the Windows registry under HKCU\Software\Microsoft\Windows\CurrentVersion. The names of the registry values are based on the process ID (PID) of each of these newly created processes, and the values are base64 encoded and contain the path to the dropper, a number that identifies different actions (explained later), and another value that is not used in the samples we analyzed. The created entries are shown in Figure 5, along with an example of a decoded value.
Samples from other campaigns follow the same logic, but they use other encryption algorithms.
When the payload is injected inside the iexplore.exe processes, it starts loading global variables used for various purposes:
- Names for mutexes
- Names for Windows registry keys
- URLs used for:
  - C&C communication
  - Downloading malicious DLLs
- Parameters to some DLL functions
- Filenames, for example for persistence
- Variables used as parameters for some DLL functions
- Paths for downloaded files
- Payload execution date
Once the payload has finished loading the global variables, it continues its execution by obtaining the PID of the process it was injected into. This PID is used to locate the base64-encoded data created by the dropper, mentioned above. Once the data is retrieved, the payload decodes it and extracts the action identifier (see Figure 5). This value indicates the action it must perform.
Depending on the obtained value, the payload is capable of performing four different actions.
If the value is 0:
- Creates a Windows registry value with the name mep
- Tries to download two DLLs from a URL in the global variables
- Tries to load these DLLs into memory
- Creates different threads to invoke some of these DLLs’ functions
- Starts active communication with the C&C server
If the value is 1:
- Establishes persistence on the victim’s machine; this is explained in the Registry and persistence section.
If the value is 2:
- Creates a Windows registry value with the name api
- Searches for one of the downloaded DLLs, named dec.dll; if it exists, loads it into memory and calls the export method Init, which creates five folders used for different purposes – for example, saving encrypted logs in the Bandook persistence folder mentioned in the Registry and persistence section.
If the value is 3:
- Creates a registry value with the name pim
- Checks whether persistence succeeded; if not, establishes persistence in the folder mentioned in the Registry and persistence section.
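As an added example (not ESET’s code and not taken from the samples), the following Python script triages a dump of the CurrentVersion key described above: it decodes every PID-named value, maps the action number to the behaviour listed for values 0 to 3, and cross-checks that the PIDs stored in mep, api and pim point at records carrying the matching action. The article does not give the separator between the three fields inside the decoded value, so the `|` separator is an assumption, and the registry dump is constructed.

```python
# Added example: triage of the per-PID values the Bandook dropper writes under
# HKCU\Software\Microsoft\Windows\CurrentVersion. The field separator "|" is an
# ASSUMPTION (the article does not give it); the sample dump is constructed.
import base64
import binascii

# Action identifier -> behaviour described in the article.
ACTIONS = {
    0: "download dec.dll/dep.dll and start C&C communication (mep)",
    1: "establish persistence",
    2: "load dec.dll and call Init (api)",
    3: "verify persistence (pim)",
}
# Named value -> action the PID it stores is expected to carry (Table 1).
ROLE_VALUES = {"mep": 0, "api": 2, "pim": 3}

def _enc(text: str) -> str:
    return base64.b64encode(text.encode()).decode()

DROPPER = r"C:\Users\victim\Downloads\documento.exe"  # constructed path
SAMPLE_VALUES = {  # constructed dump of the CurrentVersion key
    "2560": _enc(f"{DROPPER}|1|0"),
    "2608": _enc(f"{DROPPER}|0|0"),
    "2716": _enc(f"{DROPPER}|2|0"),
    "2732": _enc(f"{DROPPER}|3|0"),
    "mep": "2608", "api": "2716", "pim": "2732",
    "der333f": "Ixaakiiumcicbcpspmof",
    "Path": "C:\\Program Files",  # unrelated value that must be ignored
}

def decode_pid_value(name, raw, sep="|"):
    """Return the decoded triple for a PID-named value, or None if it does not fit."""
    if not name.isdigit():
        return None
    try:
        text = base64.b64decode(raw, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    parts = text.split(sep)
    if len(parts) != 3 or not parts[1].isdigit() or int(parts[1]) not in ACTIONS:
        return None
    return {"pid": int(name), "dropper_path": parts[0],
            "action": int(parts[1]), "meaning": ACTIONS[int(parts[1])]}

def triage(values):
    """Decode every value that looks like a Bandook per-PID record."""
    return [f for f in (decode_pid_value(n, v) for n, v in values.items()) if f]

def cross_check(values, findings):
    """Confirm that mep/api/pim reference PID records with the expected action."""
    by_pid = {f["pid"]: f["action"] for f in findings}
    problems = []
    for role, expected in ROLE_VALUES.items():
        pid = values.get(role)
        if pid is None or not pid.isdigit():
            problems.append(f"{role}: missing or non-numeric")
        elif by_pid.get(int(pid)) != expected:
            problems.append(f"{role}: PID {pid} does not carry action {expected}")
    return problems

if __name__ == "__main__":
    hits = triage(SAMPLE_VALUES)
    for h in hits:
        print(h["pid"], h["action"], h["meaning"])
    print("consistency problems:", cross_check(SAMPLE_VALUES, hits) or "none")
```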
Figure 6 depicts a decompilation of this payload-handling code.
Two DLLs can be downloaded, either by the first action mentioned above or during communication with the C&C server; they are named dec.dll and dep.dll (the internal name of the first one is capmodule.dll).
dec.dll has a set of functions that enable spying on the victim’s machine. Some of these functions are capable of dropping a malicious Google Chrome extension and of stealing information from a USB drive. Meanwhile, dep.dll, which we were not able to obtain, has a set of functions that seem to be related to handling files in various formats:
Figure 7 shows part of the decompiled code that loads dec.dll into memory. Figure 8 shows the code related to dep.dll.
Registry and persistence
The payload achieves persistence on the victim’s machine by copying the dropper into a new folder, created by the payload at a path of the form:
Both the persisted dropper and the folder use the same name, which is a random string generated by the payload. The screenshot in Figure 9 shows the registry value created by the payload to maintain persistence.
We have also detected other values created by the payload in the Windows registry keys related to its behavior, such as: the name used for persistence, a random number used as an ID to identify the victim’s machine, possible filenames (these files can be downloaded by the payload or created by itself), and the infection date, among other things.
Table 1 contains the registry entries created by the payload during our analysis, with a brief description of each.
Table 1. Registry entries created by one of the analyzed Bandook samples
| Name | Value | Description |
| --- | --- | --- |
| der333f | Ixaakiiumcicbcpspmof | Random string used for persistence |
| NVhfhfjs | | Used to identify the victim’s machine |
| AMMY132 | | Related to the export method ExecuteAMMMY from dec.dll |
| gn | | Related to a new file downloaded during the download of the DLLs, before the connection to the C&C server |
| mep | 2608 | Process ID of the payload used for the communication with the C&C server |
| rno1 | | Can be used to rename a downloaded file through the C&C communication |
| tvn | | Related to the export method ExecuteTVNew from dec.dll |
| api | 2716 | Process ID of the payload used to install the external DLLs |
| pim | 2732 | Process ID of the payload that checks the malware persistence |
| DRT3 | 1 | Related to the export name ChromeInject from dec.dll |
Other registry locations that can be used to achieve persistence on the victim’s machine are:
- HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
- HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
The communication starts by resolving the IP address of a domain (d2.ngobmc[.]com) stored in the global variables and then establishing a TCP connection to that address on a four-digit port number that changes according to the campaign. Once the payload establishes this connection, it sends basic information about the victim’s machine, such as computer name, username, OS version, infection date, and malware version.
After that, the payload maintains active communication with the C&C server, waiting for commands to execute.
In many cases the information sent to the C&C server is encrypted using AES in CFB mode with the key HuZ82K83ad392jVBhr2Au383Pud82AuF, but in other cases the information is sent as cleartext.
The following is an example of the basic information to be exfiltrated to the C&C server, before it is encrypted:
!O12HYV~!2870~!0.0.0.0~!Computer~!Administrator~!Ten~!0d 14h 2m~!0~!5.2~!FB2021~!0~!0~!0~!0~!~!0~!0–~!None~!0~!5/5/2021~!
Of particular interest are the fields:
- !O12HYV: Hardcoded value
- 2870: Victim’s ID generated by the malware
- 0.0.0.0: Victim’s IP address (fake value for privacy reasons)
- Computer: Computer name
- Administrator: Username
- Ten: OS version
- 5.2: Malware version
- FB2021: Campaign ID
- 5/5/2021: Date of compromise
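As an added example (not ESET’s code), the following Python script parses a check-in record in the `~!`-delimited format shown above and scans captured lines for such records, which is the kind of check a defender would run over a cleartext TCP stream dump. Field names follow the annotation above; positions the article does not name are kept as `field_N`. It also strips the `&&&` suffix that the article later notes on encrypted records. The sample record is the one quoted above; the other capture lines are constructed.

```python
# Added example: decoder for the "~!"-delimited Bandook check-in record and a
# scanner over captured lines. Field positions come from the article's
# annotated example; SAMPLE is that record, CAPTURE is constructed.
FIELD_SEP = "~!"
RECORD_SUFFIX = "&&&"     # trailer seen on encrypted records
MAGIC = "!O12HYV"         # hardcoded value at the start of every record
NAMED = {1: "victim_id", 2: "victim_ip", 3: "computer_name", 4: "username",
         5: "os_version", 8: "malware_version", 9: "campaign_id",
         19: "infection_date"}

SAMPLE = ("!O12HYV~!2870~!0.0.0.0~!Computer~!Administrator~!Ten~!0d 14h 2m~!0"
          "~!5.2~!FB2021~!0~!0~!0~!0~!~!0~!0–~!None~!0~!5/5/2021~!")

def parse_checkin(record):
    """Return the fields of a Bandook check-in record, or None if it is not one."""
    if record.endswith(RECORD_SUFFIX):
        record = record[: -len(RECORD_SUFFIX)]
    if not record.startswith(MAGIC + FIELD_SEP) or not record.endswith(FIELD_SEP):
        return None
    parts = record.split(FIELD_SEP)[:-1]   # drop the empty token after the last "~!"
    if len(parts) <= max(NAMED):           # too short to hold the infection date
        return None
    out = {NAMED.get(i, f"field_{i}"): v for i, v in enumerate(parts)}
    out["field_count"] = len(parts)
    return out

def find_checkins(lines):
    """Scan captured lines for check-in records; returns (line_no, id, campaign, version)."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_checkin(line.strip())
        if rec:
            hits.append((n, rec["victim_id"], rec["campaign_id"], rec["malware_version"]))
    return hits

CAPTURE = [  # constructed stream lines: noise, a real record, a truncated one
    "GET / HTTP/1.1",
    SAMPLE + RECORD_SUFFIX,
    "!O12HYV~!truncated~!",
]

if __name__ == "__main__":
    for hit in find_checkins(CAPTURE):
        print("line %d: victim %s, campaign %s, malware v%s" % hit)
```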
Figure 10 and Figure 11 are Wireshark screenshots showing two different examples of encrypted and cleartext transmission of data sent to the C&C server.
Regarding the commands that the payload is capable of processing, we found that this sample has 132 commands, although some of them have very similar behaviors. These commands use the following pattern: @
- Obtain information about the victim’s drive units:
- List the contents of a specific directory:
- File manipulation:
- Take screenshots
- Control the cursor on the victim’s machine:
  - Move it to a specific position
  - Perform left or right clicks
- Install or uninstall the malicious DLLs (dec.dll or dep.dll)
- Close some connections previously opened by the payload
- Kill running processes or threads
- Pop up a message using MessageBoxA
- Send files to the C&C server
- Invoke DLL functions (dec.dll or dep.dll)
- Windows registry manipulation:
  - Check the existence of a registry key or value
  - Create a registry key or value
  - Delete a registry key or value
- Uninstall the malware
- Download a file from a URL
- Execute downloaded files using the function ShellExecuteW
- Obtain the victim’s public IP address
- Skype program manipulation:
  - Stop the process
  - Check the existence of the main.db file
- Stop the TeamViewer process and invoke a function from dec.dll named ExecuteTVNew
- Check whether Java is installed on the victim’s machine
- Execute files with extension .pyc or .jar using Python or Java.
Here is a list of what dec.dll is capable of doing on the victim’s machine:
- Chrome browser manipulation
- File manipulation:
  - Compress a file
  - Split a file
  - Search for a file
  - Upload a file
- Send files to the C&C server
- USB manipulation
- Get Wi-Fi connections
- Start a shell
- Sign out from Skype
- Manipulate the victim’s screen
- Manipulate the victim’s webcam
- Record sound
- Execute malicious programs
DLL analysis – ChromeInject functionality
When the communication with the C&C server is established, as mentioned above, the payload downloads dec.dll. We analyzed one of its most interesting exported methods, named ChromeInject.
This method installs a malicious Chrome extension by:
- Terminating the chrome.exe process if it is running
- Creating a folder under %APPDATA%\OPR
- Creating two files:
- Enabling developer mode in Google Chrome by manipulating the preferences file located at:
  - %LOCALAPPDATA%\Google\Chrome\User Data\Default
- Obtaining the Google Chrome executable path from the registry, in this case from:
  - SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe
- Launching Google Chrome
- Invoking Windows APIs such as GetForegroundWindow, SetClipboardData, and keybd_event to load the malicious Chrome extension by simulating a user installation; it:
  - Loads chrome://extensions into the clipboard and pastes it by sending Ctrl+V keystrokes
  - Sends Tab keystrokes to select the Load unpacked option
  - Loads the path to the OPR folder into the clipboard and pastes it by sending Ctrl+V keystrokes
This malicious extension tries to retrieve any credentials that the victim submits to a URL by reading the values inside the form tag before they are sent. These credentials are saved in Chrome’s local storage under the key batata13, and the corresponding URL the credentials are sent to under the key batata14. This information is exfiltrated to a different URL stored in the global variables of the payload. In our sample this URL was:
Figure 12 shows the installed malicious Chrome extension.
Figure 13 and Figure 14 are screenshots respectively showing the Manifest.json and the Main.js (deobfuscated) source code.
Overlaps and differences with other campaigns
We compared the behavior of our analyzed sample against other posts and documented campaigns such as Operation Manul and Dark Caracal, and there are some similarities, such as:
- The payloads use the same encryption algorithm for communication with the C&C server, AES in CFB mode.
- The encrypted information sent to the C&C server carries the string suffix &&& at the end.
- The payloads use the string ~! as a delimiter for the information sent or received.
- Two samples included in the Operation Manul report (SHA-1: ADB7FC1CC9DD76725C1A81C5F17D03DE64F73296 and 916DF5B73B75F03E86C78FC3D19EF5D2DC1B7B92) seem to be linked to the Bandidos campaign, according to our telemetry data. The campaign IDs of these samples (January 2015 v3 and JUNE 2015 TEAM) show how far back in time the campaigns go.
- All the samples included in Check Point’s report as “Full Version” in fact target Venezuela and are part of the Bandidos campaign.
- The dropper uses the process hollowing technique to inject the payloads.
We also found some differences, showing changes to the malware over the years, such as:
- The dropper, for this campaign, changed its encryption algorithm from CAST-256 to GOST.
- It seems that the malware now has only two DLLs for all its extra functionality instead of the five DLLs mentioned in the Operation Manul report.
- Two new export methods were added to dec.dll, named GenerateOfflineDB and RECSCREEN.
- This latest sample contains 132 commands, instead of the 120 commands mentioned in Check Point’s report.
- Unlike the smaller executables described in Check Point’s report, which are signed and seem to be part of a different campaign, these samples are unsigned executables.
- There is a command with the string AVE_MARIA, which could be related to the AVE MARIA (aka Warzone) RAT.
Bandook is a RAT that has been active since 2005. Its involvement in different, already documented espionage campaigns shows that it is still a relevant tool for cybercriminals. Also, the changes made to the malware over the years show the interest of cybercriminals in continuing to use this piece of malware in malicious campaigns, making it more sophisticated and harder to detect.
Although there are few documented campaigns in Latin America, such as Machete or Operation Spalax, Venezuela is a country that, due to its geopolitical situation, is a likely target for cyberespionage.
A full and comprehensive list of Indicators of Compromise (IoCs) and samples can be found in our GitHub repository.
For any inquiries, or to make sample submissions related to the subject, contact us at [email protected]
Indicators of Compromise (IoCs)
d1.ngobmc[.]com:7891 – 194.5.250[.]103
d2.ngobmc[.]com:7892 – 194.5.250[.]103
r2.panjo[.]club:7892 – 45.142.214[.]31
pronews[.]icu – 194.36.190[.]73
ladvsa[.]club – 45.142.213[.]108
| SHA-1 | ESET detection name | Description |
| --- | --- | --- |
Older C&C servers
MITRE ATT&CK techniques
Note: This table was built using version 9 of the MITRE ATT&CK framework.
| Tactic | ID | Technique | Description |
| --- | --- | --- | --- |
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment | Bandook operators have used emails with PDF files attached that contain links to download malware. |
| Execution | T1204.001 | User Execution: Malicious Link | Bandook operators have used malicious links to download malware. |
| | T1204.002 | User Execution: Malicious File | Bandook operators have tried to get victims to execute malicious files. |
| Defense Evasion | T1027 | Obfuscated Files or Information | Bandook operators encrypt the payload hidden in the dropper. |
| | T1055.012 | Process Injection: Process Hollowing | Bandook operators use process hollowing to inject the payload into legitimate processes. |
| | T1112 | Modify Registry | Bandook operators have tried to modify registry entries to hide information. |
| | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Bandook operators have tried to create a Run registry key. |
| Discovery | T1057 | Process Discovery | Bandook uses Windows API functions to discover running processes on victims’ machines. |
| | T1083 | File and Directory Discovery | Bandook operators try to discover files or folders under a specific path. |
| Collection | T1025 | Data from Removable Media | Bandook operators try to read data from removable media. |
| | T1056.001 | Input Capture: Keylogging | Bandook operators may try to capture user keystrokes to obtain credentials. |
| | T1113 | Screen Capture | Bandook can take screenshots of the victim’s machine. |
| | T1123 | Audio Capture | Bandook can record audio from the victim’s machine. |
| | T1125 | Video Capture | Bandook can record video from the webcam. |
| Command and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | Bandook uses AES for encrypting C&C communications. |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Bandook exfiltrates information over the same channel used for C&C. |
| | T1048.002 | Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Bandook exfiltrates information using a malicious URL via HTTPS. |