Bandidos at large: A spying campaign in Latin America

In 2021 we detected an ongoing marketing campaign concentrating on company networks in Spanish-speaking nations, with 90% of the detections in Venezuela. When evaluating the malware used on this marketing campaign with what was beforehand documented, we discovered new performance and modifications to this malware, generally known as Bandook. We additionally discovered that this marketing campaign concentrating on Venezuela, regardless of being energetic since no less than 2015, has someway remained undocumented. Given the malware used and the focused locale, we selected to call this marketing campaign Bandidos.

Bandook is an outdated distant entry trojan: there are references to it being out there on-line as early as 2005, although its use by organized teams was not documented till 2016. The report revealed that 12 months by EFF, Operation Manul, describes the usage of Bandook to focus on journalists and dissidents in Europe. Then in 2018, Lookout revealed its analysis uncovering different espionage campaigns that had completely different targets however used the identical infrastructumre. They gave the identify Dark Caracal to the group accountable for the assaults. Lastly, Check Point’s report in 2020 confirmed that the attackers began to make use of signed executables to focus on many verticals in varied nations.

Earlier stories have talked about that the builders of Bandook is likely to be builders for rent (also referred to as “malware as a service”), which is smart given the varied campaigns with completely different targets seen by means of the years. We should be aware, nevertheless, that in 2021 now we have seen just one energetic marketing campaign: the one concentrating on Spanish-speaking nations that we doc right here.

Though now we have seen greater than 200 detections for the malware droppers in Venezuela in 2021, now we have not recognized a selected vertical focused by this malicious marketing campaign. In response to our telemetry information, the principle pursuits of the attackers are company networks in Venezuela; some in manufacturing corporations, others in building, healthcare, software program companies, and even retail. Given the capabilities of the malware and the sort of data that’s exfiltrated, it looks as if the principle function of those Bandidos is to spy on their victims. Their targets and their methodology of approaching them is extra just like cybercrime operations than to APT actions similar to Operation Manul.

Assault overview

Malicious emails with a PDF attachment are despatched to targets. The PDF file incorporates a hyperlink to obtain a compressed archive and the password to extract it. Contained in the archive there may be an executable file: a dropper that injects Bandook into an Web Explorer course of. Determine 1 supplies an outline of this assault chain.

Emails that include these attachments are often brief; one instance is proven in Determine 2. The telephone quantity on the backside of the message is a cellular quantity in Venezuela, although it’s unlikely to be associated to the attackers.

The attackers use URL shorteners similar to Rebrandly or Bitly of their PDF attachments. The shortened URLs redirect to cloud storage companies similar to Google Cloud Storage, SpiderOak, or pCloud, from the place the malware is downloaded.

Determine 3 and Determine 4 are examples of PDFs used on this marketing campaign. The pictures used within the PDFs are inventory photos out there on-line.

The content material of the PDF recordsdata is generic and has been used with varied filenames that change between targets. The password for the downloaded archive is 123456.

For an inventory of URLs used to obtain the malware please confer with the part Indicators of Compromise (IoCs).

Dropper

Bandook is hybrid Delphi/C++ malware. The dropper is coded in Delphi and is definitely recognizable as a result of it shops the payload encrypted and base64 encoded within the useful resource part of the file. The primary function of the dropper is to decode, decrypt and run the payload and to ensure that the malware persists in a compromised system. The encryption algorithm was CAST-256 in samples from earlier years of this marketing campaign, however modified to GOST in 2021.

When the dropper is executed, it creates 4 cases of iexplore.exe, the place the payload will likely be injected by way of course of hollowing. Then 4 entries are created within the Home windows registry in HKCUSoftwareMicrosoftWindowsCurrentVersion. The names of the registry keys are based mostly on the method ID (PID) of every of those newly created processes and the values are base64 encoded and include the trail to the dropper, a quantity to determine completely different actions, which will likely be defined later, and one other worth that isn’t used within the samples that we analyzed. The created keys are proven in Determine 5, together with an instance of a decoded worth.

Samples from different campaigns comply with the identical logic, however they use different encryption algorithms.

Payload

When the payload is injected contained in the iexplore.exe processes, it is going to begin loading international variables used for varied functions:

• Names for mutexes
• Names for Home windows registry keys
• URLs used for:
  • C&C communication
  • Downloading malicious DLLs
  • Parameters to some DLL capabilities
• Filenames, for instance for persistence
• Variables used as parameters for some DLL capabilities
• Paths for downloaded recordsdata
• Payload execution date

As soon as the payload has completed loading the worldwide variables, it is going to proceed its execution acquiring its injected course of’s PID. This PID is used to acquire the base64-encoded information created by the dropper, talked about above. As soon as the info is retrieved, the payload will decode it and get the motion identifier (see Determine 5) worth from it. This worth signifies the motion it should carry out.

Relying on the obtained worth, the payload is able to performing 4 completely different actions.

If the worth is 0:

• Creates a Home windows registry key with the identify mep
• Tries to obtain two DLLs from a URL within the international variables
• Tries to load these DLLs into reminiscence
• Creates completely different threads to invoke a few of these DLLs’ capabilities
• Begins energetic communication with the C&C server

If the worth is 1:

• Establishes persistence on the sufferer’s machine; this will likely be defined within the Registry and persistence part.
  

If the worth is 2:

• Creates a Home windows registry key with the identify api
• Searches for one of many downloaded DLLs, named dec.dll; if it exists, hundreds it into reminiscence and calls the export methodology Init, which creates 5 folders used for various functions – for instance, save encrypted logs on the Bandook continued folder talked about within the Registry and persistence part.

If the worth is 3:

• Creates a registry key with the identify pim
• Checks whether or not persistence succeeded; if not, will set up persistence within the folder talked about within the Registry and persistence part.
  

Determine 6 depicts a decompilation of this payload-handling code.

Two DLLs might be downloaded from the primary motion talked about above or throughout communication with the C&C server, and they’re named dec.dll and dep.dll (the inner identify for the primary one is capmodule.dll).

dec.dll has a set of capabilities that allow spying on the sufferer’s machine. A few of these capabilities are able to dropping a malicious Google Chrome extension, and of stealing data from a USB Drive. In the meantime, dep.dll, which we weren’t in a position to get hold of, has a set of capabilities that appear to be associated to dealing with recordsdata in varied codecs:

Determine 7 exhibits a part of the decompiled code that hundreds dec.dll into reminiscence. Determine 8 exhibits the code associated to dep.dll.

Registry and persistence

The payload achieves persistence on the sufferer’s machine by copying the dropper into a brand new folder, created by the payload at a path of the shape:

%APPDATA%.exe

Each the continued dropper and the folder use the identical identify, which is a random string generated by the payload. The screenshot in Determine 9 exhibits the registry worth created by the payload to take care of persistence.

We have now additionally detected different values created by the payload within the Home windows registry keys associated with its conduct, like: the identify used for persistence, a random quantity used as an ID to determine the sufferer’s machine, doable filenames (these recordsdata might be downloaded by the payload or created by itself), and an infection date, amongst different issues.

Desk 1 incorporates the registry entries created by the payload throughout our evaluation, with a quick description of them.

Desk 1. Registry entries created by one of many analyzed Bandook samples

Registry path	Key	Worth	Description
HKCUSoftware	der333f	Ixaakiiumcicbcpspmof	Random string used for persistence
	FDFfda	5/5/2021	Compromise date
	NVhfhfjs		Used to determine the sufferer’s machine
HKCUSoftwareVBffhdfhf	AMMY132	.exe	Associated to the export methodology ExecuteAMMMY from dec.dll
	gn	.exe	Associated to a brand new file downloaded throughout the obtain of the DLLs, earlier than the connection to the C&C server
	idate	05.05.2021	Compromise date
	mep	2608	Course of ID from the payload used for the communication with the C&C server
	rno1	.exe	Can be utilized to rename a downloaded file by means of the C&C communication
	tvn	.dce	Associated with the export methodology ExecuteTVNew from dec.dll
	api	2716	ProcessID from one of many payloads used to put in the exterior DLLs
	pim	2732	ProcessID from one of many payloads that checks the malware persistence
	DRT3	1	Associated with the export identify ChromeInject from dec.dll

Different registry places that can be utilized to realize persistence on the sufferer’s machine are:

• HKCUSoftwareMicrosoftWindows NTCurrentVersionWindows
• HKCUSoftwareMicrosoftWindows NTCurrentVersionWinlogon

Community communication

The communication begins by acquiring the IP deal with from a site (d2.ngobmc[.]com) positioned within the international variables after which establishing a TCP connection to that deal with with a four-digit port quantity that modifications in response to the marketing campaign. As soon as the payload establishes this connection, it sends primary data from the sufferer’s machine, like pc identify, username, OS model, an infection date, and malware model.

After that, the payload will preserve energetic communication with the C&C server, ready for instructions to execute.

In lots of instances the knowledge despatched to the C&C server goes to be encrypted utilizing the algorithm AES in CFB mode with the important thing HuZ82K83ad392jVBhr2Au383Pud82AuF, however in different instances the knowledge is shipped as cleartext.

The next is an instance of the essential data to be exfiltrated to the C&C server, earlier than it’s encrypted:

!O12HYV~!2870~!0.0.0.0~!Laptop~!Administrator~!Ten~!0d 14h 2m~!0~!5.2~!FB2021~!0~!0~!0~!0~!~!0~!0–~!None~!0~!5/5/2021~!

Of explicit curiosity are the fields:

• !O12HYV: Hardcoded worth
• 2870: Sufferer’s ID generated by the malware
• 0.0.0.0: Sufferer’s IP deal with (pretend worth for privateness causes)
• Laptop: Laptop identify
• Administrator: Username
• Ten: OS model
• 5.2: Malware model
• FB2021: Marketing campaign ID
• 5/5/2021: Date of compromise

Determine 10 and Determine 11 are Wireshark screenshots displaying two completely different examples of encrypted and cleartext transmission of knowledge despatched to the C&C server.

Relating to the instructions that the payload is able to processing, we discovered that this pattern has 132 instructions, though a few of these have very related behaviors. These instructions use the next sample: @ – for instance, @0001 – apart from the *DJDSR^ command. Relying on the obtained command, the payload is able to performing the next actions:

• Get hold of data from the sufferer’s drive models:
• Lists the content material of a selected listing:
• File manipulation:
• Take screenshots
• Management the cursor on the sufferer’s machine:
  • Transfer it to a selected place
  • Carry out left or proper clicks
• Set up or uninstall the malicious DLLs (dec.dll or dep.dll)
• Shut some connections beforehand opened by the payload
• Kill operating processes or threads
• Pop up a message utilizing MessageBoxA
• Ship recordsdata to the C&C server
• Invoke DLL capabilities (dec.dll or dep.dll)
• Home windows registry manipulation:
  • Examine the existence of a registry key or worth
  • Create a registry key or worth
  • Delete a registry key or worth
• Uninstall the malware
• Obtain a file from a URL
• Execute downloaded recordsdata utilizing the perform ShellExecuteW
• Get hold of the sufferer’s public IP deal with
• Skype program manipulation:
  • Cease the method
  • Examine the existence of the essential.db file
• Stops the Teamviewer course of and invokes a perform from the dec.dll named ExecuteTVNew
• Examine for Java being put in on the sufferer’s machine
• Execute recordsdata with extension .pyc or .jar utilizing Python or Java.

Here’s a listing of what dec.dll is able to doing on the sufferer’s machine:

• Chrome browser manipulation
• File manipulation:
  • Compress a file
  • Cut up a file
  • Seek for a file
  • Add a file
• Ship recordsdata to the C&C server
• USB manipulation
• Get Wi-Fi connections
• Begin a shell
• DDoS
• Signal out from Skype
• Manipulate the sufferer’s display
• Manipulate the sufferer’s webcam
• Report sound
• Execute malicious packages

DLL evaluation – ChromeInject performance

When the communication with the C&C server is established, as we talked about above, the payload downloads dec.dll. We performed an evaluation of some of the fascinating exported strategies, named ChromeInject.

This methodology creates a malicious Chrome extension, by:

• Terminating the chrome.exe course of whether it is operating
• Making a folder below %APPDATApercentOPR
• Creating two recordsdata:
  • %APPDATApercentOPRMain.js
  • %APPDATApercentOPRManifest.json
• Enabling developer mode of Google Chrome by manipulating the desire file positioned at:
  • %LOCALAPPDATApercentGoogleChromeUser DataDefault
• Acquiring the Google Chrome executable path by accessing the registry, on this case it accesses:
  • SOFTWAREMicrosoftWindowsCurrentVersionApp Pathschrome.exe
• Launching Google Chrome
• Invoking Home windows APIs similar to GetForegroundWindow, SetClipboardData, and keybd_event, to load a malicious Chrome extension by simulating a person set up, it:
  • Hundreds chrome://extensions into the clipboard and pastes it by sending Ctrl+V keystrokes
  • Sends Tab keystrokes to pick out the Load unpacked choice
  • Hundreds the trail to the OPR folder into the clipboard and pastes it by sending Ctrl+V keystrokes

This malicious extension tries to retrieve any credentials that the sufferer submits to a URL by studying the values contained in the kind tag earlier than they’re despatched. These credentials are saved in Chrome’s native storage with the important thing batata13 and their corresponding URL, the place the credentials are despatched, with the important thing batata14. This data is exfiltrated to a unique URL positioned within the international variables of the payload. In our pattern this URL was:

https://pronews[.]icu/gtwwfggg/get.php?motion=gc1

Determine 12 exhibits the put in malicious Chrome extension.

Determine 13 and Determine 14 are screenshots respectively displaying the Manifest.json and the Principal.js (deobfuscated) supply code.

Overlaps and variations with different campaigns

We in contrast the conduct of our analyzed pattern in opposition to different posts and documented campaigns like Operation Manul and Darkish Caracal and there are some similarities, like:

• The payloads use the identical encryption algorithm for communication with the C&C server, AES in CFB mode.
• The encrypted data despatched to the C&C server makes use of the string suffix &&& on the finish of it.
• The payloads use the ~! suffix string as a delimiter for the knowledge despatched or obtained.
• Two samples included within the Operation Manul report (SHA-1: ADB7FC1CC9DD76725C1A81C5F17D03DE64F73296 and 916DF5B73B75F03E86C78FC3D19EF5D2DC1B7B92) appear to be linked to the Bandidos marketing campaign, in response to our telemetry information. The marketing campaign ID for these samples (January 2015 v3 and JUNE 2015 TEAM) present how far again in time the campaigns go.
• All of the samples included in Examine Level’s report as “Full Model” in reality goal Venezuela and are a part of the Bandidos marketing campaign.
• The dropper makes use of the method hollowing approach to inject the payloads.

We additionally discovered some variations, displaying modifications to the malware through the years, like:

• The dropper, for this marketing campaign, modified its encryption algorithm from CAST-256 to GOST.
• Evidently the malware now has solely two DLLs for all its additional performance as an alternative of the 5 DLLs talked about within the Operation Manul report.
• Two new export strategies have been added to the dec.dll, named GenerateOfflineDB and RECSCREEN.
• This newest pattern incorporates 132 instructions, as an alternative of the 120 instructions talked about in Check Point’s report.
• In contrast to the smaller executables described in Examine Level’s report, that are signed and appear to be a part of a unique marketing campaign, these samples are unsigned executables.
• There’s a command with the string AVE_MARIA, which might be associated to the AVE MARIA (aka Warzone) RAT.

Conclusion

Bandook is a RAT energetic since 2005. Its involvement in several espionage campaigns, already documented, exhibits us that it’s nonetheless a related instrument for cybercriminals. Additionally, if we contemplate the modifications made to the malware through the years, it exhibits us the curiosity of cybercriminals to maintain utilizing this piece of malware in malicious campaigns, making it extra subtle and tougher to detect.

Though there are few documented campaigns in Latin America, similar to Machete or Operation Spalax, Venezuela is a rustic that, attributable to its geopolitical state of affairs, is a possible goal for cyberespionage.

A full and complete listing of Indicators of Compromise (IoCs) and samples might be present in our GitHub repository.

For any inquiries, or to make pattern submissions associated to the topic, contact us at [email protected]

Indicators of Compromise (IoCs)

C&C servers

d1.ngobmc[.]com:7891 – 194.5.250[.]103
d2.ngobmc[.]com:7892 – 194.5.250[.]103
r2.panjo[.]membership:7892 – 45.142.214[.]31
pronews[.]icu – 194.36.190[.]73
ladvsa[.]membership – 45.142.213[.]108

Samples

SHA-1	ESET detection identify	Description
4B8364271848A9B677F2B4C3AF4FE042991D93DF	PDF/TrojanDownloader.Agent.AMF	Malicious e-mail
F384BDD63D3541C45FAD9D82EF7F36F6C380D4DD	PDF/TrojanDownloader.Agent.AMF	Malicious PDF
A06665748DF3D4DEF63A4DCBD50917C087F57A27	PDF/Phishing.F.Gen	Malicious PDF
89F1E932CC37E4515433696E3963BB3163CC4927	Win32/Bandok.NAT	Dropper
124ABF42098E644D172D9EA69B05AF8EC45D6E49	Win32/Bandok.NAT	Dropper
AF1F08A0D2E0D40E99FCABA6C1C090B093AC0756	Win32/Bandok.NAT	Dropper
0CB9641A9BF076DBD3BA38369C1C16FCDB104FC2	Win32/Bandok.NAT	Payload
D32E7178127CE9B217E1335D23FAC3963EA73626	Win32/Bandok.NAT	Payload
5F58FCED5B53D427B29C1796638808D5D0AE39BE	Win32/Bandok.NAT	Payload
1F94A8C5F63C0CA3FCCC1235C5ECBD8504343437	–	dec.dll (encrypted)
8D2B48D37B2B56C5045BCEE20904BCE991F99272	JS/Kryptik.ALB	Principal.js

Obtain URLs

https://rebrand[.]ly/lista-de-precios-2021
https://rebrand[.]ly/lista-de-precios-01
https://rebrand[.]ly/Lista-de-Precios
https://rebrand[.]ly/lista-de-precios-actualizada
https://rebrand[.]ly/Lista-de-precio-1-actualizada
https://rebrand[.]ly/Lista-de-precios-2-actualizada
https://rebrand[.]ly/Precios-Actualizados
https://rebrand[.]ly/recibo-de-pago-mes-03
https://rebrand[.]ly/Factura-001561493
https://rebrand[.]ly/Comunicado_Enero
https://rebrand[.]ly/Comunicado-23943983
https://rebrand[.]ly/Cotizacion-de-productos
https://rebrand[.]ly/informacion_bonos_productividad
https://rebrand[.]ly/aviso-de-cobro
https://bit[.]ly/lista-de-precios2
http://bit[.]ly/2yftKk3
https://bitly[.]com/v-coti_cion03
https://spideroak[.]com/storage/OVPXG4DJMRSXE33BNNPWC5LUN5PTMMZXG4ZTM/shared/1759328-1-1050/Cotizacion nuevas.rar?ad16ce86ca4bb1ff6ff0a7172faf2e05
https://spideroak[.]com/storage/OVPXG4DJMRSXE33BNNPWC5LUN5PTMMRSHA4DA/shared/1744230-1-1028/Listapercent20depercent20Precios.rar?cd05638af8e76da97e66f1bb77d353eb
https://filedn[.]com/lpBkXnHaBUPzXwEpUriDSr4/Lista_de_precios.rar
https://filedn[.]com/l9nI3nYhBEH5QqSeMUzzhMb/Facturas/Lista_de_Precios.rar

Older C&C servers

d1.p2020[.]membership:5670
d2.p2020[.]membership:5671
s1.fikofiko[.]prime:5672
s2.fikofiko[.]prime:5673
s3.fikofiko[.]prime:5674
s1.megawoc[.]com:7891
s2.megawoc[.]com:7892
s3.megawoc[.]com:7893
hellofromtheotherside[.]membership:6792
medialog[.]prime:3806
nahlabahla.hopto[.]org:9005
dianaojeil.hopto[.]org:8021
nathashadarin.hopto[.]org:8022
laraasaker.hopto[.]org:5553
mayataboush.hopto[.]org:5552
jhonny1.hopto[.]org:7401
j2.premiumdns[.]prime:7402
j3.newoneok[.]prime:9903
p2020[.]xyz
vdsm[.]xyz
www.blueberry2017[.]com
www.watermelon2017[.]com
www.orange2017[.]com
dbclave[.]information
panel.newoneok[.]prime

MITRE ATT&CK strategies

Notice: This desk was constructed utilizing version 9 of the MITRE ATT&CK framework.

Tactic	ID	Identify	Description
Preliminary Entry	T1566.001	Phishing: Spearphishing attachment	Bandook operators have used emails with PDF recordsdata hooked up that include hyperlinks to obtain malware.
Execution	T1204.001	Person Execution: Malicious Hyperlink	Bandook operators have used malicious hyperlinks to obtain malware.
	T1204.002	Person Execution: Malicious File	Bandook operators have tried to get victims to execute malicious recordsdata.
Protection Evasion	T1027	Obfuscated Information or data	Bandook operators encrypt the payload hidden within the dropper.
	T1055.012	Course of Injection: Course of Hollowing	Bandook operators use course of hollowing to inject the payload into authentic processes.
	T1112	Modify Registry	Bandook operators have tried to change registry entries to cover data.
	T1547.001	Boot or Logon Autostart Execution: Registry Run keys / Startup Folder	Bandook operators have tried to create a Run registry key.
Discovery	T1057	Course of Discovery	Bandook makes use of Home windows API capabilities to find operating processes on sufferer’s machines.
	T1083	File and Listing Discovery	Bandook operators attempt to uncover recordsdata or folders from a selected path.
Assortment	T1025	Information from Detachable Media	Bandook operators attempt to learn information from detachable media.
	T0156.001	Enter Seize: Keylogging	Bandook operators might attempt to seize person keystrokes to acquire credentials.
	T1113	Display screen Seize	Bandook can take screenshots from the sufferer’s machine.
	T1123	Audio Seize	Bandook can document audio from the sufferer’s machine.
	T1125	Video Seize	Bandook can document video from the webcam.
Command And Management	T1573.001	Encrypted Channel: Symmetric Cryptography	Bandook makes use of AES for encrypting C&C communications.
Exfiltration	T1041	Exfiltration Over C2 channel	Bandook exfiltrates data over the identical channel used for C&C.
	T1048.002	Exfiltration Over Different Protocol: Exfiltration Over Uneven Encrypted Non-C2 Protocol	Bandook exfiltrates data utilizing a malicious URL by way of HTTPS.