A new variant of the Bandook remote access Trojan (RAT) targeting Windows devices has recently been discovered [2] [3] [4] [5]. It is distributed through phishing emails carrying malicious PDF files [2] [4] and poses a significant threat to Windows machines [5].

Description

Cybersecurity researchers have recently discovered a new variant of the Bandook RAT that targets Windows devices [2] [4]. It is distributed through phishing emails carrying a malicious PDF [2] [4]. The PDF contains a link to a password-protected 7z archive rather than the payload itself, which keeps the executable out of reach of attachment scanning. Once the archive is extracted [1] [5], the malware injects its payload into msinfo32.exe, a legitimate Windows system binary, so that the malicious code runs under a trusted process name [1] [2].

Bandook then establishes persistence on the compromised host by modifying the Windows Registry [2] [4] [6] and contacts its command-and-control (C2) server to receive instructions and retrieve additional payloads. Typically the server returns a stage-two payload that gives the operators full control of the compromised machine [4].
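The chain above (a payload hosted inside msinfo32.exe, a registry change for persistence, then C2 traffic from that process) gives defenders three separate signals that are individually noisy but strong when they land on the same process. The following Python sketch is an added example, not code from Fortinet or any of the cited reports: it correlates constructed endpoint events (modelled loosely on Sysmon process-create, registry-set and network-connect records) by PID. The parent-process allowlist, the Run-key paths and the two-hit threshold are assumptions to tune, since the reports say only that the registry is modified and a C2 server is contacted.

```python
"""Added example: correlating Bandook-style behaviours (payload inside
msinfo32.exe, registry persistence, C2 traffic) across constructed
endpoint events. Not code from any cited report."""
from collections import defaultdict

MSINFO = "msinfo32.exe"

# Assumed allowlist: parents from which an interactive launch of System
# Information is normal. Tune this to the environment.
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "mmc.exe"}

# Registry paths commonly used for user-level persistence. Assumption: the
# reports only say "modifies the Windows Registry", not which key.
RUN_KEY_FRAGMENTS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

# Constructed sample events, loosely modelled on Sysmon event IDs
# 1 (process create), 13 (registry value set) and 3 (network connect).
# Paths, PIDs and the 203.0.113.10 address are made up for the example.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4100, "image": "C:\\Windows\\System32\\msinfo32.exe",
     "parent_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\7zO4A2\\loader.exe"},
    {"id": 13, "pid": 4100, "image": "C:\\Windows\\System32\\msinfo32.exe",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"},
    {"id": 3, "pid": 4100, "image": "C:\\Windows\\System32\\msinfo32.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},
    # Benign: a user opening System Information from the Start menu.
    {"id": 1, "pid": 5200, "image": "C:\\Windows\\System32\\msinfo32.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    # Unrelated process making a connection: must not match.
    {"id": 3, "pid": 6300, "image": "C:\\Program Files\\Firefox\\firefox.exe",
     "dest_ip": "198.51.100.7", "dest_port": 443},
]


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict):
    """Return the name of the rule this event trips, or None."""
    if basename(event.get("image", "")) != MSINFO:
        return None
    if event["id"] == 1 and basename(event["parent_image"]) not in EXPECTED_PARENTS:
        # Something other than the shell started msinfo32.exe: consistent
        # with an injector creating the host process for its payload.
        return "msinfo32_unexpected_parent"
    if event["id"] == 13 and any(f in event["target"].lower() for f in RUN_KEY_FRAGMENTS):
        # System Information has no business writing autostart entries.
        return "msinfo32_run_key_write"
    if event["id"] == 3:
        # msinfo32.exe does not need outbound connections; a production rule
        # may exempt internal ranges used for remote-computer queries.
        return "msinfo32_outbound_connection"
    return None


def correlate(events):
    """Map pid -> set of rule names, so one process with several hits stands out."""
    hits = defaultdict(set)
    for ev in events:
        rule = evaluate(ev)
        if rule is not None:
            hits[ev["pid"]].add(rule)
    return dict(hits)


def suspicious_pids(events, min_hits=2):
    """PIDs tripping at least `min_hits` distinct rules (threshold is an assumption)."""
    return sorted(pid for pid, rules in correlate(events).items() if len(rules) >= min_hits)


if __name__ == "__main__":
    for pid, rules in correlate(SAMPLE_EVENTS).items():
        print(pid, sorted(rules))
    print("suspicious:", suspicious_pids(SAMPLE_EVENTS))
```

On the constructed events only PID 4100 trips all three rules; the interactive msinfo32.exe launch from explorer.exe and the browser connection produce no hits, which is the point of correlating by process rather than alerting on any single event.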

Bandook has been active for several years and has been observed across many sectors and regions [4]. One notable campaign used it for cyber espionage against corporate networks in Spanish-speaking countries [6].

Bandook is a long-established RAT, in circulation since 2007, that gives an operator remote control of a compromised system [1]. Researchers observed multiple variants in 2020, showing its continued presence in the threat landscape, and Bandook is believed to be part of an offensive toolset sold by a third party to governments and threat actors worldwide [2]. In July 2021 [1], an enhanced variant was used in a cyber espionage campaign against Spanish-speaking nations [1]. The current variant, identified by Fortinet FortiGuard Labs, is spread through phishing attacks against Windows machines [1] and follows the infection chain described above: a PDF lure linking to a password-protected 7z archive, payload injection into a legitimate Windows binary once the archive is extracted [1] [5], persistence through the Windows Registry, and a connection to a command-and-control server for further instructions [1] [6]. Its capabilities include file and registry manipulation [1] [6], information theft [1] [2], downloading additional files [1], executing files [1] [2], controlling the victim's computer [1] [2] [6], terminating processes [1], and removing itself from the host [1]. Because the tool is actively maintained and relies on stealthy infiltration techniques, defenders should treat any sighting of it as an evolving threat rather than a one-off [1].

Conclusion

The discovery of this new Bandook variant shows that the RAT remains an active threat to Windows machines. Because the lure is a PDF linking to a password-protected 7z archive, the payload never arrives as an attachment that a mail gateway can unpack and scan, so email filtering alone is not enough; detection also has to cover what happens on the endpoint, namely a payload running inside msinfo32.exe, registry changes made for persistence, and C2 traffic from a system utility that has no reason to talk to the internet. Organizations and individuals should combine phishing awareness with endpoint monitoring and keep their behavioural rules and signatures current, since the steady stream of Bandook variants means defences need ongoing attention rather than a one-time fix.

References

[1] https://www.varutra.com/ctp/threatpost/postDetails/New-Variant-of-Bandook-RAT-Targets-Windows-Machines/OXVKRWc3WTk2ais4Yk1yc2hMK2J4dz09/
[2] https://telegraph247.com/tech/this-new-type-of-malware-targets-windows-machines-so-be-careful/
[3] https://www.msspalert.com/news/managed-security-services-provider-mssp-market-news-5-january-2024
[4] https://www.techradar.com/pro/security/this-brand-new-type-of-malware-is-out-to-target-windows-machines-so-watch-out
[5] https://dhacker.in/bandook-rat-microsoft-windows-machines-on-the-target/
[6] https://thehackernews.com/2024/01/new-bandook-rat-variant-resurfaces.html