ESET Research uncovers an active malicious campaign that uses new versions of old malware, Bandook, to spy on its victims
In 2021 we detected an ongoing campaign targeting corporate networks in Spanish-speaking countries, with 90% of the detections in Venezuela. When comparing the malware used in this campaign with what was previously documented, we found new functionality and changes to this malware, known as Bandook. We also found that this campaign targeting Venezuela, despite being active since at least 2015, has somehow remained undocumented. Given the malware used and the targeted locale, we chose to name this campaign Bandidos.
Bandook is an old remote access trojan: there are references to it being available online as early as 2005, though its use by organized groups was not documented until 2016. The report published that year by EFF, Operation Manul, describes the use of Bandook to target journalists and dissidents in Europe. Then in 2018, Lookout published its research uncovering other espionage campaigns that had different targets but used the same infrastructure. They gave the name Dark Caracal to the group responsible for the attacks. Finally, Check Point's report in 2020 showed that the attackers started to use signed executables to target many verticals in various countries.
Previous reports have mentioned that the developers of Bandook might be developers for hire (also known as "malware as a service"), which makes sense given the various campaigns with different targets seen through the years. We should note, however, that in 2021 we have seen only one active campaign: the one targeting Spanish-speaking countries that we document here.
Although we have seen more than 200 detections for the malware droppers in Venezuela in 2021, we have not identified a specific vertical targeted by this malicious campaign. According to our telemetry data, the main interests of the attackers are corporate networks in Venezuela: some in manufacturing companies, others in construction, healthcare, software services, and even retail. Given the capabilities of the malware and the kind of information that is exfiltrated, it seems that the main purpose of these Bandidos is to spy on their victims. Their targets and their method of approaching them are more similar to cybercrime operations than to APT activities such as Operation Manul.
Attack overview
Malicious emails with a PDF attachment are sent to targets. The PDF file contains a link to download a compressed archive and the password to extract it. Inside the archive there is an executable file: a dropper that injects Bandook into an Internet Explorer process. Figure 1 provides an overview of this attack chain.
Emails that contain these attachments are usually short; one example is shown in Figure 2. The phone number at the bottom of the message is a mobile number in Venezuela, though it is unlikely to be related to the attackers.
The attackers use URL shorteners such as Rebrandly or Bitly in their PDF attachments. The shortened URLs redirect to cloud storage services such as Google Cloud Storage, SpiderOak, or pCloud, from where the malware is downloaded.
Figure 3 and Figure 4 are examples of PDFs used in this campaign. The images used in the PDFs are stock photos available online.
The content of the PDF files is generic and has been used with various filenames that vary between targets. The password for the downloaded archive is 123456.
For a list of URLs used to download the malware, please refer to the section Indicators of Compromise (IoCs).
Dropper
Bandook is hybrid Delphi/C++ malware. The dropper is coded in Delphi and is easily recognizable because it stores the payload encrypted and base64 encoded in the resource section of the file. The main purpose of the dropper is to decode, decrypt and run the payload and to make sure that the malware persists in a compromised system. The encryption algorithm was CAST-256 in samples from previous years of this campaign, but changed to GOST in 2021.
When the dropper is executed, it creates four instances of iexplore.exe, into which the payload will be injected via process hollowing. Then four entries are created in the Windows registry in HKCU\Software\Microsoft\Windows\CurrentVersion. The names of the registry values are based on the process ID (PID) of each of these newly created processes, and the values are base64 encoded and contain the path to the dropper, a number to identify different actions (explained later), and another value that is not used in the samples that we analyzed. The created entries are shown in Figure 5, along with an example of a decoded value.
Samples from other campaigns follow the same logic, but they use other encryption algorithms.
Payload
When the payload is injected inside the iexplore.exe processes, it will start loading global variables used for various purposes:
- Names for mutexes
- Names for Windows registry keys
- URLs used for:
  - C&C communication
  - Downloading malicious DLLs
- Parameters to some DLL functions
- Filenames, for example for persistence
- Variables used as parameters for some DLL functions
- Paths for downloaded files
- Payload execution date
Once the payload has finished loading the global variables, it continues its execution by obtaining the PID of the process it was injected into. This PID is used to retrieve the base64-encoded data created by the dropper, mentioned above. Once the data is retrieved, the payload decodes it and extracts the action identifier (see Figure 5). This value indicates the action it must perform.
Depending on the obtained value, the payload is capable of performing four different actions.
If the value is 0:
- Creates a Windows registry value with the name mep
- Tries to download two DLLs from a URL in the global variables
- Tries to load these DLLs into memory
- Creates different threads to invoke some of these DLLs' functions
- Starts active communication with the C&C server
If the value is 1:
- Establishes persistence on the victim's machine; this is explained in the Registry and persistence section.
If the value is 2:
- Creates a Windows registry value with the name api
- Searches for one of the downloaded DLLs, named dec.dll; if it exists, loads it into memory and calls the export method Init, which creates five folders used for different purposes – for example, to save encrypted logs in the Bandook persistence folder mentioned in the Registry and persistence section.
If the value is 3:
- Creates a registry value with the name pim
- Checks whether persistence succeeded; if not, sets up persistence in the folder mentioned in the Registry and persistence section.
Figure 6 depicts a decompilation of this action-handling code.
Two DLLs are downloaded, either by the first action mentioned above or during communication with the C&C server; they are named dec.dll and dep.dll (the internal name of the first one is capmodule.dll).
dec.dll has a set of functions that enable spying on the victim's machine. Some of these functions are capable of dropping a malicious Google Chrome extension, and of stealing information from a USB drive. Meanwhile, dep.dll, which we were not able to obtain, has a set of functions that seem to be related to handling files in various formats.
Figure 7 shows part of the decompiled code that loads dec.dll into memory. Figure 8 shows the code related to dep.dll.
Registry and persistence
The payload achieves persistence on the victim's machine by copying the dropper into a new folder, created by the payload at a path of the form:
%APPDATA%\<RANDOM_STRING>\<RANDOM_STRING>.exe
Both the persisted dropper and the folder use the same name, which is a random string generated by the payload. The screenshot in Figure 9 shows the registry value created by the payload to maintain persistence.
We have also detected other values created by the payload in the Windows registry that relate to its behavior, such as: the name used for persistence, a random number used as an ID to identify the victim's machine, possible filenames (of files that will be downloaded by the payload or created by the payload itself), and the infection date, among other things.
Table 1 contains the registry entries created by the payload during our analysis, with a brief description of each.
Table 1. Registry entries created by one of the analyzed Bandook samples
Registry path | Key | Value | Description
---|---|---|---
HKCU\Software\Microsoft\Windows\CurrentVersion | der333f | Ixaakiiumcicbcpspmof | Random string used for persistence
HKCU\Software\Microsoft\Windows\CurrentVersion | FDFfda | 5/5/2021 | Compromise date
HKCU\Software\Microsoft\Windows\CurrentVersion | NVhfhfjs | <RANDOM_NUMBER> | Used to identify the victim's machine
HKCU\Software\Microsoft\Windows\CurrentVersion | AMMY132 | <RANDOM_NUMBER>.exe | Related to the export method ExecuteAMMMY from dec.dll
HKCU\Software\Microsoft\Windows\CurrentVersion | gn | <RANDOM_NUMBER>.exe | Related to a new file downloaded during the download of the DLLs, before the connection to the C&C server
HKCU\Software\Microsoft\Windows\CurrentVersion | idate | 05.05.2021 | Compromise date
HKCU\Software\Microsoft\Windows\CurrentVersion | mep | 2608 | Process ID of the payload used for the communication with the C&C server
HKCU\Software\Microsoft\Windows\CurrentVersion | rno1 | <RANDOM_NUMBER>.exe | Can be used to rename a downloaded file through the C&C communication
HKCU\Software\Microsoft\Windows\CurrentVersion | tvn | <RANDOM_NUMBER>.dce | Related to the export method ExecuteTVNew from dec.dll
HKCU\Software\Microsoft\Windows\CurrentVersion | api | 2716 | Process ID of the payload instance that installs the external DLLs
HKCU\Software\Microsoft\Windows\CurrentVersion | pim | 2732 | Process ID of the payload instance that checks the malware persistence
HKCU\Software\Microsoft\Windows\CurrentVersion | DRT3 | 1 | Related to the export name ChromeInject from dec.dll
Other registry locations that can be used to achieve persistence on the victim's machine are:
- HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
- HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
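Turning the registry artifacts above into a triage check, as an added example that is not part of the ESET report: the script below reads a flat export of (key path, value name, value data) tuples, as a live-response tool would produce, and flags the Table 1 value names, the PID-named values whose base64 payload contains an executable path, and autostart entries whose target has the %APPDATA%\<X>\<X>.exe shape. The sample export and the decoded layout of the PID values (path, action number and unused field joined by |) are constructed for the example; the report only states that those three fields are present.

```python
r"""Registry triage for Bandook-style artifacts.

Added example, not code from the ESET report. Input is a flat list of
(key_path, value_name, value_data) tuples. Flags:
  * value names the report attributes to the payload under
    HKCU\Software\Microsoft\Windows\CurrentVersion (Table 1);
  * numeric value names under that key (the dropper names them after the
    PID of the hollowed iexplore.exe) whose data base64-decodes to
    something containing an .exe path;
  * autostart entries pointing to %APPDATA%\<X>\<X>.exe, i.e. a folder and
    an executable sharing one random name.
The "<path>|<action>|<unused>" layout of the PID values is a constructed
assumption; the report only says those three fields are present.
"""
import base64
import re

CURRENT_VERSION = r"hkcu\software\microsoft\windows\currentversion"

# Value names from Table 1 of the report (compared case-insensitively).
KNOWN_VALUE_NAMES = {
    "der333f", "fdffda", "nvhfhfjs", "ammy132", "gn", "idate",
    "mep", "rno1", "tvn", "api", "pim", "drt3",
}

# Autostart locations named in the report.
AUTOSTART_KEYS = {
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows nt\currentversion\windows",
    r"hkcu\software\microsoft\windows nt\currentversion\winlogon",
}

# %APPDATA%\<name>\<name>.exe or its expanded Roaming form; the
# backreference enforces that folder and file share the same name.
PERSIST_RE = re.compile(
    r"(?:%appdata%|\\appdata\\roaming)\\([^\\]+)\\\1\.exe",
    re.IGNORECASE,
)


def _decodes_to_exe_path(data: str) -> bool:
    """True if data is valid base64 whose plaintext mentions an .exe path."""
    try:
        plain = base64.b64decode(data, validate=True)
    except (ValueError, TypeError):
        return False
    return b".exe" in plain.lower()


def triage_registry(entries):
    """Return a list of findings, each a (key_path, value_name, reason) tuple."""
    findings = []
    for key_path, name, data in entries:
        key = key_path.lower().strip("\\")
        if key == CURRENT_VERSION:
            if name.lower() in KNOWN_VALUE_NAMES:
                findings.append((key_path, name, "Bandook value name from Table 1"))
            elif name.isdigit() and _decodes_to_exe_path(data):
                findings.append((key_path, name, "PID-named value with base64 .exe path"))
        if key in AUTOSTART_KEYS and PERSIST_RE.search(data.strip('"')):
            findings.append((key_path, name, "autostart points to %APPDATA%\\X\\X.exe"))
    return findings


# Constructed sample export: three Bandook-style entries and one benign one.
_PID_PLAINTEXT = b"C:\\Users\\victim\\Downloads\\Lista_de_precios.exe|0|0"  # assumed layout
SAMPLE_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion", "mep", "2608"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion", "2608",
     base64.b64encode(_PID_PLAINTEXT).decode()),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Ixaakiiumcicbcpspmof",
     r"%APPDATA%\Ixaakiiumcicbcpspmof\Ixaakiiumcicbcpspmof.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for key, name, reason in triage_registry(SAMPLE_ENTRIES):
        print(f"{reason}: {key}\\{name}")
```

The folder-equals-executable test is the most portable of the three checks, since the random names and PIDs change per infection while the shape of the persistence path does not; the Table 1 names are specific to the analyzed sample and may differ in other builds.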
Network communication
The communication starts by resolving the IP address of a domain (d2.ngobmc[.]com) stored in the global variables and then establishing a TCP connection to that address on a four-digit port number that changes according to the campaign. Once the payload establishes this connection, it sends basic information about the victim's machine, such as computer name, username, OS version, infection date, and malware version.
After that, the payload maintains active communication with the C&C server, waiting for commands to execute.
In many cases the information sent to the C&C server is encrypted using AES in CFB mode with the key HuZ82K83ad392jVBhr2Au383Pud82AuF, but in other cases the information is sent as cleartext.
The following is an example of the basic information to be exfiltrated to the C&C server, before it is encrypted:
!O12HYV~!2870~!0.0.0.0~!Computer~!Administrator~!Ten~!0d 14h 2m~!0~!5.2~!FB2021~!0~!0~!0~!0~!~!0~!0–~!None~!0~!5/5/2021~!
Of particular interest are the fields:
- !O12HYV: Hardcoded value
- 2870: Victim's ID generated by the malware
- 0.0.0.0: Victim's IP address (fake value for privacy reasons)
- Computer: Computer name
- Administrator: Username
- Ten: OS version
- 5.2: Malware version
- FB2021: Campaign ID
- 5/5/2021: Date of compromise
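A parser for this check-in string, as an added example that is not part of the report: it splits on the ~! delimiter, names the positions the report labels above, and exposes a cheap heuristic for spotting cleartext check-ins and the @<ID> command tokens in captured traffic. Positions the report does not label are returned as field_<n>; the sample string is the report's own example.

```python
"""Parser and detection heuristic for the Bandook check-in string.

Added example, not code from the ESET report. Field positions come from
the labelled fields in the report's sample; positions the report does not
label (6, 7, 10 to 18) are returned as field_<n> without interpretation.
"""
import re

DELIM = "~!"
HARDCODED_PREFIX = "!O12HYV"

# Positions the report documents (0-based, after splitting on "~!").
FIELD_NAMES = {
    0: "hardcoded",
    1: "victim_id",
    2: "victim_ip",
    3: "computer_name",
    4: "username",
    5: "os_version",
    8: "malware_version",
    9: "campaign_id",
    19: "compromise_date",
}

# C&C commands look like @0001 (four digits); *DJDSR^ is the one exception.
COMMAND_RE = re.compile(r"^(?:@\d{4}|\*DJDSR\^)$")


def split_fields(beacon: str) -> list:
    """Split on ~!, dropping the empty element the trailing delimiter produces."""
    if beacon.endswith(DELIM):
        beacon = beacon[: -len(DELIM)]
    return beacon.split(DELIM)


def parse_beacon(beacon: str) -> dict:
    """Map the delimited check-in string to named fields."""
    fields = split_fields(beacon)
    return {FIELD_NAMES.get(i, f"field_{i}"): v for i, v in enumerate(fields)}


def looks_like_bandook_beacon(text: str) -> bool:
    """Heuristic for cleartext check-ins: the hardcoded marker in front,
    the ~! delimiter and the 20-field layout seen in the sample."""
    fields = split_fields(text)
    return fields[0] == HARDCODED_PREFIX and len(fields) == 20


def is_command_token(token: str) -> bool:
    """True for tokens shaped like the C&C command identifiers."""
    return bool(COMMAND_RE.match(token))


# The report's own pre-encryption sample, with the IP already masked.
SAMPLE_BEACON = (
    "!O12HYV~!2870~!0.0.0.0~!Computer~!Administrator~!Ten~!0d 14h 2m~!0~!5.2"
    "~!FB2021~!0~!0~!0~!0~!~!0~!0–~!None~!0~!5/5/2021~!"
)

if __name__ == "__main__":
    for k, v in parse_beacon(SAMPLE_BEACON).items():
        print(f"{k:16} {v!r}")
```

Only the cleartext variant can be matched this way; for the encrypted variant the same parser applies after decryption, and the &&& suffix mentioned later in the report marks the end of the encrypted blob.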
Figure 10 and Figure 11 are Wireshark screenshots showing two different examples of encrypted and cleartext transmission of information sent to the C&C server.
Regarding the commands that the payload is capable of processing, we found that this sample has 132 commands, although some of these have very similar behaviors. These commands use the pattern @<ID> – for example, @0001 – except for the *DJDSR^ command. Depending on the received command, the payload is capable of performing the following actions:
- Obtain information about the victim's drive units
- List the content of a specific directory
- File manipulation
- Take screenshots
- Control the cursor on the victim's machine:
  - Move it to a specific position
  - Perform left or right clicks
- Install or uninstall the malicious DLLs (dec.dll or dep.dll)
- Close some connections previously opened by the payload
- Kill running processes or threads
- Pop up a message using MessageBoxA
- Send files to the C&C server
- Invoke DLL functions (dec.dll or dep.dll)
- Windows registry manipulation:
  - Check the existence of a registry key or value
  - Create a registry key or value
  - Delete a registry key or value
- Uninstall the malware
- Download a file from a URL
- Execute downloaded files using the function ShellExecuteW
- Obtain the victim's public IP address
- Skype program manipulation:
  - Stop the process
  - Check the existence of the main.db file
- Stop the TeamViewer process and invoke a function from dec.dll named ExecuteTVNew
- Check whether Java is installed on the victim's machine
- Execute files with extension .pyc or .jar using Python or Java
Here is a list of what dec.dll is capable of doing on the victim's machine:
- Chrome browser manipulation
- File manipulation:
  - Compress a file
  - Split a file
  - Search for a file
  - Upload a file
- Send files to the C&C server
- USB manipulation
- Get Wi-Fi connections
- Start a shell
- DDoS
- Sign out from Skype
- Manipulate the victim's screen
- Manipulate the victim's webcam
- Record sound
- Execute malicious programs
DLL analysis – ChromeInject functionality
When the communication with the C&C server is established, as mentioned above, the payload downloads dec.dll. We analyzed one of the most interesting exported methods, named ChromeInject.
This method installs a malicious Chrome extension by:
- Terminating the chrome.exe process if it is running
- Creating a folder at %APPDATA%\OPR
- Creating two files:
  - %APPDATA%\OPR\Main.js
  - %APPDATA%\OPR\Manifest.json
- Enabling developer mode in Google Chrome by manipulating the preferences file located at:
  - %LOCALAPPDATA%\Google\Chrome\User Data\Default
- Obtaining the Google Chrome executable path from the registry, in this case from:
  - SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe
- Launching Google Chrome
- Invoking Windows APIs such as GetForegroundWindow, SetClipboardData, and keybd_event to load the malicious Chrome extension by simulating a manual installation; it:
  - Loads chrome://extensions into the clipboard and pastes it by sending Ctrl+V keystrokes
  - Sends Tab keystrokes to select the Load unpacked option
  - Loads the path to the OPR folder into the clipboard and pastes it by sending Ctrl+V keystrokes
This malicious extension tries to retrieve any credentials that the victim submits to a URL by reading the values inside the form tag before they are sent. These credentials are saved in Chrome's local storage under the key batata13, and the URL to which the credentials are sent under the key batata14. This information is exfiltrated to a different URL located in the global variables of the payload. In our sample this URL was:
https://pronews[.]icu/gtwwfggg/get.php?action=gc1
Figure 12 shows the installed malicious Chrome extension.
Figure 13 and Figure 14 are screenshots showing, respectively, the Manifest.json and the (deobfuscated) Main.js source code.
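A defensive counterpart to ChromeInject, as an added example that is not from the report: a check of a Chrome profile's Preferences JSON for developer mode being switched on and for an unpacked extension loaded from %APPDATA%\OPR, plus a check of that folder for the Main.js/Manifest.json pair. The preference keys extensions.ui.developer_mode and extensions.settings.<id>.path, the absolute-path test for unpacked extensions, and the sample Preferences excerpt are assumptions about Chrome's file layout rather than something the report states; verify them against the Chrome build you are examining.

```python
r"""Audit a Chrome profile for the ChromeInject side effects: developer
mode switched on and an unpacked extension loaded from %APPDATA%\OPR.

Added example, not code from the ESET report. The JSON layout assumed here
(extensions.ui.developer_mode and extensions.settings.<id>.path) is an
assumption about Chrome's Preferences file; newer builds keep extension
settings in "Secure Preferences" instead, so check the build you examine.
"""
import json
import re

# The two artifacts the report names under %APPDATA%\OPR.
DROPPED_FILES = {"main.js", "manifest.json"}
OPR_PATH_RE = re.compile(r"\\appdata\\roaming\\opr$", re.IGNORECASE)
ABSOLUTE_WIN_PATH_RE = re.compile(r"^[a-zA-Z]:\\")


def audit_chrome_prefs(prefs: dict) -> list:
    """Return (severity, message) findings for one profile's Preferences."""
    findings = []
    ext = prefs.get("extensions", {})
    if ext.get("ui", {}).get("developer_mode") is True:
        findings.append(("medium", "extension developer mode is enabled"))
    for ext_id, settings in ext.get("settings", {}).items():
        path = str(settings.get("path", ""))
        # Store-installed extensions use a relative "<id>\<version>" path;
        # an absolute path is what "Load unpacked" leaves behind (assumption).
        if ABSOLUTE_WIN_PATH_RE.match(path):
            sev = "high" if OPR_PATH_RE.search(path) else "medium"
            findings.append((sev, f"unpacked extension {ext_id} loaded from {path}"))
    return findings


def audit_opr_folder(listing: list) -> list:
    """Flag a folder listing that contains both dropped files."""
    names = {n.lower() for n in listing}
    if DROPPED_FILES <= names:
        return [("high", "%APPDATA%\\OPR contains Main.js and Manifest.json")]
    return []


# Constructed Preferences excerpt: one store extension and the injected one.
SAMPLE_PREFS = json.loads(r"""
{
  "extensions": {
    "ui": {"developer_mode": true},
    "settings": {
      "aaaabbbbccccddddeeeeffffgggghhhh": {"path": "aaaabbbbccccddddeeeeffffgggghhhh\\1.2.3_0"},
      "iiiijjjjkkkkllllmmmmnnnnoooopppp": {"path": "C:\\Users\\victim\\AppData\\Roaming\\OPR"}
    }
  }
}
""")

if __name__ == "__main__":
    results = audit_chrome_prefs(SAMPLE_PREFS)
    results += audit_opr_folder(["Main.js", "Manifest.json"])
    for sev, msg in results:
        print(f"[{sev}] {msg}")
```

Developer mode on its own is a weak signal (developers turn it on legitimately), which is why it is rated medium and only the OPR path is rated high; on a fleet, the combination of the two plus the dropped file pair is the condition worth alerting on.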
Overlaps and differences with other campaigns
We compared the behavior of our analyzed sample against other posts and documented campaigns such as Operation Manul and Dark Caracal, and there are some similarities:
- The payloads use the same encryption algorithm for communication with the C&C server, AES in CFB mode.
- The encrypted information sent to the C&C server carries the string suffix &&& at the end.
- The payloads use the string ~! as a delimiter for the information sent or received.
- Two samples included in the Operation Manul report (SHA-1: ADB7FC1CC9DD76725C1A81C5F17D03DE64F73296 and 916DF5B73B75F03E86C78FC3D19EF5D2DC1B7B92) seem to be related to the Bandidos campaign, according to our telemetry data. The campaign IDs of these samples (January 2015 v3 and JUNE 2015 TEAM) show how far back in time the campaigns go.
- All the samples included in Check Point's report as "Full Version" in fact target Venezuela and are part of the Bandidos campaign.
- The dropper uses the process hollowing technique to inject the payloads.
We also found some differences, showing changes to the malware through the years:
- The dropper, for this campaign, changed its encryption algorithm from CAST-256 to GOST.
- The malware now appears to have only two DLLs for all its additional functionality instead of the five DLLs mentioned in the Operation Manul report.
- Two new export methods have been added to dec.dll, named GenerateOfflineDB and RECSCREEN.
- This latest sample contains 132 commands, instead of the 120 commands mentioned in Check Point's report.
- Unlike the smaller executables described in Check Point's report, which are signed and seem to be part of a different campaign, these samples are unsigned executables.
- There is a command with the string AVE_MARIA, which has been used in many RATs (for example, Warzone RAT).
Conclusion
Bandook is a RAT active since 2005. Its involvement in different espionage campaigns, already documented, shows that it is still a relevant tool for cybercriminals. Also, if we consider the modifications made to the malware through the years, it shows the interest of cybercriminals in continuing to use this piece of malware in malicious campaigns, making it more sophisticated and harder to detect.
Although there are few documented campaigns in Latin America, such as Machete or Operation Spalax, Venezuela is a country that, due to its geopolitical situation, is a likely target for cyberespionage.
A full and comprehensive list of Indicators of Compromise (IoCs) and samples can be found in our GitHub repository.
For any inquiries, or to make sample submissions related to the subject, contact us at threatintel@eset.com.
Indicators of Compromise (IoCs)
C&C servers
d1.ngobmc[.]com:7891 – 194.5.250[.]103
d2.ngobmc[.]com:7892 – 194.5.250[.]103
r2.panjo[.]club:7892 – 45.142.214[.]31
pronews[.]icu – 194.36.190[.]73
ladvsa[.]club – 45.142.213[.]108
Samples
SHA-1 | ESET detection name | Description
---|---|---
4B8364271848A9B677F2B4C3AF4FE042991D93DF | PDF/TrojanDownloader.Agent.AMF | Malicious email
F384BDD63D3541C45FAD9D82EF7F36F6C380D4DD | PDF/TrojanDownloader.Agent.AMF | Malicious PDF
A06665748DF3D4DEF63A4DCBD50917C087F57A27 | PDF/Phishing.F.Gen | Malicious PDF
89F1E932CC37E4515433696E3963BB3163CC4927 | Win32/Bandok.NAT | Dropper
124ABF42098E644D172D9EA69B05AF8EC45D6E49 | Win32/Bandok.NAT | Dropper
AF1F08A0D2E0D40E99FCABA6C1C090B093AC0756 | Win32/Bandok.NAT | Dropper
0CB9641A9BF076DBD3BA38369C1C16FCDB104FC2 | Win32/Bandok.NAT | Payload
D32E7178127CE9B217E1335D23FAC3963EA73626 | Win32/Bandok.NAT | Payload
5F58FCED5B53D427B29C1796638808D5D0AE39BE | Win32/Bandok.NAT | Payload
1F94A8C5F63C0CA3FCCC1235C5ECBD8504343437 | – | dec.dll (encrypted)
8D2B48D37B2B56C5045BCEE20904BCE991F99272 | JS/Kryptik.ALB | Main.js
Download URLs
https://rebrand[.]ly/lista-de-precios-2021
https://rebrand[.]ly/lista-de-precios-01
https://rebrand[.]ly/Lista-de-Precios
https://rebrand[.]ly/lista-de-precios-actualizada
https://rebrand[.]ly/Lista-de-precio-1-actualizada
https://rebrand[.]ly/Lista-de-precios-2-actualizada
https://rebrand[.]ly/Precios-Actualizados
https://rebrand[.]ly/recibo-de-pago-mes-03
https://rebrand[.]ly/Factura-001561493
https://rebrand[.]ly/Comunicado_Enero
https://rebrand[.]ly/Comunicado-23943983
https://rebrand[.]ly/Cotizacion-de-productos
https://rebrand[.]ly/informacion_bonos_productividad
https://rebrand[.]ly/aviso-de-cobro
https://bit[.]ly/lista-de-precios2
http://bit[.]ly/2yftKk3
https://bitly[.]com/v-coti_cion03
https://spideroak[.]com/storage/OVPXG4DJMRSXE33BNNPWC5LUN5PTMMZXG4ZTM/shared/1759328-1-1050/Cotizacion nuevas.rar?ad16ce86ca4bb1ff6ff0a7172faf2e05
https://spideroak[.]com/storage/OVPXG4DJMRSXE33BNNPWC5LUN5PTMMRSHA4DA/shared/1744230-1-1028/Lista%20de%20Precios.rar?cd05638af8e76da97e66f1bb77d353eb
https://filedn[.]com/lpBkXnHaBUPzXwEpUriDSr4/Lista_de_precios.rar
https://filedn[.]com/l9nI3nYhBEH5QqSeMUzzhMb/Facturas/Lista_de_Precios.rar
Older C&C servers
d1.p2020[.]club:5670
d2.p2020[.]club:5671
s1.fikofiko[.]top:5672
s2.fikofiko[.]top:5673
s3.fikofiko[.]top:5674
s1.megawoc[.]com:7891
s2.megawoc[.]com:7892
s3.megawoc[.]com:7893
hellofromtheotherside[.]club:6792
medialog[.]top:3806
nahlabahla.hopto[.]org:9005
dianaojeil.hopto[.]org:8021
nathashadarin.hopto[.]org:8022
laraasaker.hopto[.]org:5553
mayataboush.hopto[.]org:5552
jhonny1.hopto[.]org:7401
j2.premiumdns[.]top:7402
j3.newoneok[.]top:9903
p2020[.]xyz
vdsm[.]xyz
www.blueberry2017[.]com
www.watermelon2017[.]com
www.orange2017[.]com
dbclave[.]info
panel.newoneok[.]top
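To put the network indicators above to work, here is an added example (not code from the report) that refangs a subset of the C&C hosts, IP addresses and download URLs and matches constructed proxy log lines against them. Because rebrand.ly, bit.ly, spideroak.com and filedn.com are legitimate services, download URLs match only as full URLs, and the hopto.org entries match on the full dynamic-DNS hostname; the log format and lines are constructed for the example.

```python
"""Match proxy log lines against the Bandook network IoCs.

Added example, not code from the ESET report. Indicators are copied from
the report in defanged form and refanged here; only a subset is included
to keep the example short. Shortener and cloud-storage hosts are
legitimate services, so those entries match on the full URL only. The log
format and the sample lines are constructed.
"""
import re
from urllib.parse import urlsplit

# C&C hosts, current and older. hopto.org names are dynamic DNS, so the full
# hostname is the indicator, never the hopto.org suffix.
CC_HOSTS = {
    "d1.ngobmc.com", "d2.ngobmc.com", "r2.panjo.club", "pronews.icu",
    "ladvsa.club", "d1.p2020.club", "s1.fikofiko.top", "s1.megawoc.com",
    "hellofromtheotherside.club", "medialog.top", "nahlabahla.hopto.org",
    "panel.newoneok.top",
}
CC_IPS = {"194.5.250.103", "45.142.214.31", "194.36.190.73", "45.142.213.108"}
DEFANGED_DOWNLOAD_URLS = {
    "https://rebrand[.]ly/lista-de-precios-2021",
    "https://bit[.]ly/lista-de-precios2",
    "https://filedn[.]com/lpBkXnHaBUPzXwEpUriDSr4/Lista_de_precios.rar",
}


def refang(indicator: str) -> str:
    """Turn 'd2.ngobmc[.]com' back into 'd2.ngobmc.com'."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


DOWNLOAD_URLS = {refang(u).lower() for u in DEFANGED_DOWNLOAD_URLS}


def host_matches(host: str) -> bool:
    """True if host is a C&C IP, a C&C hostname or a subdomain of one."""
    host = host.lower().rstrip(".")
    return host in CC_IPS or any(host == h or host.endswith("." + h) for h in CC_HOSTS)


def classify(dst_ip: str, url: str):
    """Return why a (destination IP, URL) pair is suspicious, or None."""
    if dst_ip in CC_IPS:
        return f"destination {dst_ip} is a Bandook C&C address"
    host = urlsplit(url).hostname or ""
    if host_matches(host):
        return f"host {host} is a Bandook C&C domain"
    if url.lower() in DOWNLOAD_URLS:
        return f"{url} is a known Bandook download URL"
    return None


# Constructed log format: "<timestamp> <src_ip> <dst_ip>:<dst_port> <url>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+)$")


def scan_logs(lines):
    """Return (line_number, reason) for each line touching an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, _src, dst, _port, url = m.groups()
        reason = classify(dst, url)
        if reason:
            hits.append((n, reason))
    return hits


# Constructed sample lines; non-IoC addresses use documentation ranges.
SAMPLE_LOG = [
    "2021-05-05T10:00:01 10.0.0.15 203.0.113.10:443 https://rebrand.ly/lista-de-precios-2021",
    "2021-05-05T10:00:09 10.0.0.15 203.0.113.10:443 https://rebrand.ly/some-legitimate-link",
    "2021-05-05T10:01:30 10.0.0.15 194.5.250.103:7892 tcp://d2.ngobmc.com:7892",
    "2021-05-05T10:02:00 10.0.0.15 198.51.100.5:443 https://example.com/",
    "2021-05-05T10:03:00 10.0.0.15 203.0.113.9:443 https://pronews.icu/gtwwfggg/get.php?action=gc1",
]

if __name__ == "__main__":
    for n, reason in scan_logs(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

The IP matches are the most perishable part of this list, since the report's addresses will be reassigned over time; the domains and the full download URLs age better, and the four-digit C&C ports alone are too generic to alert on.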
MITRE ATT&CK techniques
Note: This table was built using version 9 of the MITRE ATT&CK framework.
Tactic | ID | Name | Description
---|---|---|---
Initial Access | T1566.001 | Phishing: Spearphishing Attachment | Bandook operators have used emails with attached PDF files that contain links to download malware.
Execution | T1204.001 | User Execution: Malicious Link | Bandook operators have used malicious links to download malware.
Execution | T1204.002 | User Execution: Malicious File | Bandook operators have tried to get victims to execute malicious files.
Defense Evasion | T1027 | Obfuscated Files or Information | Bandook operators encrypt the payload hidden in the dropper.
Defense Evasion | T1055.012 | Process Injection: Process Hollowing | Bandook operators use process hollowing to inject the payload into legitimate processes.
Defense Evasion | T1112 | Modify Registry | Bandook operators have tried to modify registry entries to hide information.
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Bandook operators have tried to create a Run registry key.
Discovery | T1057 | Process Discovery | Bandook uses Windows API functions to discover running processes on victims' machines.
Discovery | T1083 | File and Directory Discovery | Bandook operators try to discover files or folders from a specific path.
Collection | T1025 | Data from Removable Media | Bandook operators try to read data from removable media.
Collection | T1056.001 | Input Capture: Keylogging | Bandook operators may try to capture user keystrokes to obtain credentials.
Collection | T1113 | Screen Capture | Bandook can take screenshots of the victim's machine.
Collection | T1123 | Audio Capture | Bandook can record audio on the victim's machine.
Collection | T1125 | Video Capture | Bandook can record video from the webcam.
Command and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | Bandook uses AES for encrypting C&C communications.
Exfiltration | T1041 | Exfiltration Over C2 Channel | Bandook exfiltrates information over the same channel used for C&C.
Exfiltration | T1048.002 | Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Bandook exfiltrates information to a malicious URL via HTTPS.