ESET Analysis uncovers an energetic malicious marketing campaign that makes use of new variations of previous malware, Bandook, to spy on its victims
In 2021 we detected an ongoing marketing campaign focusing on company networks in Spanish-speaking nations, with 90% of the detections in Venezuela. When evaluating the malware used on this marketing campaign with what was beforehand documented, we discovered new performance and adjustments to this malware, generally known as Bandook. We additionally discovered that this marketing campaign focusing on Venezuela, regardless of being energetic since not less than 2015, has by some means remained undocumented. Given the malware used and the focused locale, we selected to call this marketing campaign Bandidos.
Bandook is an previous distant entry trojan: there are references to it being accessible on-line as early as 2005, although its use by organized teams was not documented till 2016. The report printed that 12 months by EFF, Operation Manul, describes the usage of Bandook to focus on journalists and dissidents in Europe. Then in 2018, Lookout printed its analysis uncovering different espionage campaigns that had completely different targets however used the identical infrastructumre. They gave the identify Darkish Caracal to the group liable for the assaults. Lastly, Verify Level’s report in 2020 confirmed that the attackers began to make use of signed executables to focus on many verticals in varied nations.
Earlier experiences have talked about that the builders of Bandook is likely to be builders for rent (also referred to as “malware as a service”), which is sensible given the assorted campaigns with completely different targets seen by the years. We should notice, nevertheless, that in 2021 we now have seen just one energetic marketing campaign: the one focusing on Spanish-speaking nations that we doc right here.
Though we now have seen greater than 200 detections for the malware droppers in Venezuela in 2021, we now have not recognized a particular vertical focused by this malicious marketing campaign. In keeping with our telemetry information, the primary pursuits of the attackers are company networks in Venezuela; some in manufacturing firms, others in development, healthcare, software program companies, and even retail. Given the capabilities of the malware and the type of data that’s exfiltrated, it looks as if the primary objective of those Bandidos is to spy on their victims. Their targets and their methodology of approaching them is extra just like cybercrime operations than to APT actions akin to Operation Manul.
Assault overview
Malicious emails with a PDF attachment are despatched to targets. The PDF file comprises a hyperlink to obtain a compressed archive and the password to extract it. Contained in the archive there may be an executable file: a dropper that injects Bandook into an Web Explorer course of. Determine 1 offers an summary of this assault chain.
Determine 1. Overview of a typical assault
Emails that comprise these attachments are normally quick; one instance is proven in Determine 2. The cellphone quantity on the backside of the message is a cellular quantity in Venezuela, although it’s unlikely to be associated to the attackers.
Determine 2. Instance of a malicious e-mail
The attackers use URL shorteners akin to Rebrandly or Bitly of their PDF attachments. The shortened URLs redirect to cloud storage companies akin to Google Cloud Storage, SpiderOak, or pCloud, from the place the malware is downloaded.
Determine 3 and Determine 4 are examples of PDFs used on this marketing campaign. The pictures used within the PDFs are inventory photographs accessible on-line.
Determine 3. Instance of a malicious PDF file
Determine 4. One other PDF file used for social engineering
The content material of the PDF recordsdata is generic and has been used with varied filenames that change between targets. The password for the downloaded archive is 123456.
For an inventory of URLs used to obtain the malware please discuss with the part Indicators of Compromise (IoCs).
Dropper
Bandook is hybrid Delphi/C++ malware. The dropper is coded in Delphi and is well recognizable as a result of it shops the payload encrypted and base64 encoded within the useful resource part of the file. The primary objective of the dropper is to decode, decrypt and run the payload and to guarantee that the malware persists in a compromised system. The encryption algorithm was CAST-256 in samples from earlier years of this marketing campaign, however modified to GOST in 2021.
When the dropper is executed, it creates 4 situations of iexplore.exe, the place the payload will probably be injected by way of course of hollowing. Then 4 entries are created within the Home windows registry in HKCUSoftwareMicrosoftWindowsCurrentVersion. The names of the registry keys are primarily based on the method ID (PID) of every of those newly created processes and the values are base64 encoded and comprise the trail to the dropper, a quantity to determine completely different actions, which will probably be defined later, and one other worth that isn’t used within the samples that we analyzed. The created keys are proven in Determine 5, together with an instance of a decoded worth.
Determine 5. Registry keys created by the dropper with an instance of a saved worth (decoded)
Samples from different campaigns comply with the identical logic, however they use different encryption algorithms.
Payload
When the payload is injected contained in the iexplore.exe processes, it can begin loading international variables used for varied functions:
Names for mutexes
Names for Home windows registry keys
URLs used for:
C&C communication
Downloading malicious DLLs
Parameters to some DLL capabilities
Filenames, for instance for persistence
Variables used as parameters for some DLL capabilities
Paths for downloaded recordsdata
Payload execution date
As soon as the payload has completed loading the worldwide variables, it can proceed its execution acquiring its injected course of’s PID. This PID is used to acquire the base64-encoded information created by the dropper, talked about above. As soon as the info is retrieved, the payload will decode it and get the motion identifier (see Determine 5) worth from it. This worth signifies the motion it should carry out.
Relying on the obtained worth, the payload is able to performing 4 completely different actions.
If the worth is 0:
Creates a Home windows registry key with the identify mep
Tries to obtain two DLLs from a URL within the international variables
Tries to load these DLLs into reminiscence
Creates completely different threads to invoke a few of these DLLs’ capabilities
Begins energetic communication with the C&C server
If the worth is 1:
Establishes persistence on the sufferer’s machine; this will probably be defined within the Registry and persistence part.
If the worth is 2:
Creates a Home windows registry key with the identify api
Searches for one of many downloaded DLLs, named dec.dll; if it exists, hundreds it into reminiscence and calls the export methodology Init, which creates 5 folders used for various functions – for instance, save encrypted logs on the Bandook endured folder talked about within the Registry and persistence part.
If the worth is 3:
Creates a registry key with the identify pim
Checks whether or not persistence succeeded; if not, will set up persistence within the folder talked about within the Registry and persistence part.
Determine 6 depicts a decompilation of this payload-handling code.
Determine 6. Payload logic to execute completely different actions relating to the worth obtained from the registry
Two DLLs could be downloaded from the primary motion talked about above or throughout communication with the C&C server, and they’re named dec.dll and dep.dll (the inner identify for the primary one is capmodule.dll).
dec.dll has a set of capabilities that allow spying on the sufferer’s machine. A few of these capabilities are able to dropping a malicious Google Chrome extension, and of stealing data from a USB Drive. In the meantime, dep.dll, which we weren’t capable of receive, has a set of capabilities that appear to be associated to dealing with recordsdata in varied codecs:
Determine 7 reveals a part of the decompiled code that hundreds dec.dll into reminiscence. Determine 8 reveals the code associated to dep.dll.
Determine 7. Dynamic load of dec.dll into reminiscence
Determine 8. Dynamic load of dep.dll into reminiscence
Registry and persistence
The payload achieves persistence on the sufferer’s machine by copying the dropper into a brand new folder, created by the payload at a path of the shape:
%APPDATA%<RANDOM_STRING><RANDOM_STRING>.exe
Each the endured dropper and the folder use the identical identify, which is a random string generated by the payload. The screenshot in Determine 9 reveals the registry worth created by the payload to take care of persistence.
Determine 9. Malware persistence within the registry
Now we have additionally detected different values created by the payload within the Home windows registry keys associated with its habits, like: the identify used for persistence, a random quantity used as an ID to determine the sufferer’s machine, attainable filenames (these recordsdata could be downloaded by the payload or created by itself), and an infection date, amongst different issues.
Desk 1 comprises the registry entries created by the payload throughout our evaluation, with a quick description of them.
Desk 1. Registry entries created by one of many analyzed Bandook samples
Registry pathKeyValueDescription
HKCUSoftwareder333fIxaakiiumcicbcpspmofRandom string used for persistence
FDFfda5/5/2021Compromise date
NVhfhfjs<RANDOM_NUMBER>Used to determine the sufferer’s machine
HKCUSoftwareVBffhdfhfAMMY132<RANDOM_NUMBER>.exeAssociated to the export methodology ExecuteAMMMY from dec.dll
gn<RANDOM_NUMBER>.exeAssociated to a brand new file downloaded through the obtain of the DLLs, earlier than the connection to the C&C server
idate05.05.2021Compromise date
mep2608Course of ID from the payload used for the communication with the C&C server
rno1<RANDOM_NUMBER>.exeCan be utilized to rename a downloaded file by the C&C communication
tvn<RANDOM_NUMBER>.dceAssociated with the export methodology ExecuteTVNew from dec.dll
api2716ProcessID from one of many payloads used to put in the exterior DLLs
pim2732ProcessID from one of many payloads that checks the malware persistence
DRT31Associated with the export identify ChromeInject from dec.dll
Different registry areas that can be utilized to attain persistence on the sufferer’s machine are:
HKCUSoftwareMicrosoftWindows NTCurrentVersionWindows
HKCUSoftwareMicrosoftWindows NTCurrentVersionWinlogon
Community communication
The communication begins by acquiring the IP tackle from a site (d2.ngobmc[.]com) positioned within the international variables after which establishing a TCP connection to that tackle with a four-digit port quantity that adjustments based on the marketing campaign. As soon as the payload establishes this connection, it sends fundamental data from the sufferer’s machine, like laptop identify, username, OS model, an infection date, and malware model.
After that, the payload will keep energetic communication with the C&C server, ready for instructions to execute.
In lots of circumstances the data despatched to the C&C server goes to be encrypted utilizing the algorithm AES in CFB mode with the important thing HuZ82K83ad392jVBhr2Au383Pud82AuF, however in different circumstances the data is shipped as cleartext.
The next is an instance of the essential data to be exfiltrated to the C&C server, earlier than it’s encrypted:
!O12HYV~!2870~!0.0.0.0~!Pc~!Administrator~!Ten~!0d 14h 2m~!0~!5.2~!FB2021~!0~!0~!0~!0~!~!0~!0–~!None~!0~!5/5/2021~!
Of explicit curiosity are the fields:
!O12HYV: Hardcoded worth
2870: Sufferer’s ID generated by the malware
0.0.0.0: Sufferer’s IP tackle (pretend worth for privateness causes)
Pc: Pc identify
Administrator: Username
Ten: OS model
5.2: Malware model
FB2021: Marketing campaign ID
5/5/2021: Date of compromise
Determine 10 and Determine 11 are Wireshark screenshots displaying two completely different examples of encrypted and cleartext transmission of data despatched to the C&C server.
Determine 10. Site visitors seize with encrypted data despatched to the C&C server
Determine 11. Site visitors seize with cleartext data despatched to the C&C server
Relating to the instructions that the payload is able to processing, we discovered that this pattern has 132 instructions, though a few of these have very comparable behaviors. These instructions use the next sample: @<ID> – for instance, @0001 – aside from the *DJDSR^ command. Relying on the acquired command, the payload is able to performing the next actions:
Get hold of data from the sufferer’s drive models:
Lists the content material of a particular listing:
File manipulation:
Take screenshots
Management the cursor on the sufferer’s machine:
Transfer it to a particular place
Carry out left or proper clicks
Set up or uninstall the malicious DLLs (dec.dll or dep.dll)
Shut some connections beforehand opened by the payload
Kill working processes or threads
Pop up a message utilizing MessageBoxA
Ship recordsdata to the C&C server
Invoke DLL capabilities (dec.dll or dep.dll)
Home windows registry manipulation:
Verify the existence of a registry key or worth
Create a registry key or worth
Delete a registry key or worth
Uninstall the malware
Obtain a file from a URL
Execute downloaded recordsdata utilizing the perform ShellExecuteW
Get hold of the sufferer’s public IP tackle
Skype program manipulation:
Cease the method
Verify the existence of the major.db file
Stops the Teamviewer course of and invokes a perform from the dec.dll named ExecuteTVNew
Verify for Java being put in on the sufferer’s machine
Execute recordsdata with extension .pyc or .jar utilizing Python or Java.
Here’s a listing of what dec.dll is able to doing on the sufferer’s machine:
Chrome browser manipulation
File manipulation:
Compress a file
Break up a file
Seek for a file
Add a file
Ship recordsdata to the C&C server
USB manipulation
Get Wi-Fi connections
Begin a shell
DDoS
Signal out from Skype
Manipulate the sufferer’s display screen
Manipulate the sufferer’s webcam
Report sound
Execute malicious packages
DLL evaluation – ChromeInject performance
When the communication with the C&C server is established, as we talked about above, the payload downloads dec.dll. We performed an evaluation of one of the vital fascinating exported strategies, named ChromeInject.
This methodology creates a malicious Chrome extension, by:
Terminating the chrome.exe course of whether it is working
Making a folder underneath %APPDATApercentOPR
Creating two recordsdata:
%APPDATApercentOPRMain.js
%APPDATApercentOPRManifest.json
Enabling developer mode of Google Chrome by manipulating the choice file positioned at:
%LOCALAPPDATApercentGoogleChromeUser DataDefault
Acquiring the Google Chrome executable path by accessing the registry, on this case it accesses:
SOFTWAREMicrosoftWindowsCurrentVersionApp Pathschrome.exe
Launching Google Chrome
Invoking Home windows APIs akin to GetForegroundWindow, SetClipboardData, and keybd_event, to load a malicious Chrome extension by simulating a person set up, it:
Masses chrome://extensions into the clipboard and pastes it by sending Ctrl+V keystrokes
Sends Tab keystrokes to pick the Load unpacked possibility
Masses the trail to the OPR folder into the clipboard and pastes it by sending Ctrl+V keystrokes
This malicious extension tries to retrieve any credentials that the sufferer submits to a URL by studying the values contained in the type tag earlier than they’re despatched. These credentials are saved in Chrome’s native storage with the important thing batata13 and their corresponding URL, the place the credentials are despatched, with the important thing batata14. This data is exfiltrated to a special URL positioned within the international variables of the payload. In our pattern this URL was:
https://pronews[.]icu/gtwwfggg/get.php?motion=gc1
Determine 12 reveals the put in malicious Chrome extension.
Determine 12. Malicious extension created by the malware
Determine 13 and Determine 14 are screenshots respectively displaying the Manifest.json and the Major.js (deobfuscated) supply code.
Determine 13. Manifest file of the malicious extension
Determine 14. Major.js file with malicious code deobfuscated
Overlaps and variations with different campaigns
We in contrast the habits of our analyzed pattern in opposition to different posts and documented campaigns like Operation Manul and Darkish Caracal and there are some similarities, like:
The payloads use the identical encryption algorithm for communication with the C&C server, AES in CFB mode.
The encrypted data despatched to the C&C server makes use of the string suffix &&& on the finish of it.
The payloads use the ~! suffix string as a delimiter for the data despatched or acquired.
Two samples included within the Operation Manul report (SHA-1: ADB7FC1CC9DD76725C1A81C5F17D03DE64F73296 and 916DF5B73B75F03E86C78FC3D19EF5D2DC1B7B92) appear to be linked to the Bandidos marketing campaign, based on our telemetry information. The marketing campaign ID for these samples (January 2015 v3 and JUNE 2015 TEAM) present how far again in time the campaigns go.
All of the samples included in Verify Level’s report as “Full Model” the truth is goal Venezuela and are a part of the Bandidos marketing campaign.
The dropper makes use of the method hollowing method to inject the payloads.
We additionally discovered some variations, displaying adjustments to the malware through the years, like:
The dropper, for this marketing campaign, modified its encryption algorithm from CAST-256 to GOST.
Evidently the malware now has solely two DLLs for all its additional performance as a substitute of the 5 DLLs talked about within the Operation Manul report.
Two new export strategies have been added to the dec.dll, named GenerateOfflineDB and RECSCREEN.
This newest pattern comprises 132 instructions, as a substitute of the 120 instructions talked about in Verify Level’s report.
In contrast to the smaller executables described in Verify Level’s report, that are signed and appear to be a part of a special marketing campaign, these samples are unsigned executables.
There’s a command with the string AVE_MARIA, which may very well be associated to the AVE MARIA (aka Warzone) RAT.
Conclusion
Bandook is a RAT energetic since 2005. Its involvement in numerous espionage campaigns, already documented, reveals us that it’s nonetheless a related instrument for cybercriminals. Additionally, if we contemplate the modifications made to the malware through the years, it reveals us the curiosity of cybercriminals to maintain utilizing this piece of malware in malicious campaigns, making it extra subtle and harder to detect.
Though there are few documented campaigns in Latin America, akin to Machete or Operation Spalax, Venezuela is a rustic that, resulting from its geopolitical scenario, is a possible goal for cyberespionage.
A full and complete listing of Indicators of Compromise (IoCs) and samples could be present in our GitHub repository.
For any inquiries, or to make pattern submissions associated to the topic, contact us at threatintel@eset.com.
Indicators of Compromise (IoCs)
C&C servers
d1.ngobmc[.]com:7891 – 194.5.250[.]103
d2.ngobmc[.]com:7892 – 194.5.250[.]103
r2.panjo[.]membership:7892 – 45.142.214[.]31
pronews[.]icu – 194.36.190[.]73
ladvsa[.]membership – 45.142.213[.]108
Samples
SHA-1ESET detection nameDescription
4B8364271848A9B677F2B4C3AF4FE042991D93DFPDF/TrojanDownloader.Agent.AMFMalicious e-mail
F384BDD63D3541C45FAD9D82EF7F36F6C380D4DDPDF/TrojanDownloader.Agent.AMFMalicious PDF
A06665748DF3D4DEF63A4DCBD50917C087F57A27PDF/Phishing.F.GenMalicious PDF
89F1E932CC37E4515433696E3963BB3163CC4927Win32/Bandok.NATDropper
124ABF42098E644D172D9EA69B05AF8EC45D6E49Win32/Bandok.NATDropper
AF1F08A0D2E0D40E99FCABA6C1C090B093AC0756Win32/Bandok.NATDropper
0CB9641A9BF076DBD3BA38369C1C16FCDB104FC2Win32/Bandok.NATPayload
D32E7178127CE9B217E1335D23FAC3963EA73626Win32/Bandok.NATPayload
5F58FCED5B53D427B29C1796638808D5D0AE39BEWin32/Bandok.NATPayload
1F94A8C5F63C0CA3FCCC1235C5ECBD8504343437–dec.dll (encrypted)
8D2B48D37B2B56C5045BCEE20904BCE991F99272JS/Kryptik.ALBMajor.js
Obtain URLs
https://rebrand[.]ly/lista-de-precios-2021
https://rebrand[.]ly/lista-de-precios-01
https://rebrand[.]ly/Lista-de-Precios
https://rebrand[.]ly/lista-de-precios-actualizada
https://rebrand[.]ly/Lista-de-precio-1-actualizada
https://rebrand[.]ly/Lista-de-precios-2-actualizada
https://rebrand[.]ly/Precios-Actualizados
https://rebrand[.]ly/recibo-de-pago-mes-03
https://rebrand[.]ly/Factura-001561493
https://rebrand[.]ly/Comunicado_Enero
https://rebrand[.]ly/Comunicado-23943983
https://rebrand[.]ly/Cotizacion-de-productos
https://rebrand[.]ly/informacion_bonos_productividad
https://rebrand[.]ly/aviso-de-cobro
https://bit[.]ly/lista-de-precios2
http://bit[.]ly/2yftKk3
https://bitly[.]com/v-coti_cion03
https://spideroak[.]com/storage/OVPXG4DJMRSXE33BNNPWC5LUN5PTMMZXG4ZTM/shared/1759328-1-1050/Cotizacion nuevas.rar?ad16ce86ca4bb1ff6ff0a7172faf2e05
https://spideroak[.]com/storage/OVPXG4DJMRSXE33BNNPWC5LUN5PTMMRSHA4DA/shared/1744230-1-1028/Listapercent20depercent20Precios.rar?cd05638af8e76da97e66f1bb77d353eb
https://filedn[.]com/lpBkXnHaBUPzXwEpUriDSr4/Lista_de_precios.rar
https://filedn[.]com/l9nI3nYhBEH5QqSeMUzzhMb/Facturas/Lista_de_Precios.rar
Older C&C servers
d1.p2020[.]membership:5670
d2.p2020[.]membership:5671
s1.fikofiko[.]high:5672
s2.fikofiko[.]high:5673
s3.fikofiko[.]high:5674
s1.megawoc[.]com:7891
s2.megawoc[.]com:7892
s3.megawoc[.]com:7893
hellofromtheotherside[.]membership:6792
medialog[.]high:3806
nahlabahla.hopto[.]org:9005
dianaojeil.hopto[.]org:8021
nathashadarin.hopto[.]org:8022
laraasaker.hopto[.]org:5553
mayataboush.hopto[.]org:5552
jhonny1.hopto[.]org:7401
j2.premiumdns[.]high:7402
j3.newoneok[.]high:9903
p2020[.]xyz
vdsm[.]xyz
www.blueberry2017[.]com
www.watermelon2017[.]com
www.orange2017[.]com
dbclave[.]data
panel.newoneok[.]high
MITRE ATT&CK strategies
Word: This desk was constructed utilizing model 9 of the MITRE ATT&CK framework.
TacticIDNameDescription
Preliminary AccessT1566.001Phishing: Spearphishing attachmentBandook operators have used emails with PDF recordsdata hooked up that comprise hyperlinks to obtain malware.
ExecutionT1204.001User Execution: Malicious LinkBandook operators have used malicious hyperlinks to obtain malware.
T1204.002User Execution: Malicious FileBandook operators have tried to get victims to execute malicious recordsdata.
Protection EvasionT1027Obfuscated Recordsdata or informationBandook operators encrypt the payload hidden within the dropper.
T1055.012Process Injection: Course of HollowingBandook operators use course of hollowing to inject the payload into reliable processes.
T1112Modify RegistryBandook operators have tried to change registry entries to cover data.
T1547.001Boot or Logon Autostart Execution: Registry Run keys / Startup FolderBandook operators have tried to create a Run registry key.
DiscoveryT1057Process DiscoveryBandook makes use of Home windows API capabilities to find working processes on sufferer’s machines.
T1083File and Listing DiscoveryBandook operators attempt to uncover recordsdata or folders from a particular path.
CollectionT1025Data from Detachable MediaBandook operators attempt to learn information from detachable media.
T0156.001Input Seize: KeyloggingBandook operators could attempt to seize person keystrokes to acquire credentials.
T1113Screen CaptureBandook can take screenshots from the sufferer’s machine.
T1123Audio CaptureBandook can report audio from the sufferer’s machine.
T1125Video CaptureBandook can report video from the webcam.
Command And ControlT1573.001Encrypted Channel: Symmetric CryptographyBandook makes use of AES for encrypting C&C communications.
ExfiltrationT1041Exfiltration Over C2 channelBandook exfiltrates data over the identical channel used for C&C.
T1048.002Exfiltration Over Various Protocol: Exfiltration Over Uneven Encrypted Non-C2 ProtocolBandook exfiltrates data utilizing a malicious URL by way of HTTPS.