[MART] - Daily Diary #549 - Meet Bandook RAT

CTAS-MAT ctas-mat at appgate.com
Mon Jul 11 23:29:16 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

07/11/2022 - Diary entry #549:

Active since 2005, Bandook is a Remote Access Trojan used by different threat actors worldwide in espionage campaigns and, most recently, to target victims in Spanish-speaking countries. The latest campaign has been active since 2020 and was analyzed by our team over the past few weeks.

Bandook is currently distributed via spam as a password-protected RAR (compressed) file, which prevents mail gateways and AV engines from inspecting its contents. The file names are disguised as billing documents. After execution, it loads an embedded, encrypted payload that is injected into the memory of a legitimate process. Next, it downloads additional files from a URL and, depending on a previously configured parameter, performs specific actions on the machine. Then, it establishes a connection with the C2.
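Because the archive is password-protected, the attachment itself is the first thing a mail gateway can act on. The following added example (not Appgate's or the MART list's code) shows a triage check that walks RAR4 block headers and RAR5 headers just far enough to tell whether the archive, or any file entry in it, is encrypted, without ever extracting anything. Header layouts and flag values follow the public RAR format notes; the sample archives are constructed fixtures with zeroed CRCs, not real Bandook samples, and the file name "invoice.exe" is only an illustration of the billing-document lure.

```python
"""Mail-gateway triage: flag RAR attachments that are password-protected.

Added example (not Appgate's code). It parses RAR4 block headers and RAR5
headers far enough to see whether block headers or any file entry are
encrypted. The sample archives below are constructed fixtures.
"""
import struct

RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"

# RAR4 block types and flags (from the public RAR "Block Format" notes)
MAIN_HEAD, FILE_HEAD = 0x73, 0x74
MHD_PASSWORD = 0x0080  # block headers themselves are encrypted
LHD_PASSWORD = 0x0004  # this file entry is encrypted
LHD_LARGE = 0x0100     # 64-bit sizes present (HIGH_PACK_SIZE after ATTR)
LONG_BLOCK = 0x8000    # block carries a trailing ADD_SIZE data area


def rar4_is_password_protected(data: bytes) -> bool:
    """Walk RAR4 blocks; True if headers or any file entry are encrypted."""
    pos = len(RAR4_MAGIC)
    while pos + 7 <= len(data):
        head_type = data[pos + 2]
        flags, head_size = struct.unpack_from("<HH", data, pos + 3)
        if head_size < 7:
            break  # corrupt header: stop instead of looping forever
        if head_type == MAIN_HEAD and flags & MHD_PASSWORD:
            return True
        data_size = 0
        if head_type == FILE_HEAD:
            if flags & LHD_PASSWORD:
                return True
            data_size = struct.unpack_from("<I", data, pos + 7)[0]  # PACK_SIZE
            if flags & LHD_LARGE:
                data_size |= struct.unpack_from("<I", data, pos + 32)[0] << 32
        elif flags & LONG_BLOCK:
            data_size = struct.unpack_from("<I", data, pos + 7)[0]  # ADD_SIZE
        pos += head_size + data_size
    return False


def _vint(data: bytes, pos: int):
    """RAR5 variable-length integer: 7 bits per byte, MSB = continuation."""
    value = shift = 0
    while True:
        b = data[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def rar5_is_password_protected(data: bytes) -> bool:
    """True on an archive encryption header (type 4) or a file encryption
    extra record (type 0x01) inside a file/service header."""
    pos = len(RAR5_MAGIC)
    while pos + 5 <= len(data):
        size, p = _vint(data, pos + 4)      # skip the 4-byte header CRC32
        hdr_end = p + size                  # size counts from the type field
        htype, p = _vint(data, p)
        if htype == 4:                      # whole archive is encrypted
            return True
        if htype == 5:                      # end-of-archive header
            break
        hflags, p = _vint(data, p)
        extra_size = data_size = 0
        if hflags & 0x01:
            extra_size, p = _vint(data, p)
        if hflags & 0x02:
            data_size, p = _vint(data, p)
        if htype in (2, 3) and extra_size:  # extra area sits at header end
            q = hdr_end - extra_size
            while q < hdr_end:
                rec_size, r = _vint(data, q)
                rec_type, _ = _vint(data, r)
                if rec_type == 0x01:        # file encryption record
                    return True
                q = r + rec_size
        pos = hdr_end + data_size
    return False


def attachment_is_encrypted_rar(data: bytes):
    """None if the blob is not a RAR archive, else whether it needs a password."""
    if data.startswith(RAR5_MAGIC):
        return rar5_is_password_protected(data)
    if data.startswith(RAR4_MAGIC):
        return rar4_is_password_protected(data)
    return None


def build_rar4_sample(encrypted: bool) -> bytes:
    """Constructed RAR4 fixture: one main block, one stored 4-byte file."""
    name = b"invoice.exe"  # illustrative lure name, not a real IoC
    main = struct.pack("<HBHH", 0, MAIN_HEAD, 0, 13) + b"\x00" * 6
    flags = LONG_BLOCK | (LHD_PASSWORD if encrypted else 0)
    file_hdr = struct.pack("<HBHHIIBIIBBHI", 0, FILE_HEAD, flags, 32 + len(name),
                           4, 4, 2, 0, 0, 29, 0x30, len(name), 0x20) + name
    return RAR4_MAGIC + main + file_hdr + b"\x00" * 4


# Constructed RAR5 fixtures (CRC32 fields zeroed; the parser ignores them).
RAR5_PLAIN = RAR5_MAGIC + b"\0\0\0\0\x03\x01\x00\x00" + b"\0\0\0\0\x03\x05\x00\x00"
RAR5_ENC_HEADERS = RAR5_MAGIC + b"\0\0\0\0\x15\x04\x00\x00\x00\x0f" + b"\0" * 16
_ENC_REC = b"\x24\x01\x00\x00\x0f" + b"\0" * 32  # extra record of type 0x01
RAR5_ENC_FILE = (RAR5_MAGIC + b"\0\0\0\0\x3a\x02\x03\x25\x04\x00\x04\x00\x00\x00\x0b"
                 + b"invoice.exe" + _ENC_REC + b"\0" * 4)

if __name__ == "__main__":
    for label, blob in [("rar4 plain", build_rar4_sample(False)),
                        ("rar4 encrypted", build_rar4_sample(True)),
                        ("rar5 plain", RAR5_PLAIN),
                        ("rar5 encrypted headers", RAR5_ENC_HEADERS),
                        ("rar5 encrypted file", RAR5_ENC_FILE)]:
        print(f"{label}: {attachment_is_encrypted_rar(blob)}")
```

A gateway can feed each attachment to attachment_is_encrypted_rar and quarantine or flag for review when it returns True; the check reads only headers, so it is cheap enough to run on every message and does not depend on the AV engine being able to open the archive.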

Among its capabilities, Bandook can execute arbitrary commands, upload files to the C2, take screenshots, record the screen, download and execute additional payloads, interact with Microsoft Skype, inject a browser extension into Google Chrome, and perform DDoS attacks, among many others.

Curiously, in the campaign analyzed by our team, the C2 server has been active since January of this year. This is very unusual, because most C2 domains remain active only for a short period of time, forcing attackers to rely on multiple servers for redundancy. A single C2 server staying alive for such a long period probably means that many users are affected.

To be protected against Bandook, users should not download files from unknown senders via e-mail, and keep their AV solutions up to date.

Kind Regards,




Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>

