Cybersecurity researchers have discovered a new piece of malware targeting Windows devices, so be on the lookout.
Experts from Fortinet’s FortiGuard Labs claim to have found a previously undetected version of a remote access trojan called Bandook.
This malware was first spotted in 2007, TheHackerNews reports, when it was described as an “off-the-shelf malware with a wide range of features.” The end goal was always the same, though – to grant the operators remote access to infected endpoints.
Bandook akimbo
The latest version was seen being distributed via phishing emails. Apparently, the attackers are sending out malicious PDF files that embed a link to a password-protected .7z archive.
“After the victim extracts the malware with the password in the PDF file, the malware injects its payload into msinfo32.exe,” explained security researcher Pei Han Liao. Msinfo32 is a legitimate windows binary tasked with gathering system information. It is generally used to diagnose different computer issues.
Bandook, however, changes the Windows Registry to establish persistence, and then reaches out to its command-and-control (C2) server to ask for further instructions. Usually, the instructions include a stage-two payload which grant full access to the attackers.
“These actions can be roughly categorized as file manipulation, registry manipulation, download, information stealing, file execution, invocation of functions in DLLs from the C2, controlling the victim’s computer, process killing, and uninstalling the malware,” Han Liao concluded.
Bandook, apparently named after the word for “gun” in Hindi, has been disappearing and reappearing throughout the years. In 2020, Checkpoint’s researchers found “dozens of digitally signed variants of this once commodity malware,” adding that there’s been an “unusually large variety of targeted sectors and locations.”
“In the latest wave of attacks, we once again identified an unusually large variety of targeted sectors and locations. This further reinforces a previous hypothesis that the malware is not developed in-house and used by a single entity, but is part of an offensive infrastructure sold by a third party to governments and threat actors worldwide, to facilitate offensive cyber operations,” the researchers said at the time.
