Bandook malware: What it is, how it works and how to prevent it
Bandook malware is a remote access trojan (RAT) first seen in 2007 and active for several years.
Bandook RAT, written in both Delphi and C++, was first seen as a commercial RAT and developed by a Lebanese creator named PrinceAli. Over the years, several variants of Bandook were leaked online, and the malware became available for public download.
According to Check Point research, Bandook was last spotted in 2015 and 2017-2018 in the “Operation Manul” and “Dark Caracal” campaigns, respectively. The malware then all but disappeared from the threat landscape — but it’s now having a resurgence.
Dozens of digitally-signed variants of Bandook are being disseminated in an unusually large variety of sectors and locations. Government, financial, energy, food industry, healthcare, education, IT and legal institutions are the targeted sectors. Chile, Cyprus, Germany, Indonesia, Italy, Singapore, Switzerland, Turkey and the U.S have all been impacted countries by this new wave.
As several sectors and countries have been targeted, it is suspected that the malware is not developed by a single entity but by an offensive infrastructure and is being sold to governments and threat actors worldwide.
Become a certified reverse engineer!
How Bandook is distributed
The Bandook infection process chain contains three phases. The process begins with phishing via a Microsoft Word document with embedded code delivered inside ZIP file format.
Figure 1: Bandook phishing document used to convince the user to enable the macros.
According to the CheckPoint analysis, this malware used other .doc templates and even external templates with macros.
Figure 2: Examples of lure documents and external templates with macros.
An interesting point about Bandook malspam documents is after a certain amount of time, criminals change the malicious external template to benign to bypass defenses and deliver the best possible scenario.
The Bandook external template and VBA macro
Once opened, malicious VBA macros are downloaded using the external template via URL
shortening web services like TinyURL or bit.ly.
Figure 3: bit.ly URL inside the doc file that downloads the external template with VBA macros.
After that, the macro code drops and executes the second stage — a PowerShell payload encrypted inside the original Word document. Finally, the PowerShell script downloads and executes the last stage of Bandook: the backdoor. The following image shows the high-level diagram of this threat.
Figure 4: Full chain of Bandook malware.
Bandook second stage — the PowerShell loader
As described in Figure 4, the PowerShell loader (fmx.ps1) decodes and executes a base64 encoded PowerShell stored in the second dropped file (sdmc.jpg). This payload then downloads a zip archive containing four files from Cloud services such as Dropbox, Bitbucket or AWS S3 bucket. Next, the archive is stored in the user’s public folder and the files are extracted.
Figure 5: Dropped files into the user’s public folder.
The three images are used to generate the next payload in the same folder. The files a.png and b.png are two images, but the untitled.png, unlike the other two files, is in a valid image format. It contains a hidden RC4 function encoded in the RGB values of the pixels. This is a technique used by Bandook to masquerade its presence.
After that, the PowerShell script executes the malware, opens draft.docx, and deletes all previous artifacts from the public folder.
Draft.docx is a benign document that convinces the victim that the document is no longer available and that the overall execution was successful.
Last stage — Bandook itself
The final payload is a variant of Bandook which starts with a loader to create a new instance of an Internet Explorer process and inject a malicious payload into it. Here, a well-known technique called Process Hollowing is used to load into the memory a loader written in Delphi. Delphi is a programming language used widely by criminals during malicious operations, including Latin American trojans such as Javali.
The payload contacts the C2 server and sends basic information about the infected machine and waits for additional commands from the server. In this wave, Bandook used a custom version of the malware with only 11 supported commands:
@0001 Download and Execute file via HTTP
@0002 Download and Execute file via a raw TCP socket
@0003 Take a screenshot
@0004 List drives
@0005 List files
@0006 Upload file
@0007 Download file
@0008 Shell execute
@0009 Move File
@0010 Delete file
@0011 Get Public IPBandook have been observed in 2019 and 2020 using valid and signed code certificates to bypass defenses.
Figure 6: Signed Bandook samples discovered by MHT.
In this wave, valid Certum certificates were also used to sign the Bandook malware executable.
Figure 7: Valid signature information of a newly discovered Bandook sample.
In general, there are three variants of Bandok that are currently available in the wild:
- A full-fledged version with 120 commands (not signed)
- A full-fledged version (single sample) with 120 commands (signed)
- A slimmed-down version with 11 commands (signed)
With these three variants in place, the operators desire to reduce the malware’s footprint and minimize their chances of an undetected campaign against high-profile targets increases.
Resurgence of Bandook
Bandook RAT is an old piece of malware that reemerged last year with three different variants and available commands to reduce the chances of its detection. Using a sophisticated loader with Word external templates, the malware tries to bypass initial detection bypassing.
Code signing certificates are also used to evade security, as that is seen as a point of trust and allows it to bypass user account control (UAC) when it prompts the user to execute the file.
Become a certified reverse engineer!
There is no perfect formula to block malicious activity and trojans, but some measures can be taken to prevent the exploration of these kinds of scenarios:
- Train users to be aware of potential social engineering and how to handle them in the right way
- Do not trust emails from untrusted sources
- Do not open links and attachments from untrusted sources
- Ensure that software, applications and systems are up to date
- Use endpoint protection solutions and updated antivirus to prevent malicious infections
- Use vulnerability management and monitoring systems to identify potential unpatched flaws and to detect incidents in real-time
- Block the indicators of compromise (IoCs) in the corresponding security devices
- Perform cybersecurity audits and mitigate any weaknesses discovered to prevent attacks in the wild, both from external and internal perspectives
Mitre Att&ck matrix
Sources
Bandook analysis, CheckPoint
- Exam Pass Guarantee
- Live expert instruction
- Hands-on labs
- CREA exam voucher
In this Series
- Bandook malware: What it is, how it works and how to prevent it
- How AsyncRAT is escaping security defenses
- Chrome extensions used to steal users' secrets
- Luna ransomware encrypts Windows, Linux and ESXi systems
- Bahamut Android malware and its new features
- LockBit 3.0 ransomware analysis
- AstraLocker releases the ransomware decryptors
- Analysis of Nokoyawa ransomware
- Goodwill ransomware group is propagating unusual demands to get the decryption key
- Dangerous IoT EnemyBot botnet is now attacking other targets
- Fileless malware uses event logger to hide malware
- Nerbian RAT Using COVID-19 templates
- Popular evasion techniques in the malware landscape
- Sunnyday ransomware analysis
- 9 online tools for malware analysis
- Blackguard malware analysis
- Behind Conti: Leaks reveal inner workings of ransomware group
- ZLoader: What it is, how it works and how to prevent it | Malware spotlight [2022 update]
- WhisperGate: A destructive malware to destroy Ukraine computer systems
- Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
- SockDetour: the backdoor impacting U.S. defense contractors
- HermeticWiper malware used against Ukraine
- MyloBot 2022: A botnet that only sends extortion emails
- Mars Stealer malware analysis
- How to remove ransomware: Best free decryption tools and resources
- Purple Fox rootkit and how it has been disseminated in the wild
- Deadbolt ransomware: The real weapon against IoT devices
- Log4j - the remote code execution vulnerability that stopped the world
- Rook ransomware analysis
- Modus operandi of BlackByte ransomware
- Emotet malware returns
- Mekotio banker trojan returns with new TTP
- Android malware BrazKing returns
- Malware instrumentation with Frida
- Malware analysis arsenal: Top 15 tools
- Redline stealer malware: Full analysis
- A full analysis of the BlackMatter ransomware
- A full analysis of Horus Eyes RAT
- REvil ransomware: Lessons learned from a major supply chain attack
- Pingback malware: How it works and how to prevent it
- Android malware worm auto-spreads via WhatsApp messages
- Malware analysis: Ragnarok ransomware
- Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
- SUNBURST backdoor malware: What it is, how it works, and how to prevent it | Malware spotlight
- ZHtrap botnet: How it works and how to prevent it
- DearCry ransomware: How it works and how to prevent it
- How criminals are using Windows Background Intelligent Transfer Service
- How the Javali trojan weaponizes Avira antivirus
- HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
- DreamBus Botnet: An analysis
- Kobalos malware: A complex Linux threat
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Malware analysis
Malware analysis
Malware analysis
Malware analysis