Cybersecurity researchers have discovered a new variant of a known remote access trojan targeting Windows devices, so be on the lookout.
Experts from Fortinet's FortiGuard Labs claim to have found a previously undetected version of a remote access trojan called Bandook.
Bandook was first spotted in 2007, The Hacker News reports, and has been described as “off-the-shelf malware with a wide range of features.” Whatever the feature set of a given build, the end goal has always been the same: give the operators remote access to infected endpoints.
Bandook akimbo
The latest version is distributed via phishing emails. The lure is a malicious PDF containing a link to a password-protected .7z archive, a packaging choice that keeps the payload out of reach of mail gateways and scanners that cannot open encrypted archives.
“After the victim extracts the malware from the PDF file using the password, the malware injects its payload into msinfo32.exe,” explains security researcher Pei Han Liao. msinfo32.exe is a legitimate, Microsoft-signed Windows binary (System Information) that collects hardware and software details and is typically used to troubleshoot computer problems. That makes it a convenient host: code running inside it inherits the trust attached to a stock Windows executable, and an analyst glancing at the process list sees nothing out of the ordinary.
Once running inside msinfo32.exe, Bandook modifies the Windows registry to establish persistence and then contacts its command-and-control (C2) server for further instructions. Typically, those instructions deliver a second-stage payload that gives the attackers full control of the infected machine.
“These actions can be broadly categorized as file manipulation, registry manipulation, downloading, information stealing, file execution, calling functions in DLLs from the C2, controlling the victim's computer, process killing, and removing the malware,” Han Liao concluded.
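The chain described above (a payload injected into msinfo32.exe, a registry change for persistence, then an outbound C2 connection) is easy to hunt for in process telemetry, because a stock System Information tool has no reason to write Run keys or talk to the internet. The following is an added example written for this article, not code from Fortinet or from the Bandook report: it runs a small triage rule over constructed Sysmon-style events. The event records, the attacker file names and IP addresses (TEST-NET ranges), the list of "expected" parent processes and the two-indicator threshold are all assumptions for illustration, not indicators taken from the report.

```python
"""Triage msinfo32.exe activity for the Bandook-style chain: unexpected
parent, Run-key persistence and outbound connections.

The events below are constructed for this example. Their fields mirror
Sysmon event IDs 1 (process create), 3 (network connect) and 13 (registry
value set), but they are not real telemetry.
"""
import ntpath
from collections import defaultdict

# Registry locations that give a binary a foothold at logon. The article only
# says Bandook edits the registry for persistence; which keys to watch is an
# assumption for this example.
RUN_KEY_FRAGMENTS = (
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Microsoft\Windows\CurrentVersion\RunOnce",
)

# Parents from which an interactive msinfo32.exe launch is unremarkable
# (assumption; tune to the environment).
EXPECTED_PARENTS = {"explorer.exe", "mmc.exe", "cmd.exe", "powershell.exe"}


def _basename(path: str) -> str:
    # ntpath handles Windows separators even when this runs on Linux/macOS.
    return ntpath.basename(path).lower()


def find_suspicious_msinfo32(events):
    """Return {pid: [reasons]} for every msinfo32.exe process that shows at
    least one of the three behaviours. Other images are ignored."""
    reasons = defaultdict(list)
    for ev in events:
        if _basename(ev.get("image", "")) != "msinfo32.exe":
            continue
        pid = ev["pid"]
        if ev["id"] == 1:
            parent = _basename(ev.get("parent_image", ""))
            if parent not in EXPECTED_PARENTS:
                reasons[pid].append(f"unexpected parent {parent or '<unknown>'}")
        elif ev["id"] == 3:
            # System Information never needs the network.
            reasons[pid].append(
                f"outbound connection to {ev['dest_ip']}:{ev['dest_port']}")
        elif ev["id"] == 13:
            target = ev.get("target_object", "")
            if any(f.lower() in target.lower() for f in RUN_KEY_FRAGMENTS):
                reasons[pid].append(f"wrote Run key {target}")
    return dict(reasons)


def triage(events):
    """Split findings by confidence: two or more distinct indicators on one
    process match the injection-plus-persistence-plus-C2 chain (high); a
    single indicator is worth a look but is not conclusive (low)."""
    findings = find_suspicious_msinfo32(events)
    high = {pid: r for pid, r in findings.items() if len(r) >= 2}
    low = {pid: r for pid, r in findings.items() if len(r) == 1}
    return high, low


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # Benign: a user opened System Information from the Start menu.
    {"id": 1, "pid": 4412, "image": r"C:\Windows\System32\msinfo32.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    # Suspicious chain: msinfo32 launched by a binary extracted into Temp,
    # then a Run-key write and a call-out to a documentation-range IP.
    {"id": 1, "pid": 5120, "image": r"C:\Windows\System32\msinfo32.exe",
     "parent_image": r"C:\Users\victim\AppData\Local\Temp\7zO9C1E\invoice.exe"},
    {"id": 13, "pid": 5120, "image": r"C:\Windows\System32\msinfo32.exe",
     "target_object": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
    {"id": 3, "pid": 5120, "image": r"C:\Windows\System32\msinfo32.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},
    # Unrelated browser traffic; must not be flagged.
    {"id": 3, "pid": 6001,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_ip": "198.51.100.7", "dest_port": 443},
]

if __name__ == "__main__":
    high, low = triage(SAMPLE_EVENTS)
    for pid, rs in high.items():
        print(f"[HIGH] pid {pid}:")
        for r in rs:
            print(f"   - {r}")
    for pid, rs in low.items():
        print(f"[LOW]  pid {pid}: {rs[0]}")
```

On the sample data only pid 5120 is reported, with all three indicators; the interactive launch (pid 4412) and the browser traffic produce nothing. The parent-process check is the weakest of the three signals, since a RAT that launches msinfo32.exe from an already-injected explorer.exe would pass it, which is why the rule needs a second indicator before calling a hit high confidence.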
Bandook, apparently named after the word for 'gun' in Hindi, has disappeared and reappeared over the years. In 2020, Check Point researchers found “dozens of digitally signed variants of this once-common malware,” adding that there was an “unusually wide variety of targeted industries and locations.”
“During the latest wave of attacks, we have again identified an unusually wide variety of targeted sectors and locations. This further strengthens an earlier hypothesis that the malware is not internally developed and used by a single entity, but is part of an offensive infrastructure sold by a third party to governments and threat actors around the world, to facilitate offensive cyber operations,” the researchers said at the time.