Bandook Operators Armed with New Version of Latin America Espionage Malware
Cybersecurity researchers at ESET have reported an ongoing espionage campaign targeting corporate networks in Spanish-speaking countries, especially Venezuela.
The campaign was dubbed Bandidos because it uses an updated version of the Bandook malware. The attackers' main targets are corporate networks in Latin America, spanning manufacturing, construction, healthcare, software services and retail.
The campaign begins with an e-mail to the potential victim carrying a PDF attachment. The PDF holds a shortened URL that leads to a password-protected compressed archive hosted on Google Cloud, SpiderOak or pCloud, together with the password needed to extract it. Extracting the archive launches a downloader that decodes the Bandook payload and injects it into an Internet Explorer process.
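The delivery chain above (shortened URL, then an archive fetched from a cloud file-hosting service) leaves a recognisable sequence in web-proxy logs. The following script is an added example, not code from the ESET report, that looks for that sequence: a client visits a URL-shortener domain and, within a few minutes, downloads a compressed archive from one of the named cloud services. The log format, the shortener list, the cloud hostnames and the sample log lines are all constructed assumptions for this illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed configuration: domains treated as URL shorteners and as cloud file hosts
# (the three services named in the report, plus a few common shorteners).
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly"}
CLOUD_HOST_SUFFIXES = ("storage.googleapis.com", "spideroak.com", "pcloud.com", "pcloud.link")
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z")
WINDOW = timedelta(minutes=10)

# Constructed sample proxy log: "<ISO timestamp> <client-ip> <url>" per line.
SAMPLE_LOG = """\
2021-07-01T09:00:05 10.0.0.7 https://bit.ly/3xyzabc
2021-07-01T09:00:06 10.0.0.7 https://u.pcloud.link/publink/show?code=XYZ
2021-07-01T09:00:09 10.0.0.7 https://p-def.pcloud.com/download/Datos.zip?token=abc
2021-07-01T09:30:00 10.0.0.9 https://bit.ly/3news
2021-07-01T09:31:00 10.0.0.9 https://example.com/article.html
2021-07-01T11:00:00 10.0.0.12 https://storage.googleapis.com/bucket/report.zip
"""


def host_matches(host, suffixes):
    """True when host equals a suffix or is a subdomain of it (so 'evilpcloud.com' does not match)."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def is_shortener(url):
    return (urlparse(url).hostname or "") in SHORTENER_DOMAINS


def is_cloud_archive(url):
    parsed = urlparse(url)
    return host_matches(parsed.hostname or "", CLOUD_HOST_SUFFIXES) and \
        parsed.path.lower().endswith(ARCHIVE_EXTENSIONS)


def parse_line(line):
    ts, client, url = line.split(maxsplit=2)
    return datetime.fromisoformat(ts), client, url


def find_delivery_chains(log_text, window=WINDOW):
    """Return (client, shortener_url, archive_url) for each cloud-hosted archive
    download that follows a shortener visit from the same client within `window`."""
    last_shortener = {}  # client -> (timestamp, url) of its most recent shortener visit
    chains = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, url = parse_line(line)
        if is_shortener(url):
            last_shortener[client] = (ts, url)
        elif is_cloud_archive(url):
            prior = last_shortener.get(client)
            if prior and ts - prior[0] <= window:
                chains.append((client, prior[1], url))
    return chains


if __name__ == "__main__":
    for client, short_url, archive_url in find_delivery_chains(SAMPLE_LOG):
        print(f"{client}: {short_url} -> {archive_url}")
```

Only the 10.0.0.7 sequence is reported: the 10.0.0.9 shortener visit leads to an ordinary web page, and the 10.0.0.12 archive download has no preceding shortener hit. Correlating the two events per client, rather than alerting on either alone, is what keeps the rule's false-positive rate tolerable on a real proxy feed.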
The latest Bandook version analyzed by ESET supports 132 commands, compared with 120 in other known versions, which indicates that the group is continually modifying and improving its tooling.
The researchers highlighted one capability called ChromeInject. Once communication with the attackers' C&C server is established, the payload loads a DLL that creates a malicious extension in Google Chrome. The extension tries to capture any credentials the victim enters into the malicious URL.
Some of the basic commands the payload can execute include listing directory contents, manipulating files, taking screenshots, controlling the cursor on the victim's device, installing malicious DLLs, terminating running processes, downloading files from a given URL, sending the results of an operation to a remote server, and even removing itself from the infected system.
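An extension planted by a DLL, as ChromeInject does, is not installed through the Chrome Web Store and needs access to every page to harvest credentials. The script below is an added example for auditing a Chrome profile for extensions with those two traits; it is not code from the ESET analysis. It assumes Chrome's on-disk layout of `<profile>/Extensions/<id>/<version>/manifest.json`, uses the real Web Store update endpoint to tell store-installed extensions from sideloaded ones, and writes two constructed manifests (made-up ids and names) into a temporary directory so it runs offline.

```python
import json
import os
import tempfile

# Real update endpoint that Web Store-installed extensions carry in their manifest.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
ALL_URL_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def risky_traits(manifest):
    """Return the suspicious traits found in one manifest dict, in a fixed order."""
    traits = []
    if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
        traits.append("not-from-web-store")
    # Manifest V2 lists host patterns under "permissions"; V3 moves them to "host_permissions".
    hosts = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    if hosts & ALL_URL_PATTERNS:
        traits.append("all-urls-permission")
    for script in manifest.get("content_scripts", []):
        if set(script.get("matches", [])) & ALL_URL_PATTERNS:
            traits.append("content-script-on-all-urls")
            break
    return traits


def audit_extensions(extensions_dir):
    """Walk <extensions_dir>/<id>/<version>/manifest.json and return {id: traits}
    for extensions that are both sideloaded and able to reach every page."""
    findings = {}
    for ext_id in sorted(os.listdir(extensions_dir)):
        ext_path = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(ext_path):
            continue
        for version in sorted(os.listdir(ext_path)):
            manifest_path = os.path.join(ext_path, version, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            traits = risky_traits(manifest)
            # Sideloaded alone is common (developer builds); sideloaded plus all-URL reach is what to escalate.
            if "not-from-web-store" in traits and len(traits) > 1:
                findings[ext_id] = traits
    return findings


# Constructed sample extensions; the ids, names and contents are made up for this example.
SAMPLE_MANIFESTS = {
    "aaaabbbbccccddddeeeeffffgggghhhh": {
        "manifest_version": 3, "name": "Benign Notes", "version": "1.0",
        "update_url": WEBSTORE_UPDATE_URL, "permissions": ["storage"],
    },
    "zzzzyyyyxxxxwwwwvvvvuuuuttttssss": {
        "manifest_version": 2, "name": "Chrome Helper", "version": "0.1",
        "permissions": ["<all_urls>", "webRequest"],
        "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
    },
}


def build_sample_profile():
    """Write the sample manifests into a temporary Extensions directory and return its path."""
    root = tempfile.mkdtemp(prefix="chrome-ext-audit-")
    for ext_id, manifest in SAMPLE_MANIFESTS.items():
        version_dir = os.path.join(root, ext_id, manifest["version"] + "_0")
        os.makedirs(version_dir)
        with open(os.path.join(version_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    for ext_id, traits in audit_extensions(build_sample_profile()).items():
        print(ext_id, traits)
```

Point `audit_extensions` at a real profile's `Extensions` directory to run it against live data. The `update_url` check is a useful first filter but not proof on its own: enterprise policy can install extensions from a private update server, so treat a non-store extension as a lead to confirm against the organisation's allow-list rather than as a verdict.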