The latest version of Bandook steals sensitive documents and credentials from corporate networks, creates a malicious Chrome extension, and misuses URL shorteners like Rebrandly and Bitly
BRATISLAVA, MONTREAL – ESET Research has recently uncovered a new and still active campaign that uses more advanced versions of the old crimeware Bandook to spy on its victims. The ongoing campaign is targeting corporate networks in Spanish-speaking countries, with 90% of ESET telemetry detections in Venezuela. ESET researchers have found new functionality and changes to Bandook. Because of the malware used and the targeted locale, ESET chose to name this campaign Bandidos.
ESET has seen more than 200 detections for the malware droppers in Venezuela in 2021; however, a specific vertical targeted by this malicious campaign could not be identified. According to telemetry data, the main interests of the attackers are corporate networks in Venezuela: some in manufacturing companies, and others in construction, healthcare, software services, and even retail. Given the capabilities of the malware and the kind of information that is exfiltrated, it seems that the main purpose of Bandidos is espionage.
The prospective victims receive malicious emails with a PDF attachment. The PDF file contains a link to download a compressed archive and the password to extract it. Inside the archive there is an executable file: a dropper that injects Bandook into an Internet Explorer process. The attackers use URL shorteners such as Rebrandly or Bitly in their PDF attachments. The shortened URLs redirect to cloud storage services such as Google Cloud Storage, SpiderOak, or pCloud, from where the malware is downloaded. The main purpose of the dropper is to decode, decrypt, and run the payload and to make sure that the malware persists in a compromised system.
“Especially interesting is the ChromeInject functionality,” says Fernando Tavella, an ESET researcher who investigated the Bandidos campaign. “When the communication with the attacker’s command and control server is established, the payload downloads a DLL file, which has an exported method that creates a malicious Chrome extension. The malicious extension tries to retrieve any credentials that the victim submits to a URL. These credentials are stored in Chrome’s local storage.”
Bandook is an old remote access trojan. There are references to it being available online as early as 2005, though its use by organized groups was not documented until 2016. In 2016, it was reportedly used to target journalists and dissidents in Europe. Then, in 2018, it was used to attack new targets, such as educational institutions, lawyers, and medical professionals. Finally, in 2020, it was seen in attacks against multiple sectors, including government, financial, IT, and energy.
“Previous reports have mentioned that the developers of Bandook might be developers for hire, which makes sense given the various campaigns with different targets seen through the years. We must note, however, that in 2021 we have seen only one active campaign: the one targeting Spanish-speaking countries that we document here. It shows though that it is still a relevant tool for cybercriminals,” opines Matías Porolli, an ESET researcher who worked on the analysis with Tavella.
Overview of a typical attack in the Bandidos campaign
For more technical details about Bandidos, read the blogpost “Bandidos at large: a spying campaign in Latin America” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.