Once the payload establishes a connection, it sends basic information from the victim’s machine, such as computer name, username, OS version, infection date and malware version. Then it establishes a TCP connection to that address using a four-digit port number that changes according to the campaign. The credentials are saved in Chrome's local storage.ĮSET notes that the communication begins by obtaining the IP address from a domain (d2.ngobmccom) located in global variables. This extension attempts to obtain any credentials that the victim adds to a URL. When a successful communication with the command-and-control server is established, the DLL creates a malicious Chrome extension. The payload entails downloading a malicious DLL. The updated malware has ChromeInject functionality, which is aimed at stealing credentials, ESET says. The main commands include listing directory contents, taking screenshots, controlling the cursor on the infected machines, manipulating files and installing malicious DLLs.
The latest ESET report claims to have uncovered 12 more commands, which shows that attackers have improved the malware’s capabilities (see: Researchers Find Updated Variants of Bandook Spyware). The shortened URLs redirect to cloud storage services such as Google Cloud Storage, SpiderOak, or pCloud, from where the malware is downloaded," the researchers note.Ĭheck Point Research in 2020 discovered around 120 commands in Bandook. "The attackers use URL shorteners such as Rebrandly or Bitly in their PDF attachments. Once extracted, the archive contains an executable file: a dropper that injects Bandook into an Internet Explorer process. One example of a phishing email lure appeared to be a service announcement from a Dublin company, with an apparent business PDF enclosed. The attack begins with victims receiving malicious emails with a PDF attachment containing a shortened URL to download a compressed archive and the password to extract it. "We also found that this campaign targeting Venezuela, despite being active since at least 2015, has somehow remained undocumented." Updated Malware "When comparing the malware used in this campaign with what was previously documented, we found new functionality and changes to this malware, known as Bandook," ESET says. It aims to spy on construction, manufacturing, healthcare, retail and software services companies. The campaign dubbed Bandidos targets corporate networks in Spanish-speaking countries, with 90% of the detections in Venezuela, ESET reports. See Also: OnDemand | Navigating the Difficulties of Patching OT Researchers at the security firm ESET have uncovered an ongoing espionage campaign using an updated variant of Bandook spyware to target corporate networks in Venezuela and other nations in Latin America.
Overview of a typical Bandook attack (Source: ESET)
0 kommentar(er)
