Security researchers at Check Point have found a new wave of campaigns against multiple industries worldwide that makes use of a new strain of a 13-year-old backdoor Trojan called Bandook.
Bandook was featured in the 2015 and 2017 campaigns dubbed “Operation Manul” and “Dark Caracal,” respectively, which were assumed to have been carried out by the Kazakh and Lebanese governments.
Dark Caracal’s use of Bandook RAT to execute espionage on a global scale was first documented by the Electronic Frontier Foundation (EFF) and Lookout in early 2018.
The group has been linked to the Lebanese General Directorate of General Security (GDGS), making it a nation-state-level advanced persistent threat.
Over the past year, dozens of digitally signed variants of this malware started to reappear in the threat landscape.
The researchers said that in the recent wave of attacks, an unusually large variety of targeted sectors and locations were found. This suggests that the malware is not developed in-house and used by a single entity, but is part of an offensive infrastructure sold by a third party to governments and threat actors worldwide, to facilitate offensive cyber operations.
The new strain of Bandook has come with added efforts to prevent detection and analysis.
The researchers stated that the infection chain is a three-stage process. It begins with a lure Microsoft Word document (e.g. “Certified documents.docx”) delivered inside a ZIP file which, when opened, downloads malicious macros. The macros then drop and execute a second-stage PowerShell script that is stored encrypted inside the original Word document.
In the last stage of the attack, this PowerShell script downloads encoded executable parts from cloud storage services such as Dropbox or Bitbucket and assembles them into the Bandook loader, which is then responsible for injecting the RAT into a new Internet Explorer process.
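The chain described above gives a defender three observable handoffs: an Office application spawning PowerShell, that PowerShell process reaching out to Dropbox or Bitbucket, and a non-shell parent launching Internet Explorer as an injection target. The script below is an added example (it is not from the Check Point report and is not Bandook code) that runs those heuristics over constructed endpoint telemetry; the event schema, field names, process paths and sample records are all assumptions made for illustration.

```python
"""Toy detector for the three-stage delivery chain described above.

Added example: the telemetry schema, field names and sample records are
constructed for illustration and are not taken from the Check Point report.
"""
from typing import Dict, List, Set, Tuple

# Constructed endpoint telemetry (loosely Sysmon-like; the schema is an assumption).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Benign: the user launches Internet Explorer from the desktop shell.
    {"event": "process_create", "pid": "1001",
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    # Benign: a browser talking to Dropbox is normal and must not fire.
    {"event": "network_connect", "pid": "1002",
     "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "dest_host": "www.dropbox.com"},
    # Stage 1: macros in the lure document launch PowerShell from Word.
    {"event": "process_create", "pid": "2001",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    # Stage 2: the same PowerShell process fetches parts from cloud storage.
    {"event": "network_connect", "pid": "2001",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "dl.dropboxusercontent.com"},
    {"event": "network_connect", "pid": "2001",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "bitbucket.org"},
    # Stage 3: the assembled loader (hypothetical path) spawns IE to inject into.
    {"event": "process_create", "pid": "2002",
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\loader.exe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
# Cloud storage domains named in the report; subdomains are matched too.
CLOUD_HOSTS = {"dropbox.com", "dropboxusercontent.com", "bitbucket.org"}
# Parents from which an Internet Explorer launch is considered normal (assumption).
EXPECTED_IE_PARENTS = {"explorer.exe", "iexplore.exe", "userinit.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def host_matches(host: str, domains: Set[str]) -> bool:
    """True if host equals one of the domains or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule_id, pid) for every event that matches a heuristic."""
    alerts: List[Tuple[str, str]] = []
    for e in events:
        if e["event"] == "process_create":
            parent, child = basename(e["parent_image"]), basename(e["image"])
            if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
                alerts.append(("office_spawns_script_host", e["pid"]))
            if child == "iexplore.exe" and parent not in EXPECTED_IE_PARENTS:
                alerts.append(("iexplore_unexpected_parent", e["pid"]))
        elif e["event"] == "network_connect":
            if basename(e["image"]) in SCRIPT_HOSTS and host_matches(e["dest_host"], CLOUD_HOSTS):
                alerts.append(("script_host_cloud_storage_fetch", e["pid"]))
    return alerts


def chained_pids(events: List[Dict[str, str]]) -> Set[str]:
    """PIDs that were both spawned by an Office app and then reached cloud storage.

    Correlating the stage-1 and stage-2 signals on one process is a much
    stronger indicator than either heuristic on its own.
    """
    alerts = detect(events)
    spawned = {pid for rule, pid in alerts if rule == "office_spawns_script_host"}
    fetched = {pid for rule, pid in alerts if rule == "script_host_cloud_storage_fetch"}
    return spawned & fetched


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:32s} pid={pid}")
    print("chained office->powershell->cloud pids:", chained_pids(SAMPLE_EVENTS))
```

On the constructed records the two benign events stay silent, the PowerShell process 2001 fires both the parent-process and the cloud-fetch rules, and the loader's launch of iexplore.exe fires the unexpected-parent rule; in a real deployment the parent allow-list and the cloud domain list would need tuning to the environment.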
The Bandook RAT has all the capabilities associated with backdoors. It establishes contact with a remote command-and-control server to receive additional commands, ranging from capturing screenshots to carrying out various file-related operations.
However, in this attack, the threat actor used a custom, slimmed-down version of the malware that supports only 11 commands.
The new trimmed version was signed with valid certificates issued by Certum; two further samples, a full-fledged digitally signed variant and an unsigned variant, were also found.
According to the researchers, although the group behind this campaign is not as capable or as practiced in operational security as some other offensive security companies, it may improve over time, adding further layers of protection, valid certificates and other techniques to hinder detection and analysis of its operations.