Spanish Users Targeted by Novel Campaign Using an Old Malware Strain

  • A group of actors is targeting Spanish-speaking users with a 14-year-old malware strain.
  • The emails used in the campaign pretend to carry financial documents from South American companies.
  • The actors are deploying the RAT to steal sensitive information such as user account credentials.

There is a mass malware distribution campaign under way, spreading an old strain called “Bandook” to Spanish-speaking users. The group behind it is TA2721 (“Caliente Bandits”), tracked by Proofpoint researchers; while the sophistication of its operations is not high, the scale and level of activity are notable. In most cases, the actors masqueraded as companies located in South American countries, sending finance-themed emails to their targets.

Source: Proofpoint

The infection chain starts with a PDF document arriving via email, with a malicious URL embedded in the file. If the link is clicked, a chain of redirects leads to the download of an encrypted, password-protected RAR archive onto the recipient’s system; that archive is then unpacked and Bandook is installed locally. The emails and the filenames are all in Spanish, which is why the campaign is assessed as targeting Spanish speakers. The RAR password is supplied in the PDF itself, which gives the recipient a false sense of confidentiality while also preventing some AV tools from inspecting the archive’s contents.

Source: Proofpoint
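The first link in that chain is the URL inside the PDF, so the check a mail gateway or analyst wants is to pull every link target out of the attachment before anyone clicks it. The following is an added example, not Proofpoint’s or the article’s code: it surfaces `/URI` actions from raw PDF bytes, including those hidden inside FlateDecode-compressed objects, using only the standard library. The sample PDF is constructed for this example, the `.invalid` hostnames are placeholders, and the “archive-like link” suffix list is an assumed heuristic.

```python
"""Surface URI actions embedded in a PDF lure, without third-party libraries.

Added example (not Proofpoint's or the article's code). The PDF below is
constructed for this example; the .invalid hostnames and the archive-suffix
heuristic are assumptions, not indicators from the campaign.
"""
import re
import zlib
from typing import List

# /URI (literal string) inside a link annotation's action dictionary.
# PDF literal strings may escape '(' ')' and '\' with a backslash.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Stream bodies ("stream" keyword, not the one inside "endstream"); those that
# inflate as zlib data are searched too, so URIs in compressed objects are found.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)

ARCHIVE_SUFFIXES = (".rar", ".zip", ".7z", ".iso", ".exe")  # assumed heuristic


def _unescape(raw: bytes) -> str:
    """Undo PDF literal-string backslash escapes."""
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")


def extract_uris(pdf_bytes: bytes) -> List[str]:
    """Return every distinct /URI target, in document order."""
    blobs = [pdf_bytes]
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            # decompressobj tolerates a missing trailing byte; non-zlib data raises
            blobs.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass
    uris: List[str] = []
    for blob in blobs:
        for m in URI_RE.finditer(blob):
            uri = _unescape(m.group(1))
            if uri not in uris:
                uris.append(uri)
    return uris


def archive_links(uris: List[str]) -> List[str]:
    """Links whose path ends in an archive/executable suffix (assumed heuristic)."""
    out = []
    for u in uris:
        path = u.split("?", 1)[0].split("#", 1)[0].lower()
        if path.endswith(ARCHIVE_SUFFIXES):
            out.append(u)
    return out


def _flate_obj(num: int, body: bytes) -> bytes:
    """Wrap body in a FlateDecode stream object (used only to build the sample)."""
    data = zlib.compress(body)
    return (b"%d 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % (num, len(data))
            + data + b"\nendstream\nendobj\n")


# Constructed lure: one plain link annotation (with escaped parentheses in the
# path) and one link annotation stored inside a compressed object.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]"
    b" /A << /S /URI /URI (http://descargas.example.invalid/factura\\(1\\).pdf) >> >> endobj\n"
    + _flate_obj(5, b"<< /Type /Annot /Subtype /Link /Rect [72 660 300 680]"
                    b" /A << /S /URI /URI (https://cdn.example.invalid/documentos.rar) >> >>")
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    found = extract_uris(SAMPLE_PDF)
    for u in found:
        print("link:", u)
    for u in archive_links(found):
        print("archive-like link:", u)
```

Run it on a real attachment by reading the file as bytes and passing it to `extract_uris`. The regex approach deliberately ignores PDF object structure, which is what makes it cheap to run at the gateway; it will also miss links built at runtime by JavaScript actions or stored in encrypted PDFs, so treat an empty result as “no static URI actions found” rather than “safe”.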

Proofpoint observed the following three C2 domains, each used for an extended period:

  • “s1[.]megawoc[.]com” was used in January
  • “d1[.]ngobmc[.]com” was used from March to June
  • “r1[.]panjo[.]club” was used since June

This means the actors did not have to deal with reporting and blocklisting, keeping the same C2 infrastructure for months at a time.

The use of Bandook is a rare occurrence in the malware distribution world: this RAT was first seen in the wild in 2007, so it is considered fairly obsolete at this point. However, it is worth noting that Bandook never entirely disappeared from the threat landscape. Last year, we saw it distributed globally again through macro-laden documents arriving via email. It is publicly available malware, so it is easy to source and deploy, even though a sample this old and well known has little chance of getting past AV protections for the actors who choose to use it.

As for what this old RAT can do: capturing screenshots, video and audio, as well as keylogging, are among its most powerful features. Bandook attempts to hide from defense tools by base64-encoding its strings, using process hollowing to inject its payload, and AES-encrypting its C2 communications. Proofpoint reports that all samples sourced from the “Caliente Bandits” campaign use the same hardcoded AES key, so the actors appear to be using an off-the-shelf build. That shared key also cuts against them: once it is recovered from any one sample, the C2 traffic of every sample in the campaign can be decrypted with it.
