Spanish Users Targeted by Novel Campaign Using an Old Malware Strain

  • A group of actors is targeting Spanish-speaking users with a 14-year-old malware strain.
  • The emails used in the campaign pretend to carry financial documents from South American companies.
  • The actors are deploying the RAT to steal sensitive information like user account credentials.

There’s a mass malware distribution campaign going on right now, spreading an old strain called “Bandook” to Spanish-speaking users. The group responsible is TA2721 (“Caliente Bandits”), tracked by Proofpoint researchers, and while the sophistication of its operations isn’t very high, the scale and level of activity are impressive. In most cases, the actors masqueraded as companies located in South America, sending finance-themed emails to the targets.

Source: Proofpoint

The infection chain starts with a PDF document arriving via email, with a malicious URL embedded in the file. If the link is clicked, a chain of redirections begins, ending with an encrypted RAR file being downloaded onto the recipient’s system. That file then unpacks and installs the Bandook RAT locally. The emails and the filenames are all in Spanish, hence the targeting. The RAR is also protected with a password that is provided in the PDF file, giving the recipient a false sense of privacy while making it harder for some AV tools to inspect the payload.

Source: Proofpoint

Proofpoint has observed the following three C2 domains, each used for an extended period of time:

  • “s1[.]megawoc[.]com” was used in January
  • “d1[.]ngobmc[.]com” was used from March to June
  • “r1[.]panjo[.]club” was used since June

This means that the actors didn’t have to deal with reporting and blocklisting problems, keeping the same C2 infrastructure for months at a time.
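As an added illustration that is not part of the original report or of Proofpoint’s own tooling, the following Python sweep refangs the three C2 hostnames listed above and checks them against DNS log lines; the log format and the sample lines are constructed assumptions, and matching is restricted to the exact host or its subdomains so that lookalike names are not flagged.

```python
import re

# Defanged C2 hostnames exactly as listed in the Proofpoint findings above.
BANDOOK_C2 = ["s1[.]megawoc[.]com", "d1[.]ngobmc[.]com", "r1[.]panjo[.]club"]

# Assumed (constructed) DNS log format: "<ISO-8601 timestamp> <source IP> <queried hostname>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>\S+)$")

def refang(ioc: str) -> str:
    """Turn a defanged indicator ('d1[.]ngobmc[.]com') back into a matchable hostname."""
    return ioc.replace("[.]", ".").strip().lower()

def matches_ioc(hostname: str, ioc: str) -> bool:
    """True only for the exact host or a subdomain of it; 'xd1.ngobmc.com' is not a hit."""
    host = hostname.lower().rstrip(".")
    return host == ioc or host.endswith("." + ioc)

def sweep(log_lines, iocs=BANDOOK_C2):
    """Return {refanged_ioc: {"hits", "first", "last", "sources"}} for every IoC seen in the log."""
    wanted = [refang(i) for i in iocs]
    report = {}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the assumed format
        for ioc in wanted:
            if matches_ioc(m["host"], ioc):
                entry = report.setdefault(
                    ioc, {"hits": 0, "first": m["ts"], "last": m["ts"], "sources": set()}
                )
                entry["hits"] += 1
                entry["first"] = min(entry["first"], m["ts"])  # ISO timestamps sort as strings
                entry["last"] = max(entry["last"], m["ts"])
                entry["sources"].add(m["src"])
    return report

# Constructed sample log lines (not real traffic); one lookalike and one malformed line included.
SAMPLE_DNS_LOG = [
    "2022-06-14T09:12:01Z 10.0.0.5 d1.ngobmc.com",
    "2022-06-14T09:15:44Z 10.0.0.5 www.example.com",
    "2022-06-15T11:02:10Z 10.0.0.9 cdn.r1.panjo.club",
    "2022-06-16T08:30:00Z 10.0.0.7 d1.ngobmc.com.",
    "2022-06-16T08:31:12Z 10.0.0.7 xd1.ngobmc.com",
    "this line is malformed",
]

if __name__ == "__main__":
    for ioc, info in sweep(SAMPLE_DNS_LOG).items():
        print(f"{ioc}: {info['hits']} hit(s), {info['first']} .. {info['last']}, hosts={sorted(info['sources'])}")
```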

The use of Bandook is a rare occurrence in today’s malware distribution landscape, as this RAT was first seen in the wild in 2007 and is considered fairly obsolete at this point. However, it is worth noting that Bandook was never entirely gone from the cyberthreat space. Last year, we saw it being distributed globally again through macro-laden documents arriving via email. It is publicly available malware, so it’s easy to source and deploy, even if getting it past AV protections is a hopeless endeavour for the actors who choose to use it.

As for what this old RAT can do, its most powerful features include capturing screenshots, video and audio, as well as keylogging. Bandook attempts to hide from defensive tools by base64-encoding its strings, using process hollowing to inject its payload, and encrypting its C2 communications with AES. Proofpoint reports that all samples of the malware sourced from the “Caliente Bandits” campaign use the same hardcoded AES key, so the actors appear to be using an off-the-shelf tool.
