Cybersecurity researchers have discovered new malware targeting Windows devices, so be on the lookout.
Experts at Fortinet’s FortiGuard Labs claim to have found a previously undetected version of a remote access Trojan called Bandook.
This malware was first detected in 2007, TheHackerNews reports, when it was described as “off-the-shelf malware with a wide range of features.” However, the end goal was always the same: grant operators remote access to infected endpoints.
Bandook akimbo
The latest version was seen being distributed via phishing emails. Apparently, the attackers are sending malicious PDF files that include a link to a password-protected .7z file.
“After the victim extracts the malware with the password from the PDF file, the malware injects its payload into msinfo32.exe,” explained security researcher Pei Han Liao. Msinfo32 is a legitimate Windows binary responsible for collecting system information. It is generally used to diagnose different computer problems.
Bandook, however, changes the Windows Registry to establish persistence and then contacts its command and control (C2) server for further instructions. Typically, the instructions include a stage two payload that grants full access to attackers.
“These actions can be broadly classified as file manipulation, registry manipulation, downloads, information theft, file execution, invoking functions on DLL files from C2, taking control of the victim’s computer, killing processes, and uninstalling malware,” concluded Han Liao.
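As an added illustration (not code from the article, Fortinet, or Check Point), the Python below turns the chain described above, msinfo32.exe writing a registry persistence entry and then reaching out to a C2, into a detection run over constructed Sysmon-style events. It assumes Run-key persistence and explorer.exe as the normal launcher of msinfo32.exe; the article names neither the registry key nor the parent process.

```python
import json
from collections import defaultdict

# Constructed Sysmon-style events as JSON lines (not telemetry from the real campaign).
# Event 1 = process create, 3 = network connection, 13 = registry value set.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\msinfo32.exe", "ParentImage": "C:\\Program Files\\7-Zip\\7zG.exe", "ProcessId": 4120}
{"EventID": 13, "Image": "C:\\Windows\\System32\\msinfo32.exe", "ProcessId": 4120, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\msinfo32.exe", "ProcessId": 4120, "DestinationIp": "203.0.113.10", "DestinationPort": 443}
{"EventID": 1, "Image": "C:\\Windows\\System32\\msinfo32.exe", "ParentImage": "C:\\Windows\\explorer.exe", "ProcessId": 5300}
{"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\chrome.exe", "ProcessId": 6000, "DestinationIp": "203.0.113.11", "DestinationPort": 443}
"""

# Assumption: persistence lands in a Run/RunOnce key (the article only says "changes the Windows Registry").
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
# Assumption: an interactive user launching the tool from the shell is the benign baseline.
EXPECTED_PARENTS = ("\\explorer.exe",)


def is_msinfo32(image: str) -> bool:
    return image.lower().endswith("\\msinfo32.exe")


def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect_hijacked_msinfo32(events: list) -> dict:
    """Return {pid: [indicators]} for msinfo32.exe processes that behave unlike the diagnostic tool."""
    findings = defaultdict(set)
    for ev in events:
        if not is_msinfo32(ev.get("Image", "")):
            continue
        pid, eid = ev.get("ProcessId"), ev.get("EventID")
        if eid == 1 and not ev.get("ParentImage", "").lower().endswith(EXPECTED_PARENTS):
            findings[pid].add("unusual_parent")       # e.g. spawned by an archive extractor
        elif eid == 3:
            findings[pid].add("network_connection")   # msinfo32 has no reason to talk to the network
        elif eid == 13 and any(m in ev.get("TargetObject", "").lower() for m in RUN_KEY_MARKERS):
            findings[pid].add("run_key_write")        # persistence entry written by a system info tool
    # Require two independent indicators on the same process to keep single-event noise out.
    return {pid: sorted(tags) for pid, tags in findings.items() if len(tags) >= 2}


if __name__ == "__main__":
    for pid, tags in detect_hijacked_msinfo32(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT pid={pid} indicators={tags}")
```

The benign msinfo32.exe run (PID 5300) and the browser's connection produce no alert; only the injected instance that both persists and beacons does.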
Bandook, apparently named after the word for “gun” in Hindi, has been disappearing and reappearing over the years. In 2020, Check Point researchers found “dozens of digitally signed variants of this once-commodity malware,” adding that there has been an “unusually large variety of targeted sectors and locations.”
“In the latest wave of attacks, we once again identified an unusually large variety of targeted sectors and locations. This further reinforces a previous hypothesis that the malware is not developed internally or used by a single entity, but is instead part of an offensive infrastructure sold by a third party to governments and threat actors around the world, to facilitate cyber operations,” the researchers said at the time.