Researchers Find Updated Variants of Bandook SpywareCheck Point: New Strains Active Around the World
Check Point Research has identified new variants of the long-dormant Bandook spyware that are being used for espionage campaigns across the world.
Bandook is a commodity Trojan backdoor that researchers first discovered in 2007 but was last spotted in wide circulation in 2018, the security firm says in a new report.
The malware is believed to have originated with the Lebanese General Security Directorate in Beirut, an intelligence agency. It’s been linked to espionage attacks targeting journalists and political dissidents in the region, according to security firm Lookout.
The malware apparently was dormant for the last three years until Check Point researchers discovered new digitally signed Bandook versions earlier this year, the report notes. Since then, the malware has been used to target government, financial, energy, food industry, healthcare, education, IT and legal organizations in the U.S, Germany, Italy, Switzerland, Singapore, Cyprus, Chile and Indonesia, the researchers say.
"In the latest wave of attacks, we once again identified an unusually large variety of targeted sectors and locations," the report notes. "This further reinforces a previous hypothesis that the malware is not developed in-house and used by a single entity, but is part of an offensive infrastructure sold by a third party to governments and threat actors worldwide to facilitate offensive cyber operations."
Check Point researchers note the latest Bandook versions are spread as malicious Microsoft Word documents within a zip file that is disguised to appear as though it originated with cloud-based services, such as Office365, OneDrive or Azure.
Some of the lures observed by the Check Point researchers include files that spoof government-issued documents, such as passport and notarized documents.
"For example, one of the documents that specifically got our attention depicts an Office365 logo and a preview of a certificate issued by the government of Dubai," according to the Check Point report. "JAFZA - Jebel Ali Free Zone, featured at the top of the document, is an industrial area surrounding the port of Jebel Ali in Dubai, where more than 7,000 global companies are based."
When the victims' download and click on "enable content" to view the documents, a second-stage malware strain is downloaded, which then executes PowerShell scripts, the report says.
"The decoded PowerShell script downloads a zip file containing four files from a cloud service such as Dropbox, Bitbucket or an [AWS] S3 bucket. The zip file is stored in the user’s Public folder, and the four files are locally extracted," the report notes.
One of these files is a PNG that contains hidden components, which then downloads the last stage malware component - the Bandook remote access Trojan. Once installed on a device, the malware can take screenshots, download and upload files and execute other commands, the report notes.
Although initially developed as a remote access Trojan, or RAT, Check Point researchers note the Bandook malware has undergone several iterations since its source code was previously leaked.
The researchers note, however, the new variants are not developed from the initial Bandook source codes leaked in 2007, but from other malware source code.
"We discovered that the very first of the samples was compiled in March 2019 and supported around 120 commands," the report notes. "A sample compiled a few days later - a different signed Bandook variant (with only 11 commands) utilized the very same [command-and-control] server. Since then, all signed samples use only 11 basic commands. The shared [command-and-control] provides clear evidence that both the slimmed-down and the fully-fledged variants of the malware are operated by a single attacker."
The researchers add that all the new Bandook variants appear to have been developed by the same operator because they use the same AES encryptions and command and control servers.
"It’s not uncommon to see threat actors reuse old malware," says Hank Schless, a senior manager for security solutions at Lookout, which previously studied the malware during a 2017 and 2018 campaign called Dark Caracal. “They do this in hopes that updated security solutions might not detect an old malware family."
Although Bandook has been active for the past 13 years, Check Point researchers note its capabilities are still in the developmental stage and are limited when compared to other spyware, such as NSO's Pegasus (see: Judge Rules Facebook's Lawsuit Against NSO Group Can Proceed).