The latest version of Bandook steals sensitive documents and credentials from corporate networks, creates a malicious Chrome extension, and misuses URL shorteners like Rebrandly and Bitly
BRATISLAVA, MONTREAL – ESET Research has recently uncovered a new and still active campaign that uses more advanced versions of the old crimeware Bandook to spy on its victims. The ongoing campaign is targeting corporate networks in Spanish-speaking countries, with 90% of ESET telemetry detections in Venezuela. ESET researchers have found new functionality and changes to Bandook. Due to the malware used and the targeted locale, ESET chose to name this campaign Bandidos.
ESET has seen more than 200 detections for the malware droppers in Venezuela in 2021; however, a specific vertical targeted by this malicious campaign could not be identified. According to telemetry data, the main interests of the attackers are corporate networks in Venezuela: some in manufacturing companies, and others in construction, healthcare, software services and even retail. Given the capabilities of the malware and the kind of information that is exfiltrated, it seems that the main purpose of Bandidos is espionage.
The prospective victims receive malicious emails with a PDF attachment. The PDF file contains a link to download a compressed archive and the password to extract it. Inside the archive is an executable file: a dropper that injects Bandook into an Internet Explorer process. The attackers use URL shorteners such as Rebrandly or Bitly in their PDF attachments. The shortened URLs redirect to cloud storage services such as Google Cloud Storage, SpiderOak or pCloud, from where the malware is downloaded. The main purpose of the dropper is to decode, decrypt and run the payload, and to make sure that the malware persists in a compromised system.
“Especially interesting is the ChromeInject functionality,” says Fernando Tavella, an ESET researcher who investigated the Bandidos campaign. “When the communication with the attacker’s command and control server is established, the payload downloads a DLL file, which has an exported method that creates a malicious Chrome extension. The malicious extension tries to retrieve any credentials that the victim submits to a URL. These credentials are stored in Chrome’s local storage.”
Bandook is an old remote access trojan. There are references to it being available online as early as 2005, though its use by organised groups was not documented until 2016. In 2016, it was reportedly used to target journalists and dissidents in Europe. Then, in 2018, it was used to attack new targets, such as educational institutions, lawyers and medical professionals. Finally, in 2020, it was seen in attacks against multiple sectors, including government, financial, IT and energy.
“Previous reports have mentioned that the developers of Bandook might be developers for hire, which makes sense given the various campaigns with different targets seen through the years. We must note, however, that in 2021 we have seen only one active campaign: the one targeting Spanish-speaking countries that we document here. It shows though that it is still a relevant tool for cybercriminals,” opines Matías Porolli, an ESET researcher who worked on the analysis with Tavella.
Overview of a typical attack in the Bandidos campaign
For more technical details about Bandidos, read the blogpost “Bandidos at large: a spying campaign in Latin America” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.
About ESET
For more than 30 years, ESET® has been developing industry-leading IT security software and services to protect businesses, critical infrastructure and consumers worldwide from increasingly sophisticated digital threats. From endpoint and mobile security to endpoint detection and response, as well as encryption and multi-factor authentication, ESET’s high-performing, easy-to-use solutions unobtrusively protect and monitor 24/7, updating defences in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company that enables the safe use of technology. This is backed by ESET’s R&D centres worldwide, working in support of our shared future. For more information, visit our website or follow us on LinkedIn, Facebook, and Twitter.