Bandook Windows Trojan: Digitally Signed Variants Again Target Multiple Sectors

The Bandook Trojan was notorious for its 2015 and 2017 malware campaigns, the operations dubbed "Operation Manul" and "Dark Caracal" respectively.

Now, in a new report published by Check Point Research, hackers affiliated with Dark Caracal have deployed "dozens of digitally signed variants" of the Bandook Windows Trojan to once again target financial, healthcare, education, energy and legal institutions located across Indonesia, Italy, Germany, Singapore, Switzerland, Turkey, and the United States.

The group, which is believed to have ties with the Kazakh and Lebanese governments, unleashed a new wave of attacks against this multitude of industries with a craftily retooled version of the 13-year-old backdoor Trojan.

How the Bandook Malware Chain Has Evolved

The malware chain used by the attackers has evolved from the early version, and the full infection chain of the attack breaks down into three main stages.

The initial stage, which kicks off the rest of the chain, begins with a malicious Word document inside a ZIP file. When the document is opened, it downloads malicious macros using Word's external template feature. The macros in turn execute the second stage of the attack, a PowerShell script that is stored encrypted inside the original Word document.

In the final stage, the PowerShell script downloads and executes the Bandook backdoor. The attackers combine several techniques here: the encrypted data is embedded inside a shape object within the original document and is accessed from the external template using a particular piece of code.
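From a defender's side, the two document-level traits described above (an external template relationship that makes Word fetch code from a URL, and an encoded payload hidden in a shape's text box) can both be checked without ever opening the file in Word. The following is an added triage example written for this article, not code from Check Point Research or from the malware; the `.docx` fixtures it inspects are constructed in memory, and the template URL and the 300-character blob are placeholders, not indicators from the campaign.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# OOXML namespaces used by the checks below (these are the standard ones).
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
V_NS = "urn:schemas-microsoft-com:vml"

# Heuristic threshold: 200+ base64-alphabet characters with no whitespace
# is a payload, not prose. Tune for your own false-positive budget.
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{200,}")


def find_external_templates(docx_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (rels_part, target) for every attachedTemplate relationship with
    TargetMode="External", i.e. a template Word will fetch from a URL on open."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE_TYPE
                        and rel.get("TargetMode") == "External"):
                    hits.append((name, rel.get("Target", "")))
    return hits


def find_shape_blobs(docx_bytes: bytes) -> List[str]:
    """Return encoded-looking text found inside shape text boxes (w:txbxContent)."""
    blobs = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    for box in root.iter(f"{{{W_NS}}}txbxContent"):
        text = "".join(t.text or "" for t in box.iter(f"{{{W_NS}}}t"))
        blobs.extend(BLOB_RE.findall(text))
    return blobs


def triage(docx_bytes: bytes) -> List[str]:
    """Human-readable findings; an empty list means neither trait was seen."""
    findings = []
    for part, target in find_external_templates(docx_bytes):
        findings.append(f"external template in {part}: {target}")
    for blob in find_shape_blobs(docx_bytes):
        findings.append(f"encoded blob in shape text box ({len(blob)} chars)")
    return findings


def build_sample_docx(template_url: Optional[str], shape_text: str = "") -> bytes:
    """Construct a minimal .docx in memory. Test fixture only, not a real sample."""
    shape_xml = ""
    if shape_text:
        shape_xml = (
            "<w:p><w:r><w:pict><v:shape><v:textbox><w:txbxContent>"
            f"<w:p><w:r><w:t>{shape_text}</w:t></w:r></w:p>"
            "</w:txbxContent></v:textbox></v:shape></w:pict></w:r></w:p>"
        )
    document = (
        f'<w:document xmlns:w="{W_NS}" xmlns:v="{V_NS}"><w:body>'
        "<w:p><w:r><w:t>Invoice</w:t></w:r></w:p>"
        f"{shape_xml}</w:body></w:document>"
    )
    parts = {
        "[Content_Types].xml": '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        "_rels/.rels": f'<Relationships xmlns="{PKG_REL_NS}"/>',
        "word/document.xml": document,
        "word/settings.xml": f'<w:settings xmlns:w="{W_NS}"/>',
    }
    if template_url:
        # This is exactly where a remote-template document points Word at a URL.
        parts["word/_rels/settings.xml.rels"] = (
            f'<Relationships xmlns="{PKG_REL_NS}"><Relationship Id="rId1" '
            f'Type="{ATTACHED_TEMPLATE_TYPE}" Target="{template_url}" '
            'TargetMode="External"/></Relationships>'
        )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    suspicious = build_sample_docx("http://template.invalid/placeholder.dotm", "A" * 300)
    for line in triage(suspicious):
        print(line)
```

Both checks are static and cheap enough to run on every attachment at a mail gateway or in a sandbox pre-filter. The external-template check is the higher-confidence signal, since legitimate documents rarely attach a template by URL; the text-box blob check is a heuristic and should be weighed alongside other indicators rather than used as a sole verdict.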

What Hinders Detection and Analysis of Bandook Operations

The operators behind the malicious infrastructure dubbed "Operation Manul" and "Dark Caracal" are very much still active and ready to launch further cyber attacks.

However, the group behind the infrastructure in these attacks appears to have evolved over time, adding several layers of security, valid code-signing certificates and other techniques to hinder detection and analysis of its operations.