ESET researchers revealed on Thursday that a new espionage campaign was launched against companies located mostly in Venezuela.
A threat actor dubbed Bandidos leverages a variant of the Bandook malware, written in Delphi and C++, and primarily targets corporate networks in the manufacturing, construction, healthcare, software services, and retail sectors.
Bandook’s history shows that it was first sold as a commercial remote access Trojan in 2005.
The Dark Caracal group, which is believed to be a government-sponsored cyber-mercenary force, has been circulating various variants of this malware since 2015 on behalf of government interests in Kazakhstan and Lebanon.
Last year, Check Point revealed three new Bandook samples operated by the same threat actor that were designed to attack various industries and governments in Europe, South Asia, and the U.S.
The latest attack chain analyzed by ESET begins with emails carrying a PDF attachment that looks like a legitimate business document. The PDF leads to a compressed archive containing a malware payload hosted on Google Cloud, SpiderOak, or pCloud.
The latest Bandook variant has 132 commands, according to the researchers, which indicates that the criminal group behind it is pushing the envelope with their malicious tools.
“Especially interesting is the ChromeInject functionality,” said ESET researcher Fernando Tavella. “When the communication with the attacker’s command and control server is established, the payload downloads a DLL file, which has an exported method that creates a malicious Chrome extension. The malicious extension tries to retrieve any credentials that the victim submits to a URL. These credentials are stored in Chrome’s local storage.”
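A defender-side check that fits the extension behaviour described above, added here as an example rather than anything from ESET's report: it walks a Chrome profile's Extensions directory and flags extensions whose manifest combines scripts that run on every site with the storage permission. The extension ids and manifests below are constructed samples, and the assumed on-disk layout is Chrome's `Extensions/<id>/<version>/manifest.json`.

```python
import json
import tempfile
from pathlib import Path

# Hypothetical defensive check (added example, not ESET's tooling): walk a Chrome
# profile's Extensions tree and flag manifests combining site-wide scripts with storage.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def manifest_risk(manifest: dict) -> list:
    """Return the reasons a manifest looks risky (empty list = not flagged)."""
    reasons = []
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    hosts.update(p for p in perms if "://" in p or p == "<all_urls>")  # MV2 style
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    if hosts & BROAD_HOSTS:
        reasons.append("runs on every site (broad host match)")
    if "storage" in perms:
        reasons.append("storage permission (can stash captured data locally)")
    return reasons

def scan_profile(profile_dir: str) -> dict:
    """Map extension id -> reasons, for extensions hitting two or more criteria."""
    flagged = {}
    for path in Path(profile_dir, "Extensions").glob("*/*/manifest.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or half-written manifest
        reasons = manifest_risk(manifest)
        if len(reasons) >= 2:  # one broad permission alone is common in benign add-ons
            flagged[path.parts[-3]] = reasons  # layout: Extensions/<id>/<version>/manifest.json
    return flagged

# Constructed sample manifests with fake extension ids, laid out like a real profile.
SAMPLE_MANIFESTS = {
    "abcdefghijklmnopabcdefghijklmnop": {"name": "Tab Notes", "permissions": ["storage"]},
    "ponmlkjihgfedcbaponmlkjihgfedcba": {
        "name": "Updater", "permissions": ["storage"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]},
}

def build_sample_profile() -> str:
    root = tempfile.mkdtemp(prefix="chrome-profile-")  # temporary Chrome-like tree
    for ext_id, manifest in SAMPLE_MANIFESTS.items():
        version_dir = Path(root, "Extensions", ext_id, "1.0_0")
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root
```

Running `scan_profile(build_sample_profile())` flags only the constructed "Updater" extension; a real profile directory can be passed in its place.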
The payload can execute various commands to control the machine’s cursor, modify the directory contents, terminate running processes, download files, install malicious DLLs, and even uninstall itself.
“[Bandook’s] involvement in different espionage campaigns […] shows us that it is still a relevant tool for cybercriminals,” the researchers concluded. “Also, if we consider the modifications made to the malware over the years, it shows us the interest of cybercriminals to keep using this piece of malware in malicious campaigns, making it more sophisticated and more difficult to detect.”