Malware analysis

Bandook malware: What it is, how it works and how to prevent it

March 17, 2021 by Pedro Tavares

Bandook malware is a remote access trojan (RAT) first seen in 2007 and active for several years.

Bandook RAT, written in both Delphi and C++, was first seen as a commercial RAT and developed by a Lebanese creator named PrinceAli. Over the years, several variants of Bandook were leaked online, and the malware became available for public download.

According to Check Point research, Bandook was last spotted in 2015 and 2017-2018 in the “Operation Manul” and “Dark Caracal” campaigns, respectively. The malware then all but disappeared from the threat landscape — but it’s now having a resurgence.

Dozens of digitally signed variants of Bandook are being distributed across an unusually wide range of sectors and countries. Targeted sectors include government, financial, energy, food, healthcare, education, IT and legal organizations; victims of this new wave have been observed in Chile, Cyprus, Germany, Indonesia, Italy, Singapore, Switzerland, Turkey and the U.S.

Because so many unrelated sectors and countries are targeted, the malware is suspected to be operated not by a single entity but by a third party that runs the offensive infrastructure and sells access to governments and threat actors worldwide.


How Bandook is distributed

The Bandook infection chain has three stages. It begins with a phishing email carrying a Microsoft Word document with embedded code, delivered inside a ZIP archive.

Figure 1: Bandook phishing document used to convince the user to enable the macros.

According to the Check Point analysis, the campaign used several other lure documents, including ones that load an external template carrying the macros.

Figure 2: Examples of lure documents and external templates with macros.

A notable detail of the Bandook malspam documents is that, after some time, the operators replace the malicious external template with a benign one. A lure fetched and analyzed later then retrieves only harmless content, which helps the documents slip past defenses and later re-analysis.

The Bandook external template and VBA macro

When the document is opened, Word fetches its external template from a link hosted on a URL shortening service such as TinyURL; it is the template, not the lure document itself, that carries the malicious VBA macros.

Figure 3: URL inside the doc file that downloads the external template with VBA macros.

The macro code then drops and executes the second stage: a PowerShell payload encrypted inside the original Word document. Finally, the PowerShell script downloads and executes the last stage, the Bandook backdoor itself. The following image shows the high-level diagram of this chain.

Figure 4: Full chain of Bandook malware.
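The external-template trick above leaves a trace in the document itself: an OOXML (.docx) file records its attached template as a relationship in word/_rels/settings.xml.rels, and a remote template is marked TargetMode="External". The following added example (not code from the article or from Check Point's analysis) scans a .docx for such relationships and flags one that sits behind a URL shortener. It builds its own minimal, constructed .docx for the demonstration; the placeholder tinyurl.com link and the list of shortener hosts other than TinyURL are assumptions, not indicators from the campaign.

```python
"""Scan a .docx for remote (external) attached templates.
Added example; constructed sample document, not a real lure."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
# TinyURL is named in the article; the other hosts are assumed additions.
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "is.gd", "t.co"}


def find_external_templates(docx_bytes: bytes) -> list:
    """Return the Target of every attachedTemplate relationship with TargetMode="External".
    Word fetches such a template when the document opens; if the remote file is a
    macro-enabled template, the VBA runs from it rather than from the lure."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"):
                    hits.append(rel.get("Target"))
    return hits


def assess(docx_bytes: bytes) -> dict:
    """Any remote template is suspicious; one behind a URL shortener (the Figure 3
    case) is worse, because the final host cannot be judged from the document."""
    targets = find_external_templates(docx_bytes)
    via_shortener = [t for t in targets if urlparse(t).hostname in SHORTENER_HOSTS]
    return {
        "external_templates": targets,
        "via_shortener": via_shortener,
        "verdict": "suspicious" if targets else "clean",
    }


def build_sample_docx(template_url=None) -> bytes:
    """Constructed minimal .docx; with template_url set, settings.xml points at a
    remote template. Real documents carry more parts; only the .rels matters here."""
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    r_ns = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    attached = '<w:attachedTemplate r:id="rId1"/>' if template_url else ""
    settings = (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                f'<w:settings xmlns:w="{w_ns}" xmlns:r="{r_ns}">{attached}</w:settings>')
    rels = (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{PKG_REL_NS}"><Relationship Id="rId1" '
            f'Type="{ATTACHED_TEMPLATE}" Target="{template_url}" TargetMode="External"/>'
            f'</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", f'<?xml version="1.0"?><w:document xmlns:w="{w_ns}"/>')
        z.writestr("word/settings.xml", settings)
        if template_url:
            z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder short link, not a real campaign URL.
    print(assess(build_sample_docx("https://tinyurl.com/example-template")))
```

The check only covers the OOXML container; legacy binary .doc lures store the attached template elsewhere and need a different parser. The same relationship scan is worth running on files that were already judged benign, since, as noted above, the remote template can be swapped after the fact while the document's pointer to it stays in place.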

Bandook second stage — the PowerShell loader

As shown in Figure 4, the PowerShell loader (fmx.ps1) decodes and executes a base64-encoded PowerShell script stored in the second dropped file (sdmc.jpg). That script downloads a ZIP archive containing four files from a cloud service such as Dropbox, Bitbucket or an AWS S3 bucket, saves it in the user's Public folder and extracts the files there.

Figure 5: Dropped files into the user’s public folder.

The three PNG files are used to generate the next payload in the same folder. Despite their extensions, a.png and b.png are not valid images; untitled.png, by contrast, is a valid image, but it hides an RC4 routine encoded in the RGB values of its pixels. Bandook uses this steganographic trick to disguise its decryption logic as an ordinary picture.

The PowerShell script then executes the malware, opens draft.docx and deletes all previous artifacts from the Public folder.

Draft.docx is a benign decoy that tells the victim the document is no longer available, so the apparently failed open looks normal and raises no suspicion while the backdoor is already running.
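To make the pixel-steganography step concrete, here is an added example (not the article's or Bandook's code) that hides an RC4-encrypted blob in the RGB channels of a PNG and then recovers it the way a loader would. The article does not document Bandook's exact encoding, so the layout used here (a 4-byte length header followed by ciphertext, one byte per colour channel), the key and the payload are all assumptions; the PNG writer and reader are deliberately minimal (8-bit RGB, filter type 0 only) rather than a general image library.

```python
"""Hide a payload in PNG pixel values and RC4-decrypt it on extraction.
Added example; encoding layout and key are assumptions, payload is constructed."""
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _chunk(tag: bytes, body: bytes) -> bytes:
    """One PNG chunk: length, tag, body, CRC over tag+body."""
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def write_png_rgb(width: int, height: int, rgb: bytes) -> bytes:
    """Encode raw RGB triples as an 8-bit truecolor PNG with filter type 0 per row."""
    assert len(rgb) == width * height * 3
    rows = b"".join(b"\x00" + rgb[y * width * 3:(y + 1) * width * 3] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b""))


def read_png_rgb(png: bytes) -> bytes:
    """Return the raw RGB bytes of an 8-bit truecolor PNG whose rows use filter 0."""
    if png[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG")
    pos, width, height, idat = 8, None, None, b""
    while pos < len(png):
        length, tag = struct.unpack(">I4s", png[pos:pos + 8])
        body = png[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if depth != 8 or ctype != 2:
                raise ValueError("only 8-bit RGB is handled here")
        elif tag == b"IDAT":
            idat += body
        elif tag == b"IEND":
            break
        pos += 12 + length
    raw = zlib.decompress(idat)
    stride = width * 3 + 1
    out = bytearray()
    for y in range(height):
        row = raw[y * stride:(y + 1) * stride]
        if row[0] != 0:
            raise ValueError("row filter %d not handled" % row[0])
        out += row[1:]
    return bytes(out)


def hide_in_png(payload: bytes, key: bytes, width: int = 16) -> bytes:
    """Encrypt, prefix the length, spread the bytes over pixel channels (zero padded)."""
    blob = struct.pack(">I", len(payload)) + rc4(key, payload)
    height = -(-len(blob) // (width * 3))          # ceiling division
    blob += b"\x00" * (width * height * 3 - len(blob))
    return write_png_rgb(width, height, blob)


def extract_from_png(png: bytes, key: bytes) -> bytes:
    """The loader's side: read the pixels, take the length header, decrypt the rest."""
    rgb = read_png_rgb(png)
    (n,) = struct.unpack(">I", rgb[:4])
    return rc4(key, rgb[4:4 + n])


if __name__ == "__main__":
    secret = b"Write-Output 'next stage'"   # constructed stand-in for a PowerShell stage
    png = hide_in_png(secret, b"demo-key")
    print(extract_from_png(png, b"demo-key"))
```

The practical takeaway for a responder is that a file which passes every image check can still carry executable logic; when a script reads pixel data and then evaluates the result, the image is an artifact worth carving and decoding, not noise to discard. Note that a wrong key produces garbage rather than an error, so a loader of this kind usually has a length or marker check like the header above.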

Last stage — Bandook itself

The final payload is a Bandook variant. It starts with a loader, written in Delphi, that creates a new instance of an Internet Explorer process and injects the malicious payload into it using the well-known process hollowing technique. Delphi is widely used by criminals in malicious operations, including Latin American trojans such as Javali.
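From the defender's side, the most dependable trace of this step is process lineage rather than the injection itself: classic hollowing writes into a child created in a suspended state and resumes its primary thread, so no remote thread is created and Sysmon's CreateRemoteThread event usually does not fire. The following added example (not Bandook's code or a vendor rule) therefore correlates Sysmon-style ProcessCreate (event 1) and NetworkConnect (event 3) records: an Internet Explorer process whose parent is a script host is suspect, and a network connection from that same process (the C2 check-in) escalates it. The events are constructed for the demonstration and the host lists are assumptions; the IP addresses are documentation ranges, not real C2 servers.

```python
"""Flag an Internet Explorer process spawned by a script host and its C2 check-in.
Added example over constructed Sysmon-style records; not Bandook code."""

HOLLOW_HOSTS = {"iexplore.exe"}                                    # assumed hollowing target
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_hollowed_ie(events):
    """Walk the events in order and return alerts.
    - office_spawned_script_host: the macro stage (Word launching PowerShell).
    - ie_spawned_by_script_host: the hollowing host; real browser launches come
      from explorer.exe, a shortcut or another browser-aware parent.
    - suspect_ie_network_connect: the flagged process talks out, i.e. the C2 contact."""
    suspects = {}
    alerts = []
    for ev in events:
        eid, pid = ev["EventID"], ev["ProcessId"]
        if eid == 1:
            img, parent = basename(ev["Image"]), basename(ev["ParentImage"])
            if img in SCRIPT_HOSTS and parent in OFFICE_HOSTS:
                alerts.append({"rule": "office_spawned_script_host", "pid": pid,
                               "parent": parent, "severity": "medium"})
            if img in HOLLOW_HOSTS and parent in SCRIPT_HOSTS:
                suspects[pid] = parent
                alerts.append({"rule": "ie_spawned_by_script_host", "pid": pid,
                               "parent": parent, "severity": "medium"})
        elif eid == 3 and pid in suspects and basename(ev["Image"]) in HOLLOW_HOSTS:
            alerts.append({"rule": "suspect_ie_network_connect", "pid": pid,
                           "dest": f"{ev['DestinationIp']}:{ev['DestinationPort']}",
                           "severity": "high"})
    return alerts


# Constructed events: a lure chain (PIDs 1200 -> 1340 -> 1410) and a benign IE (2200).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1200,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 1340,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 1, "ProcessId": 1410,
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "ProcessId": 2200,
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "ProcessId": 2200,
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    {"EventID": 3, "ProcessId": 1410,
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "DestinationIp": "203.0.113.25", "DestinationPort": 443},
]

if __name__ == "__main__":
    for alert in detect_hollowed_ie(SAMPLE_EVENTS):
        print(alert)
```

In production the correlation key should be Sysmon's ProcessGuid rather than the reusable ProcessId, and a memory-aware sensor is needed to confirm that the IE image in the child no longer matches the file on disk; the lineage rule above is the cheap first filter that surfaces the chain for that deeper check.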

The payload contacts the C2 server, sends basic information about the infected machine and waits for commands. In this wave, Bandook used a custom build that supports only 11 commands:

Command | Functionality
--- | ---
@0001 | Download and execute file via HTTP
@0002 | Download and execute file via a raw TCP socket
@0003 | Take a screenshot
@0004 | List drives
@0005 | List files
@0006 | Upload file
@0007 | Download file
@0008 | Shell execute
@0009 | Move file
@0010 | Delete file
@0011 | Get public IP

Bandook samples signed with valid code-signing certificates were already observed in 2019 and 2020, a way of getting past security controls that trust signed binaries.

Figure 6: Signed Bandook samples discovered by MHT.

In this wave, valid Certum certificates were also used to sign the Bandook malware executable.

Figure 7: Valid signature information of a newly discovered Bandook sample.

In general, three Bandook variants are currently available in the wild:

  • A full-fledged version with 120 commands (not signed)
  • A full-fledged version (single sample) with 120 commands (signed)
  • A slimmed-down version with 11 commands (signed)

With these three variants to choose from, the operators can pick the build that keeps the malware's footprint as small as possible and maximizes the chance of running an undetected campaign against high-profile targets.

Resurgence of Bandook

Bandook RAT is an old piece of malware that reemerged last year in three variants whose command sets are trimmed to reduce the chance of detection. Its loader, built on Word external templates and a staged PowerShell script, is designed to slip past initial detection.

Code-signing certificates are also used to evade security controls, since a valid signature is treated as a mark of trust. Note that a signature does not suppress the User Account Control (UAC) prompt; it makes the prompt show a verified publisher instead of an "unknown publisher" warning, which makes the user more likely to approve execution.


There is no perfect formula for blocking trojans and other malicious activity, but some measures reduce the chance of these scenarios being exploited:

  • Train users to recognize social engineering and to handle suspicious messages correctly
  • Do not trust emails from untrusted sources
  • Do not open links and attachments from untrusted sources
  • Ensure that software, applications and systems are up to date
  • Use endpoint protection solutions and updated antivirus to prevent malicious infections
  • Use vulnerability management and monitoring systems to identify potential unpatched flaws and to detect incidents in real-time
  • Block the indicators of compromise (IoCs) in the corresponding security devices
  • Perform cybersecurity audits and mitigate any weaknesses discovered to prevent attacks in the wild, both from external and internal perspectives

Sources

MITRE ATT&CK matrix
Bandook analysis, Check Point Research

Pedro Tavares

Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and a Security Evangelist. He is also Editor-in-Chief of the security computer blog

In recent years, he has invested in the field of information security, exploring and analyzing a wide range of topics, such as malware, reverse engineering, pentesting (Kali Linux), hacking/red teaming, mobile, cryptography, IoT, and security in computer networks. He is also a Freelance Writer.