New Bandook RAT Variant Resurfaces, Targeting Windows Machines

January 5, 2024 at 01:27AM

A new variant of the Bandook trojan is being spread through phishing attacks, targeting Windows machines. The malware is distributed via a PDF file embedding a link to a password-protected .7z archive. After extraction, the malware injects its payload into msinfo32.exe. This off-the-shelf malware can remotely control infected systems and has been linked to cyber espionage campaigns.

Key takeaways from the report on this malware / cyber espionage campaign are as follows:

1. A new variant of the remote access trojan called Bandook has been identified, spread through phishing attacks with the goal of infiltrating Windows machines.
2. The malware is distributed through a PDF file containing a link to a password-protected .7z archive. Once extracted, the malware injects its payload into msinfo32.exe.
3. Bandook, first detected in 2007, is a versatile off-the-shelf malware used for remote control of infected systems.
4. In July 2021, an upgraded variant of Bandook was used in a cyber espionage campaign targeting corporate networks in Spanish-speaking countries, such as Venezuela.
5. The malware establishes persistence on compromised hosts through Windows Registry changes and communicates with a command-and-control (C2) server for additional payloads and instructions.
6. The actions executed by the malware include file manipulation, registry manipulation, downloading, information stealing, file execution, invoking functions from the C2, controlling the victim’s computer, process killing, and uninstalling the malware.
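The chain in points 2 and 5 leaves two observable traces on a host: a payload extracted from a downloaded archive (so living in a user-writable directory) starting msinfo32.exe, and a registry change that makes the payload start automatically. The following is an added detection example, not code from the original article or from any vendor analysis. It runs two rules over constructed Sysmon-style log lines (process creation, event 1, and registry value set, event 13); the field names, the sample paths and the choice of Run keys as the persistence location are assumptions made for the example, not indicators taken from the article.

```python
"""Detection logic for the Bandook-style infection chain summarised above.

Added example, not the article's or any vendor's code. The log lines are
constructed to resemble Sysmon event 1 (process creation) and event 13
(registry value set) records; field names, paths and the Run-key location
are assumptions for illustration.
"""
import re
from typing import Dict, List

# Directories an unprivileged user can write to: a payload extracted from a
# downloaded .7z archive will normally live under one of these.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.IGNORECASE
)

# Autostart locations in the registry (assumed for this example; the article
# only says the malware persists through registry changes).
RUN_KEYS = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE
)

# Constructed sample log lines in a simple key=value format.
SAMPLE_LOG = [
    'EventID=1 Image=C:\\Windows\\explorer.exe ParentImage=C:\\Windows\\System32\\userinit.exe CommandLine="explorer.exe"',
    'EventID=1 Image=C:\\Users\\alice\\Downloads\\invoice\\setup.exe ParentImage=C:\\Windows\\explorer.exe CommandLine="setup.exe"',
    'EventID=1 Image=C:\\Windows\\System32\\msinfo32.exe ParentImage=C:\\Users\\alice\\Downloads\\invoice\\setup.exe CommandLine="msinfo32.exe"',
    'EventID=13 Image=C:\\Users\\alice\\Downloads\\invoice\\setup.exe TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater Details="C:\\Users\\alice\\AppData\\Roaming\\svc.exe"',
    # Benign: a user opening System Information from the shell.
    'EventID=1 Image=C:\\Windows\\System32\\msinfo32.exe ParentImage=C:\\Windows\\explorer.exe CommandLine="msinfo32.exe"',
]


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value line into a dict; quoted values may contain spaces."""
    fields: Dict[str, str] = {}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
        fields[key] = value.strip('"')
    return fields


def detect(lines: List[str]) -> List[str]:
    """Return one alert string per event matching either rule.

    Rule 1: msinfo32.exe (the injection target) started by a parent that
            lives in a user-writable directory.
    Rule 2: a Run/RunOnce value whose data points into a user-writable
            directory, i.e. an autostart for a dropped payload.
    """
    alerts: List[str] = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("EventID") == "1":
            image = ev.get("Image", "")
            parent = ev.get("ParentImage", "")
            if image.lower().endswith("\\msinfo32.exe") and USER_WRITABLE.search(parent):
                alerts.append(f"msinfo32.exe launched by user-writable parent {parent}")
        elif ev.get("EventID") == "13":
            target = ev.get("TargetObject", "")
            details = ev.get("Details", "")
            if RUN_KEYS.search(target) and USER_WRITABLE.search(details):
                alerts.append(f"Run-key autostart {target} points to {details}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Both rules are deliberately narrow: msinfo32.exe started by explorer.exe, as in the last sample line, is a normal user action and produces no alert. In a real deployment the parent-path check would be extended to other signed system binaries commonly used as injection hosts, and the Run-key rule to the other autostart locations relevant to the environment.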

The report focuses on the evolving nature of the Bandook malware, its distribution methods, and the actions it performs once a system is infected. This information provides useful input for developing strategies to detect, prevent, and respond to such threats.