By: Derek B. Johnson

Security researchers are warning that the once-dormant Bandook malware family is back, possibly as part of a broader operation selling offensive hacking tools to governments and cybercriminal groups.

Check Point Research unveiled new research tracking a resurgence in the use of Bandook – a 13-year-old banking Trojan – across “an unusually wide variety of targeted sectors and locations.” Over the past year, the team has observed dozens of digitally signed variants of the malware being used in attacks against organizations in the United States, Singapore, Cyprus, Chile, Italy, Turkey, Switzerland, Indonesia and Germany. The sectors targeted include government, finance, energy, food, healthcare, education, IT and legal.

Researchers said they identified only around 15 specific organizations that were targeted, indicating a much narrower scope even as the activity has been spread across different countries and industries.

“This is not a large-scale attack, they’re not just spraying inboxes like we see with Emotet or Trickbot,” Michael Abramzon, the threat intelligence analysis team lead at Check Point, told SC Media in an interview. “These are targeted attacks but they’re spread over two years.”

According to Abramzon, Bandook was a popular malware family in the early years after its creation in 2007, but was believed to have fallen out of use among cybercriminal groups after multiple builders for the malware were leaked online. That perception started to change in 2018, when researchers at the Electronic Frontier Foundation and Lookout uncovered two campaigns using the malware that were eventually traced back to groups with ties to the Lebanese and Kazakhstani governments. Those campaigns, dubbed Dark Caracal and Operation Manul respectively, targeted domestic journalists and dissidents, along with their families and colleagues, for espionage.

As part of their research, the authors published a full infection chain that they first observed in July and that is still in use today. Attackers begin with a macro-based phishing lure, usually sending users a ZIP file containing a malicious Microsoft Word document. Once opened, that document executes an encrypted PowerShell script, which then delivers the Bandook payload to create a back door into the organization’s systems or network.
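The chain above (Word document with a macro launching a hidden PowerShell stage) leaves a recognisable parent/child trace in endpoint telemetry. The following added example, which is not from Check Point's report or the article, scores constructed Sysmon-style process-creation events for an Office application spawning a script host with evasion switches; the event field names, sample paths and the encoded-command fragment are all assumptions made for the demonstration.

```python
import re
from typing import Dict, List

# Constructed process-creation events in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {  # macro-enabled document launching a hidden, encoded PowerShell stage
        "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3",  # constructed fragment
        "user": r"CORP\alice",
    },
    {  # benign: an administrator running a script from Explorer
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell.exe -File C:\scripts\backup.ps1",
        "user": r"CORP\admin",
    },
    {  # benign: Word spawning its print helper
        "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "image": r"C:\Windows\splwow64.exe",
        "cmdline": "splwow64.exe 12288",
        "user": r"CORP\alice",
    },
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Switches commonly used to hide the window or pass an encoded command to PowerShell.
EVASION_FLAGS = re.compile(
    r"-(encodedcommand|enc|e|nop|noprofile|w\s+hidden|windowstyle\s+hidden|ep\s+bypass|executionpolicy\s+bypass)\b",
    re.IGNORECASE,
)

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def score_event(event: Dict[str, str]) -> Dict[str, object]:
    """Flag an Office application spawning a script host; record any evasion switches seen."""
    parent, image = _basename(event["parent"]), _basename(event["image"])
    reasons: List[str] = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned script host {image}")
        flags = {f.lower() for f in EVASION_FLAGS.findall(event["cmdline"])}
        if flags:
            reasons.append("evasion switches: " + ", ".join(sorted(flags)))
    return {"user": event["user"], "suspicious": bool(reasons), "reasons": reasons}

def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return only the events that deserve an analyst's attention."""
    return [r for r in map(score_event, events) if r["suspicious"]]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["user"], "->", "; ".join(hit["reasons"]))
```

Only the first event is flagged; the plain `-File` invocation and Word's print helper pass through, which is the separation a rule for this chain needs to keep analyst queues manageable.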

What makes the newer activity interesting is that even as researchers see multiple variants of Bandook used in the wild, they believe the malware source code and command and control infrastructure are owned and managed by a single third-party group that then sells access to nation-state hacking groups and cybercriminals for future operations. This jibes with previous research from EFF and Lookout, which found that Dark Caracal was “only one of a number of different global attackers using [Bandook] infrastructure.”

Samples of Bandook found between 2019 and 2020 all have digital certificates issued by Certum, and Check Point researchers found that a more complex variant of the malware as well as a slimmed-down version compiled days later also used the same command and control server. Not only that, these Bandook variants all tended to evolve in the same way, opening up the possibility that the activity witnessed over the past two years is actually multiple, tightly targeted operations carried out by different groups using the same malware strain.

Indeed, Check Point believes the activity they’re seeing represents an evolution of the same infrastructure used during Dark Caracal, and the mysterious group behind the malware family “seems to improve over time” at operational security. They’ve also whittled the total number of commands in signed Bandook executables down from 120 to 11, likely in an effort to make the malware harder to detect. The research contains multiple indicators of compromise, including samples from multiple variants, domains for Bandook command and control servers, external templates and other details. Abramzon said the overlaps they’re seeing in the Bandook variants used today are hyper-specific and go beyond what you might normally see for commodity malware or a malware-as-a-service operation.

“The whole infrastructure is being maintained and operated by a single entity, because we see no deviation from this single evolution across all campaigns,” he said.