A new variant of the Bandook trojan, a malware family that has been circulating for more than a dozen years, has emerged in a wave of attacks against organizations in government, financial services, energy, and other industries in numerous countries.
The attacks date back to at least July, and based on shared command-and-control infrastructure, similarities in the targeting pattern, and the use of a specific certificate authority to sign malware samples, researchers at Check Point believe they may be connected to an operation known as Dark Caracal from several years ago. Researchers at the EFF and Lookout attributed the Dark Caracal attacks to the Lebanese government, but Check Point’s researchers say it’s likely that the Bandook malware and the operational infrastructure are sold or rented out to governments and other customers.
Bandook is a well-known trojan that has been in use since at least 2007, a Methuselah-like lifespan for a piece of malware. In most of the attack campaigns discussed publicly, Bandook is delivered as the last stage of an infection chain that begins with a phishing email containing a malicious Office document. The email instructs the victim to enable macros to view the attachment. If the victim does so and opens the document, the document downloads malicious macros from an external template, and those macros run a PowerShell script. That script downloads and installs the Bandook backdoor, which has a small number of functions, including downloading, uploading, and running files, taking screenshots, and deleting files.
There are a number of different variants of Bandook in the wild at any given time, and many of those have had a much broader set of commands, as many as 120. Like the newer samples analyzed by Check Point, many of the older variants are signed with a certificate issued by Certum, a Polish certificate authority.
“During this past year, dozens of digitally signed variants of this once commodity malware started to reappear in the threat landscape, reigniting interest in this old malware family,” Check Point’s analysis says.
“In the latest wave of attacks, we once again identified an unusually large variety of targeted sectors and locations. This further reinforces a previous hypothesis that the malware is not developed in-house and used by a single entity, but is part of an offensive infrastructure sold by a third party to governments and threat actors worldwide, to facilitate offensive cyber operations.”
Researchers from Malware Hunter Team identified some of the pared-down Bandook variants in late 2019 that shared some similarities with the ones Check Point identified.
“Analyzing all Bandook samples noted by MHT, we discovered that the very first of the samples was compiled in March 2019 and supported around 120 commands. A sample compiled a few days later – a different signed Bandook variant (with only 11 commands) utilized the very same C&C server. Since then, all signed samples use only 11 basic commands. The shared C&C provides clear evidence that both the slimmed-down and the fully-fledged variants of the malware are operated by a single attacker,” Check Point’s analysis says.
The recent attacks that Check Point observed targeted government agencies, financial services companies, health care companies, and IT organizations in the United States, Germany, Switzerland, Singapore, Chile and several other countries. That broad target set is consistent with the way the Dark Caracal attacks occurred, as well.
“All evidence points to our belief that the mysterious operators behind the malicious infrastructure of ‘Operation Manul’ and ‘Dark Caracal’ are still alive and operational, willing to assist in the offensive cyber operations to anyone who is willing to pay,” Check Point’s researchers said.