Rewterz Threat Alert – Dark Caracal Targets Multiple Sectors with Bandook Malware

Severity

High

Analysis Summary

The Dark Caracal threat group is found active again. It’s believed to be a state-sponsored group, supporting Kazakhstan and Lebanon government interests in particular. Although they were inactive for a period of time, they re-emerged in November of 2019 with new, signed versions of the Bandook malware targeting multiple sectors. Now, a much broader list of target industries and countries has been identified. The Bandook malware used by the group is a commercially available, full-featured RAT that has been around since 2007. 
This time, new samples of the Bandook malware are found with legitimate signing certificates for Windows (issued by the “Certum” certificate authority,) which would allow them to be run without a warning to the user on any Windows computer. Three new variants of Bandook are found, some expanded (120 commands), some slimmed down (11 commands), and all signed with Certum certificates. In previous campaigns, this actor has displayed impressively lax operational security, enabling researchers to download terabytes of data from their command and control servers. The latest campaign exhibits a somewhat higher level of opsec. Targets include Government, financial, energy, food industry, healthcare, education, IT and legal institutions in multiple countries including Singapore, Cyprus, Chile, Italy, USA, Turkey, Switzerland, Indonesia and Germany. 
The Dark Caracal threat actors still seem to primarily use phishing and Office-based macros as their primary method of infection. Because of this, the best step one can take to protect against Dark Caracal is to disable Office macros on your personal devices or that of your entire organization. The final payload in this infection chain is a variant of Bandook. Bandook’s execution flow starts with a loader, written in Delphi, that uses the Process Hollowing technique to create a new instance of an Internet Explorer process and inject a malicious payload into it. The payload contacts the C&C server, sends basic information about the infected machine, and waits for additional commands from the server. 

Impact

• Unauthorized Remote Access
• Code Execution
• Information Theft
• Data Exfiltration

Indicators of Compromise

Domain Name

• opwalls[.]com
• megadeb[.]com
• wbtogm[.]com

MD5

• e2bcd26465f9715da2789febce3bedf7
• 6f4f9d9b13426b3e6b705ae65c22ba87
• 078282eecb219bafd4f995990469848b
• a337fc0c2bbbb47a19c41c667bd77c08
• 0fd1b688c44f27f18144de1f3127f9a9
• a9427349fea3c1aa47adf83e2e1e1c1d
• 057e97ae4547f8dbb058e87ba737e210
• 70fb69b85bae8c89e62e267b7852a760

SHA-256

• fabce973a9edff2c62ccb6fdd5b14c422bc215284f952f6b31cc2c7d98856d57
• 2f9ba191689e69e9a4f79b96d66c0fee9626fbd0ea11e89c0129e5d13afe6d76
• d50696eec5288f29994aa68b8f38c920f388a934f23855fb516fa94223c29ecc
• 4f2ebe6f4fc345041643d5d7045886956fe121272fa70af08498a27135a72d97
• f3b54507a82a17f4056baaa3cb24972a2dfa439fa9b04493db100edb191a239f
• f08cbc1c5bca190bc34f7da3ad022d915758f5eb2c0902b13c44d50129763cf1
• 2b54f945f5e3d226d3a09cdfcc41e311b039ceadf277310697672c8c706aa912
• fe18568eb574d8fa6c7d9bd7d8afa60d39aae0e582aff17c5986f9bab326ec8a

SHA1

• b3bd4d0c84d0751d88eb0343b8e194e499894a98
• c3291d4d099abfdd10b6c5ca6dea9a696fc124e6
• ce27ac8d4f5290882f8118458e1e24aba2e873b9
• b0b15e439c031caba8f787537225bdaff67ccf7a
• 5af8bf12ca712f306b59858c7b2babf7ecbc1640
• 88cbb2cba1fe9b96bba512c2d169d24d48faae64
• 17f5dd35a7a30fb2236383f313448267a7fb3187
• 5f7b82afef3713d93398b564a7407f1fc97e23d5

URL

• http[:]//wbtogm[.]com
• http[:]//www[.]opwalls[.]com/tunnel2015/add[.]php
• https[:]//pronews[.]icu/aqecva/
• https[:]//pronews[.]icu/raxpafsd/images
• https[:]//pronews[.]icu/aqecva/add[.]php
• https[:]//pronews[.]icu/cgi-bin
• https[:]//pronews[.]icu/phpmyadmin
• http[:]//blombic[.]com/uioncby281229hcbc2728hsha11kjddhwqqqqc/add[.]php
• https[:]//blancomed[.]com/newnjususus3/post[.]php
• https[:]//blancomed[.]com/newnjususus3/post[.]php
• http[:]//blombic[.]com/OSPSPSPS2222292929nnnxnxnxnxnx/add[.]php
• http[:]//blancomed[.]com/newnjususus1/post[.]php
• http[:]//blancomed[.]com/newnjususus2/post[.]php

Remediation

• Block the threat indicators at their respective controls.
• Do not download files attached in untrusted emails.
• Keep all systems, software and browsers updated to latest patched versions.