Rewterz Threat Alert – New Variant of Bandook RAT Emerges Again and Targets Windows Systems – Active IOCs

Severity

High

Analysis Summary

A new variant of a remote access trojan named Bandook has resurfaced and is being distributed through phishing attacks to infect Windows systems, showing the constant evolution of the malware. The activity was first observed in October 2023 and is propagated using a PDF file with a link to a password-protected .7z archive.

Bandook was first seen in 2007 as an off-the-shelf-malware featuring a wide range of capabilities for gaining control of compromised machines remotely. In July 2021, a cyber espionage campaign using an upgraded version of Bandook was discovered that breached corporate networks targeting Spanish-speaking countries like Venezuela.

The security researchers discovered that the malware injects its payload into msinfo32.exe, a legitimate Windows binary, after it is extracted by the victim using the password given in the PDF file. The initial point of the latest attack chain is an injector component made to decrypt and load the payload into msinfo32.exe, which is responsible for gathering system information to diagnose computer problems.

The malware can make changes to the Windows Registry to establish persistence on the infected system and connect to a command-and-control (C2) server for receiving additional payloads and commands. It is capable of manipulating files and registries, stealing information, executing files, downloading and uploading, controlling the victim’s machine, invocating the functions in DLLs from the C2, killing processes, and uninstalling the malware.

Impact

• Sensitive Information Theft
• File Manipulation
• Unauthorized Access

Indicators of Compromise

MD5

• 695ebe3e45a89552d7dabbc2b972ed66
• cc9283299523aed18b5c82c22b0b9f27
• 5b49b856ed078c80306a6f190c445138
• 89df83ffca7aae77fe72522173ec71ac
• d3577d76430cf9910df854e066331f56

SHA-256

• d3e7b5be903eb9a596b9b2b78e5dd28390c6aadb8bdd4ea1ba3d896d99fa0057
• 3169171e671315e18949b2ff334db83f81a3962b8389253561c813f01974670b
• e87c338d926cc32c966fce2e968cf6a20c088dc6aedf0467224725ce36c9a525
• 430b9e91a0936978757eb8c493d06cbd2869f4e332ae00be0b759f2f229ca8ce
• cd78f0f4869d986cf129a6c108264a3517dbcf16ecfc7c88ff3654a6c9be2bca

SHA-1

• 89f1e932cc37e4515433696e3963bb3163cc4927
• 33c172779ac7117e30d37a6fe26361b2175cae03
• efbeec9846500b7d54d7fbc51de78b92976d1bbc
• b9d9d73c162969ef56931cc26928f67dfaae1523
• 90e8f60e0b1f19da57011fba19c04fab0614e757

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Enabling two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
• Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
• Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
• Make sure all of your software, including your operating system and applications, is up-to-date with the latest security patches. This can help prevent vulnerabilities that could be exploited by info-stealers and other types of malware.
• Promptly apply security patches and updates for operating systems, software applications, and browsers. This helps to address vulnerabilities that threat actors may exploit to deliver malware.
• Utilize web filtering solutions and URL reputation services to block access to known malicious websites and prevent users from visiting potentially dangerous links.
• Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to quickly respond to and mitigate any potential breaches.