A new variant of the remote access trojan known as Bandook has been observed being propagated via phishing attacks with the aim of infiltrating Windows machines, underscoring the continuing evolution of the malware.
Fortinet FortiGuard Labs, which identified the activity in October 2023, said the malware is distributed via a PDF file that embeds a link to a password-protected .7z archive.
“After the victim extracts the malware with the password in the PDF file, the malware injects its payload into msinfo32.exe,” security researcher Pei Han Liao said.
Bandook, first detected in 2007, is an off-the-shelf malware that comes with a wide range of capabilities to remotely gain control of infected systems.
In July 2021, Slovak cybersecurity firm ESET detailed a cyber espionage campaign that leveraged an upgraded variant of Bandook to breach corporate networks in Spanish-speaking countries such as Venezuela.
The starting point of the latest attack sequence is an injector component designed to decrypt and load the payload into msinfo32.exe, a legitimate Windows binary that gathers system information to diagnose computer issues.
Besides making Windows Registry changes to establish persistence on the compromised host, the malware establishes contact with a command-and-control (C2) server to retrieve additional payloads and instructions.
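The behaviours described above give defenders something concrete to look for: msinfo32.exe is a diagnostic utility, so a copy of it that writes an autostart Run key or opens an outbound connection is out of character. The following is an added detection example, not code from the Fortinet report; the event schema, field names and sample records are constructed for illustration, and the unusual-parent check is an extra heuristic of ours, not a detail from the write-up.

```python
"""Flag process telemetry consistent with the Bandook chain: a payload injected
into msinfo32.exe that then sets Run-key persistence and contacts a C2 server.
Telemetry is one JSON object per line; the schema is an assumption for this
example, not a real product format."""
import json
from collections import defaultdict

# Constructed sample telemetry. The addresses and paths are placeholders
# (203.0.113.0/24 is a documentation range), not real indicators.
SAMPLE_EVENTS = r"""
{"event":"process_create","pid":4100,"image":"C:\\Windows\\System32\\msinfo32.exe","parent":"C:\\Users\\user\\Downloads\\injector.exe"}
{"event":"registry_set","pid":4100,"image":"C:\\Windows\\System32\\msinfo32.exe","target":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"}
{"event":"network_connect","pid":4100,"image":"C:\\Windows\\System32\\msinfo32.exe","dest":"203.0.113.10:443"}
{"event":"process_create","pid":5200,"image":"C:\\Windows\\System32\\msinfo32.exe","parent":"C:\\Windows\\explorer.exe"}
{"event":"network_connect","pid":6000,"image":"C:\\Program Files\\Browser\\browser.exe","dest":"203.0.113.20:443"}
"""

# Registry autostart locations commonly used for persistence (lower-cased).
RUN_KEY_MARKERS = ("\\currentversion\\run", "\\currentversion\\runonce")


def flag_msinfo32_abuse(lines):
    """Return {pid: [reasons]} for msinfo32.exe processes that show behaviour
    the diagnostic tool has no reason to exhibit: spawning from an unusual
    parent, writing a Run key, or making an outbound network connection."""
    findings = defaultdict(list)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if not ev.get("image", "").lower().endswith("\\msinfo32.exe"):
            continue  # only interested in the injection target
        kind, pid = ev["event"], ev["pid"]
        if kind == "process_create":
            parent = ev.get("parent", "").lower()
            if not parent.endswith("\\explorer.exe"):  # user-launched is the norm
                findings[pid].append(f"spawned by unusual parent {ev['parent']}")
        elif kind == "registry_set":
            if any(m in ev["target"].lower() for m in RUN_KEY_MARKERS):
                findings[pid].append(f"Run-key persistence: {ev['target']}")
        elif kind == "network_connect":
            findings[pid].append(f"outbound connection to {ev['dest']}")
    return dict(findings)


if __name__ == "__main__":
    for pid, reasons in flag_msinfo32_abuse(SAMPLE_EVENTS.splitlines()).items():
        print(pid, "->", "; ".join(reasons))
```

Only the injected instance (pid 4100) is reported; the user-launched msinfo32.exe and the browser's connection are ignored.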
“These actions can be roughly classified as file manipulation, registry manipulation, download, information stealing, file execution, invocation of functions in DLLs from the C2, controlling the victim’s computer, process killing, and uninstalling the malware,” Han Liao said.