Cybersecurity researchers have discovered a new piece of malware targeting Windows devices, so be on the lookout.
Experts from Fortinet’s FortiGuard Labs claim to have found a previously undetected version of a remote access trojan called Bandook.
This malware was first spotted in 2007, TheHackerNews reports, when it was described as an “offtheshelf malware with a wide range of features.” The end goal was always the same, though to grant the operators remote access to infected endpoints.
Bandook akimbo
The latest version was seen being distributed via phishing emails. Apparently, the attackers are sending out malicious PDF files that embed a link to a passwordprotected .7z archive.
“After the victim extracts the malware with the password in the PDF file, the malware injects its payload into msinfo32.exe,” explained security researcher Pei Han Liao. Msinfo32 is a legitimate windows binary tasked with gathering system information. It is generally used to diagnose different computer issues.
Bandook, however, changes the Windows Registry to establish persistence, and then reaches out to its commandandcontrol (C2) server to ask for further instructions. Usually, the instructions include a stagetwo payload which grant full access to the attackers.
“These actions can be roughly categorized as file manipulation, registry manipulation, download, information stealing, file execution, invocation of functions in DLLs from the C2, controlling the victim’s computer, process killing, and uninstalling the malware,” Han Liao concluded.
“In the latest wave of attacks, we once again identified an unusually large variety of targeted sectors and locations. This further reinforces a previous hypothesis that the malware is not developed inhouse and used by a single entity, but is part of an offensive infrastructure sold by a third party to governments and threat actors worldwide, to facilitate offensive cyber operations,” the researchers said at the time.