Check Point Research recently observed a new wave of campaigns against various targets worldwide that utilizes a strain of a 13-year-old backdoor Trojan named Bandook.
Bandook, which had almost disappeared from the threat landscape, was featured in 2015 and 2017 campaigns, dubbed “Operation Manul” and “Dark Caracal”, respectively. These campaigns were presumed to be carried out by the Kazakh and the Lebanese governments, as uncovered by the Electronic Frontier Foundation (EFF) and Lookout.
During this past year, dozens of digitally signed variants of this once commodity malware started to reappear in the threat landscape, reigniting interest in this old malware family.
In the latest wave of attacks, we once again identified an unusually large variety of targeted sectors and locations. This further reinforces a previous hypothesis that the malware is not developed in-house and used by a single entity, but is part of an offensive infrastructure sold by a third party to governments and threat actors worldwide, to facilitate offensive cyber operations.
In this publication, we showcase the latest evolution of the infection chain offered by this unknown third party, compare the different Bandook variants, and share the various techniques its creators use to hinder analysis and detection of all the components in the attack flow.
As the infection chain is constantly evolving, we describe the one used by the attackers from as early as July, to the present day.
The full infection chain of the attack can be broken down into three main stages. The first stage starts, as in many other infection chains, with a malicious Microsoft Word document delivered inside a ZIP file. Once the document is opened, malicious macros are downloaded using the external template feature. The macros’ code in turn drops and executes the second stage of the attack, a PowerShell script encrypted inside the original Word document. Finally, the PowerShell script downloads and executes the last stage of the infection: the Bandook backdoor.
💡 The names of the various artifacts described below may vary from one infection to the next.
First Stage – Lure Documents
The first stage starts with a Microsoft Word document with embedded encrypted malicious script data and an external template that points to a document containing malicious VBA macros.
The external template is downloaded via a URL shortening web service like TinyURL or Bitly, which redirects to another domain controlled by the attacker.
The external template document contains VBA code that runs automatically, decrypts the embedded data from the original lure document, and drops the decoded data into two files in the local user folder: fmx.ps1 (the next stage PowerShell) and sdmc.jpg (base64 encoded PowerShell code).
To allow this behavior, the attackers use a combination of two techniques: encrypted data is embedded inside a shape object within the original document (hidden from view by a small font size and white foreground), and is accessed from the external template code by using the following code:
For proper analysis, both the original document and the external template must be located, which makes things a bit more difficult for investigators.
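Both document-level tricks described above leave traces in the .docx package itself: the remote template is an `attachedTemplate` relationship with `TargetMode="External"` in word/_rels/settings.xml.rels, and the hidden shape text is a run with a white foreground and a tiny font size in word/document.xml. The following triage script is an added example, not code from the report; the sample document it builds is constructed, and the tinyurl target is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"r": "http://schemas.openxmlformats.org/package/2006/relationships",
      "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main"}
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SHORTENERS = ("tinyurl.com", "bit.ly")  # the redirect services named in the report


def triage_docx(data: bytes) -> dict:
    """Flag a remote attachedTemplate and invisible (white, tiny) text runs in a .docx."""
    findings = {"external_template": None, "shortener": False, "hidden_chars": 0}
    w = "{%s}" % NS["w"]
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        # 1) An attachedTemplate with TargetMode="External" is fetched (macros included) on open.
        if "word/_rels/settings.xml.rels" in z.namelist():
            for rel in ET.fromstring(z.read("word/_rels/settings.xml.rels")).findall("r:Relationship", NS):
                if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                    target = rel.get("Target", "")
                    findings["external_template"] = target
                    findings["shortener"] = any(s in target.lower() for s in SHORTENERS)
        # 2) Runs with white foreground and a font size of 2 pt or less (w:sz is in half-points).
        #    Text-box shapes store their runs the same way, so iterating all w:r covers them.
        if "word/document.xml" in z.namelist():
            for run in ET.fromstring(z.read("word/document.xml")).iter(w + "r"):
                rpr = run.find("w:rPr", NS)
                if rpr is None:
                    continue
                color, size = rpr.find("w:color", NS), rpr.find("w:sz", NS)
                white = color is not None and color.get(w + "val", "").upper() == "FFFFFF"
                tiny = size is not None and int(size.get(w + "val", "99")) <= 4
                if white and tiny:
                    findings["hidden_chars"] += sum(len(t.text or "") for t in run.findall("w:t", NS))
    return findings


def build_sample_docx() -> bytes:
    """Constructed minimal .docx showing both tricks; not a real malware sample."""
    rels = ('<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
            'Target="https://tinyurl.com/EXAMPLE-PLACEHOLDER" TargetMode="External"/>'
            '</Relationships>' % (NS["r"], ATTACHED_TEMPLATE))
    doc = ('<w:document xmlns:w="%s"><w:body><w:p><w:r><w:t>Enable Content to view</w:t></w:r></w:p>'
           '<w:p><w:r><w:rPr><w:color w:val="FFFFFF"/><w:sz w:val="2"/></w:rPr>'
           '<w:t>c0nstructed-blob</w:t></w:r></w:p></w:body></w:document>' % NS["w"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/settings.xml.rels", rels)
        z.writestr("word/document.xml", doc)
    return buf.getvalue()
```

A real document also carries `<w:attachedTemplate r:id="..."/>` in word/settings.xml; the relationship file is checked here because it is where the external URL lives.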
We observed and analyzed multiple pairs of documents and external templates. Different lure images were used, alongside different encryption keys.
Examples of lure documents:
Examples of external templates with macros:
The external templates are not visible to the victim. Their only purpose is to provide malicious macros.
Interestingly, with each attack, after a certain amount of time, the attacker switched the malicious external template to a benign one, further muddying our analysis of the infection chain.
Here again, the external templates look like random benign documents:
The themes of the documents are often of cloud-based services like Office365, OneDrive and Azure that contain images of other documents supposedly available once the victim clicks “Enable Content.”
For example, one of the documents that specifically got our attention depicts an Office365 logo and a preview of a certificate issued by the government of Dubai. JAFZA – Jebel Ali Free Zone, featured at the top of the document, is an industrial area surrounding the port of Jebel Ali in Dubai, where more than 7,000 global companies are based.
Sample document file names:
passport and documents.docx
Second Stage – PowerShell Loader
After the VBA code drops the two files (fmx.ps1 and sdmc.jpg), it invokes fmx.ps1.
fmx.ps1 is a short PowerShell script that decodes and executes a base64 encoded PowerShell stored in the second dropped file (sdmc.jpg).
First, the decoded PowerShell script downloads a zip file containing four files from a cloud service such as Dropbox, Bitbucket or an S3 bucket. The zip file is stored in the user’s Public folder, and the four files are locally extracted.
Three of the files, a.png, b.png and untitled.png, are used by the PowerShell script to generate the malware payload in the same folder. untitled.png, unlike the other two files, is in a valid image format. It contains a hidden RC4 function encoded in the RGB values of the pixels, created using a known tool named Invoke-PSImage.
The final executable payload is concatenated from the following files:
a.png – After it is decrypted using RC4 and stored as aps.png.
b.png – As is.
Finally, the PowerShell script executes the malware, opens draft.docx, and deletes all previous artifacts from the Public folder.
draft.docx is a benign document whose sole purpose is to convince the victim that the document is no longer available, and that the overall execution was successful.
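For an analyst holding the files recovered from the Public folder, the assembly step above can be replayed offline to obtain the payload for hashing and static analysis. This is an added example, not code from the report or from the loader; the RC4 key must be taken from the decoded sdmc.jpg script, and the key and both input files below are constructed placeholders.

```python
import hashlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same routine encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rebuild_payload(a_png: bytes, b_png: bytes, key: bytes) -> dict:
    """Reproduce the loader's assembly: RC4-decrypt a.png (the aps.png step), append b.png as is."""
    aps = rc4(key, a_png)
    payload = aps + b_png
    return {
        # Neither a.png nor b.png is a real image, unlike untitled.png; a magic check shows that.
        "a_is_real_png": a_png.startswith(PNG_MAGIC),
        "b_is_real_png": b_png.startswith(PNG_MAGIC),
        "payload_is_pe": payload.startswith(b"MZ"),
        "payload_len": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
    }


# Constructed stand-in artifacts (not real samples): a fake PE prefix encrypted with a
# placeholder RC4 key, plus a trailing chunk that the loader would append unchanged.
SAMPLE_KEY = b"PLACEHOLDER-KEY"
SAMPLE_HEAD = b"MZ" + bytes(62) + b"PE\x00\x00" + bytes(26)
SAMPLE_A = rc4(SAMPLE_KEY, SAMPLE_HEAD)
SAMPLE_B = bytes(40)
```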
Third Stage – The Bandook Loader
The final payload in this infection chain is a variant of an old full-featured RAT named Bandook. Written in both Delphi and C++, Bandook has a long history, starting in 2007 as a commercially available RAT that was developed by a Lebanese individual nicknamed PrinceAli. Over time, several variants of the malware builder were leaked to the Web, and the malware became publicly available for download.
Bandook’s execution flow starts with a loader, written in Delphi, that uses the Process Hollowing technique to create a new instance of an Internet Explorer process and inject a malicious payload into it. The payload contacts the C&C server, sends basic information about the infected machine, and waits for additional commands from the server.
The variant of the Bandook malware we observed in this attack was not one of the variants whose builder was previously leaked to the Web (which supported a range of more than 100 commands).
In this attack, the threat actor utilized a custom, slimmed-down version of the malware with only 11 supported commands, including:
💡 For a full list of commands and their corresponding request codes, see Appendix A.
In this version, the communication protocol with the C&C server was also upgraded to use AES encryption.
Bandook variants in the wild
After comparing the Bandook variant we observed in the attack with the ones created by different leaked builders, we began hunting for variants more similar to the ones we observed.
Our search led us to tweets by the MalwareHunterTeam (MHT) from 2019-2020 that mention various Bandook samples — all of them digitally signed with certificates that were issued by Certum.
In the newer attack flows we observed, we once again found valid Certum certificates were used to sign the Bandook malware executable.
Analyzing all Bandook samples noted by MHT, we discovered that the very first of the samples was compiled in March 2019 and supported around 120 commands. A sample compiled a few days later, a different signed Bandook variant with only 11 commands, utilized the very same C&C server. Since then, all signed samples use only 11 basic commands. The shared C&C provides clear evidence that both the slimmed-down and the fully-fledged variants of the malware are operated by a single attacker.
In addition to the Bandook samples that were reported by MHT, we identified additional samples from the same time period (2019-2020) which were not digitally signed and contained about 120 commands. These were the only ITW Bandook samples we were able to locate from this time period.
Several factors led us to believe that these signed and unsigned variants are specially crafted Bandook variants, used and developed by the same entity.
Both use the same domain registration services for their C&C domains: Porkbun or NameSilo.
They share a similar method of communication, using the AES encryption algorithm in CFB mode, with a hardcoded IV: 0123456789123456. This feature is not available in the public leaks of this malware.
They incorporated commands that we did not observe in any other public leak or report. Most notable are the commands to execute Python and Java payloads.
At this point, we have three different variants of the malware, which we believe are operated and sold by a single entity, in accordance with their chronological appearance:
A full-fledged version with 120 commands (not signed).
A full-fledged version (single sample) with 120 commands (signed).
A slimmed-down version with 11 commands (signed).
The move to a slimmed-down version with only 11 commands for signed executables may indicate the operators’ desire to reduce the malware’s footprint and maximize their chances for an undetectable campaign against high profile targets (and high paying customers), while continuing the use of the unsigned 120 commands variant for lower profile ones.
Furthermore, such a minimized backdoor might indicate that the slimmed-down variant of Bandook is only utilized as a loader for an additional, more full-featured malware to be downloaded next.
As mentioned previously, in this campaign we observed an unusually large variety of targeted sectors and locations. This strengthens a hypothesis made by researchers – that the malware is not being developed and used by a single entity, but an offensive infrastructure is being sold by a third-party, to governments and threat actors worldwide, to facilitate offensive cyber operations.
The different targeted sectors include:
Government, financial, energy, food industry, healthcare, education, IT and legal institutions.
In the following countries:
Singapore, Cyprus, Chile, Italy, USA, Turkey, Switzerland, Indonesia and Germany.
Connection to Dark Caracal
This campaign isn’t the first instance of the Bandook malware being incorporated in a targeted attack. As mentioned, in a joint report from Lookout and the EFF, targeted attacks utilizing a Bandook variant, called “Dark Caracal”, were attributed to the Lebanese General Security Directorate.
Some of this campaign’s characteristics and similarities to previous campaigns lead us to believe that the activity we describe in this report is indeed the continuation and evolution of the infrastructure used during the Dark Caracal operation:
The use of the same certificate provider (Certum) throughout the various campaigns.
The use of the Bandook Trojan, in what appears to be a unique evolving fork from the same source code (which is not known to be publicly available). Samples from the Dark Caracal campaign (2017) utilized around 100 commands, compared to the current 120 command version we analyzed.
This wave of attacks shares the same anomalous characteristics for targeted attacks – an extreme variance in the selected targets, both in their industry and their geographic spread.
Finally, EFF researchers who first disclosed the Dark Caracal operation also believe that the same attacker “is back at it” again.
All evidence supports our belief that the mysterious operators behind the malicious infrastructure of “Operation Manul” and “Dark Caracal” are still alive and operational, willing to assist anyone who is willing to pay with offensive cyber operations.
Although not as capable, nor as practiced in operational security as some other offensive security companies, the group behind the infrastructure in these attacks seems to improve over time, adding several layers of security, valid certificates and other techniques to hinder detection and analysis of its operations.