Bandidos, a Spying Campaign in Latin America Discovered

Eset Attack Overview
Share It On:

13th July 2021, Kathmandu

An active malicious campaign that utilizes a new version of old malware, Bandook; syping on victims discovered by ESET researchers.

An ongoing campaign targeting corporates networks at Venezeula was detected. When comparing the malware utilized in this campaign with what was previously documented, new functionality and new changes to the present malware, referred to as Bandook, were found. Researchers have found that the campaign targeting Venezuela, despite being active since a minimum of 2015, has somehow remained unrecorded. Researchers called this campaign Bandidos, given the malware used and since targeted the locale.

What is Bandook?

Bandook is an old remote access trojan: there are references thereto being available online as early as 2005, though its use by organized groups wasn’t documented until 2016. The report published that year by EFF, Operation Manual, describes the utilization of Bandook to focus on journalists and dissidents in Europe. Then in 2018, Lookout published its research uncovering other espionage campaigns that had different targets but used an equivalent infrastructure. They gave the name Dark Caracal to the group liable for the attacks. Finally, Check Point’s report in 2020 showed that the attackers began to use signed executables to focus on many verticals in various countries.

Previous reports have mentioned that the developers of Bandook could be developers for hire (also referred to as “malware as a service”), which is sensible given the varied campaigns with different targets seen through the years. We must note, however, that in 2021 we’ve seen just one active campaign: the one targeting Spanish-speaking countries that we document here.

Although we’ve seen quite 200 detections for the malware droppers in Venezuela in 2021, we’ve not identified a selected vertical targeted by this malicious campaign. According to our telemetry data, the most interests of the attackers are corporate networks in Venezuela; some in manufacturing companies, others in construction, healthcare, software services, and even retail. Given the capabilities of the malware and therefore the quiet information that’s exfiltrated, it looks like the most purpose of those Bandidos is to spy on their victims. Their targets and their method of approaching them are more almost like cybercrime operations than APT activities like Operation Manual.

How does it Operate:

The victim sectors are mostly construction, manufacturing, healthcare, and retail.

The attack bond begins with victims getting malicious emails with PDF attachments having shortened URLs, Redbrandly, or Bitly. The PDF file contains a link to download a compressed archive and therefore the password to extract it, hosted on SpiderOak, iCloud, and Google Cloud. Inside the archive, there’s an executable file: a dropper that injects Bandook into an online Explorer Process.

The latest of Bandook variants is available with 132 commands, 120 higher than the previously documented variant. This signifies that the attackers have improved the malware capabilities.

The main commands contain listing directory contents, taking screenshots, controlling the cursor on the infected machines, manipulating files, installing malicious DLLs, and others.

A new interesting feature of this malware is ChromeInject functionality. This goes for stealing the victims’ credentials. Once the communication with the C2 server is developed, the payload downloads a DLL file, which creates a malicious Chrome extension.

Then the malicious Chrome extension tries to obtain any credentials on the victims and storing them into Chrome’s local storage.

The figure below shows a summary of the attack chain:

                                                Figure 1 from ESET on attack overview

The figure below shows that the email containing the attachments are usually short.

Email Phishing OverviewThe two figures 3 and 4 given below are the examples of PDF used in this campaign, those are, actually stock images available online.

Web Attack OverviewPDF Attack OverviewThe PDF files have been used with different filenames that change between targets and the password for downloading the archive is 123456.

Conclusion:

Book, a RAT active since 2005 has its involvement in different espionage campaigns, already documented proves that it is still a relevant tool for cybercriminals. Also, considering the modification made to malware over the years signifies the keen interest of cybercriminals to keep using this piece of malware in the future. That’s why, protection against such threats should be done by organizations for which, updating and reviewing their security postures is recommended.


Share It On:

Recent Posts

B2B Summit 2025 in Pokhara: Boosting Nepal’s Tech Scene

B2B Summit 2025 in Pokhara: Boosting Nepal’s Tech Scene

Share It On:30th January 2025, Kathmandu CAN Federation Kaski Branch is set to organize the B2B Summit 2025 to promote

Brother Printer Sale 2025: Up to 50% Discount on Toner Box Series in Nepal

Brother Printer Sale 2025: Up to 50% Discount on Toner

Share It On:30th January 2025, Kathmandu Brother, one of the most popular printer brands in Nepal, has announced a special

Everest Bank Debenture Issue: NPR 3 Billion, 7.50% Interest, Public & Individual Investors, SEBON Approval

Everest Bank Debenture Issue: NPR 3 Billion, 7.50% Interest, Public

Share It On:29th January 2025, Kathmandu Nepal Securities Board (SEBON) has granted Everest Bank the approval to issue a debenture

Nepal Bank Housing Loan Scheme: Saral Awas Karja for Easy Homeownership with 6.63% Interest

Nepal Bank Housing Loan Scheme: Saral Awas Karja for Easy

Share It On:29th January 2025, Kathmandu Nepal Bank Limited, the first bank of Nepal, has launched a new housing loan

IME Life Insurance Q2 Earnings Report: 14% Profit Growth, Life Insurance Fund, Premium Collection

IME Life Insurance Q2 Earnings Report: 14% Profit Growth, Life

Share It On:29th January 2025, Kathmandu IME Life Insurance has made history as the first insurance company to release its

Global IME Laghubitta Q1 Earnings: 147% Growth, Improved NPLs, Increased Deposits – Microfinance Sector

Global IME Laghubitta Q1 Earnings: 147% Growth, Improved NPLs, Increased

Share It On:29th January 2025, Kathmandu Global IME Laghubitta has reported a significant profit increase of 147.57% in the first