
Bandook Remote Access Trojan

Bandook is a 13-year-old RAT and info-stealer with links to nation-state threat actors that has been identified in a new wave of attacks against organisations in a wide variety of industries across the world.




Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

First observed in 2007, Bandook is a remote access trojan with a focus on information extraction and espionage operations. It has been used in attacks against education, energy, finance, government, healthcare, and legal organisations worldwide.

Despite appearing in the Operation Manul and Dark Caracal malware campaigns in 2015 and 2017 respectively, Bandook was believed to have disappeared before its most recent spate of attacks.


Delivery

Modern Bandook infections begin with a malicious Microsoft Office document contained within a ZIP archive, itself delivered via phishing email. When opened, several macros are downloaded and executed using external templates. These macros then drop and execute a PowerShell script embedded in the original document, which in turn downloads a preliminary loader contained in a secondary decoy document.

Once executed, the Delphi-based loader then reaches out to an attacker-controlled file repository to grab a Bandook binary, which it then injects into a new Internet Explorer process.
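As an added example (not part of the NHS Digital advisory), the following Python checks constructed, Sysmon-style process-creation records for two stages of the delivery chain described above: an Office application spawning PowerShell, and Internet Explorer being launched by a parent other than the usual shell. The event fields, file names and paths are assumptions made for the example.

```python
"""Flag stages of the Bandook delivery chain in process-creation telemetry.

Two patterns are checked, both taken from the chain described above:
  1. an Office application spawning PowerShell (macro -> embedded script)
  2. iexplore.exe launched by an unexpected parent (loader -> injected IE process)
All sample events below are constructed for this example, not real logs.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
EXPECTED_IE_PARENTS = {"explorer.exe", "iexplore.exe"}  # normal launchers of IE


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str


def basename(path: str) -> str:
    """Return the lowercase file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a rule name if the event matches a chain stage, else None."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        return "office_spawns_powershell"
    if child == "iexplore.exe" and parent not in EXPECTED_IE_PARENTS:
        return "iexplore_from_unexpected_parent"
    return None


def scan(events: List[ProcEvent]) -> List[Tuple[str, ProcEvent]]:
    """Return (rule, event) pairs for every event that matches a rule."""
    return [(rule, ev) for ev in events if (rule := classify(ev))]


# Constructed telemetry: a benign Word launch, then the two suspicious stages.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", OFFICE, '"WINWORD.EXE" invoice.docx'),
    ProcEvent(OFFICE, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Users\user\AppData\Local\Temp\stage.ps1"),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\loader.exe",  # hypothetical loader name
              r"C:\Program Files\Internet Explorer\iexplore.exe", '"iexplore.exe"'),
]

if __name__ == "__main__":
    for rule, ev in scan(SAMPLE_EVENTS):
        print(f"{rule}: {basename(ev.parent_image)} -> {basename(ev.image)}")
```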


Activities

Once installed, Bandook will immediately connect to a command and control server, where it will send collected system information and await further commands. All observed Bandook variants are able to:

  • execute shell scripts
  • get public network information
  • take screenshots
  • move, edit, delete, download, and execute files

Interestingly, all Bandook variants supported more than 100 unique commands before March 2019, when a leak of its builder was followed by the release of a new version with only 11 commands. All variants since have been based on this stripped-down version.


Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that the NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.


Indicators of compromise

Network indicators

Domains

Host indicators

SHA256 hashes


Last edited: 3 December 2020 3:26 pm