

Check Point Research has identified new variants of the long-dormant Bandook spyware that are being used for espionage campaigns across the world.

Bandook is a commodity Trojan backdoor that researchers first discovered in 2007 but was last spotted in wide circulation in 2018, the security firm says in a new report. (Source: Check Point Research)

The malware is believed to have originated with the Lebanese General Security Directorate in Beirut, an intelligence agency. It has been linked to espionage attacks targeting journalists and political dissidents in the region, according to security firm Lookout.

The malware apparently was dormant for the last three years until Check Point researchers discovered new digitally signed Bandook versions earlier this year, the report notes. Since then, the malware has been used to target government, financial, energy, food industry, healthcare, education, IT and legal organizations in the U.S., Germany, Italy, Switzerland, Singapore, Cyprus, Chile and Indonesia, the researchers say.

"In the latest wave of attacks, we once again identified an unusually large variety of targeted sectors and locations," the report notes.

Now the same group is back with a new strain of Bandook that adds measures to thwart detection and analysis, per Check Point Research.

The Bandook RAT, commercially available since 2007, has all the capabilities typically associated with backdoors: it establishes contact with a remote command-and-control server and receives commands ranging from capturing screenshots to carrying out various file operations.

The operators behind the Bandook spyware use lure documents to get victims to open files that, once opened, fetch and run malicious macros.

The infection chain is a three-stage process. It begins with a lure Microsoft Word document (e.g. "Certified documents.docx") delivered inside a ZIP file; when the document is opened, it downloads malicious macros, which then drop and execute a second-stage PowerShell script stored encrypted inside the original Word document. In the last phase of the attack, this PowerShell script downloads encoded executable parts from cloud storage services such as Dropbox or Bitbucket and assembles them into the Bandook loader, which in turn injects the RAT into a newly created Internet Explorer process.
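As an added example that is not part of the original article or of Check Point's report, the following Python detection sketch looks for the three stages of the chain just described in Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records: an Office process spawning PowerShell, that PowerShell connecting to Dropbox or Bitbucket, and a descendant of that PowerShell launching a fresh Internet Explorer process. The event records, process IDs, hostnames and the `loader.exe` path are constructed for the example; the field names mirror Sysmon's but the input is a plain list of dictionaries, not live telemetry.

```python
"""Hunt for a Bandook-style three-stage chain in process/network telemetry.

Stage 1: an Office image (winword.exe, ...) spawns powershell.exe
Stage 2: that powershell.exe connects to a cloud-storage staging host
Stage 3: a descendant of that powershell.exe launches iexplore.exe
         (the loader's injection target, per the article)
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed indicator lists for the example; tune them to your environment.
CLOUD_STAGING_HOSTS = ("dropbox.com", "dropboxusercontent.com", "bitbucket.org")
OFFICE_IMAGES = ("winword.exe", "excel.exe", "powerpnt.exe")
INJECTION_TARGETS = ("iexplore.exe",)


@dataclass
class Chain:
    office_pid: int
    powershell_pid: int
    staging_hosts: List[str] = field(default_factory=list)
    injected_pid: Optional[int] = None

    @property
    def complete(self) -> bool:
        """True only when all three stages were observed."""
        return bool(self.staging_hosts) and self.injected_pid is not None


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_staging_host(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in CLOUD_STAGING_HOSTS)


def find_chains(events: List[dict]) -> List[Chain]:
    """Correlate process and network events into Office->PowerShell->IE chains."""
    proc: Dict[int, Tuple[str, int]] = {}   # pid -> (image name, parent pid)
    net: Dict[int, List[str]] = {}          # pid -> destination hostnames
    for ev in events:
        if ev["EventID"] == 1:
            proc[ev["ProcessId"]] = (basename(ev["Image"]), ev["ParentProcessId"])
        elif ev["EventID"] == 3:
            net.setdefault(ev["ProcessId"], []).append(ev["DestinationHostname"])

    def descends_from(pid: int, ancestor: int) -> bool:
        # Walk the parent chain; the seen-set guards against pid reuse loops.
        seen = set()
        while pid in proc and pid not in seen:
            seen.add(pid)
            parent = proc[pid][1]
            if parent == ancestor:
                return True
            pid = parent
        return False

    chains: List[Chain] = []
    for pid, (image, parent) in proc.items():
        # Stage 1: powershell.exe whose parent is an Office application
        if image != "powershell.exe" or parent not in proc:
            continue
        if proc[parent][0] not in OFFICE_IMAGES:
            continue
        chain = Chain(office_pid=parent, powershell_pid=pid)
        # Stage 2: outbound connections from that PowerShell to staging hosts
        chain.staging_hosts = [h for h in net.get(pid, []) if is_staging_host(h)]
        # Stage 3: iexplore.exe anywhere below that PowerShell in the tree
        for cpid, (cimage, _) in proc.items():
            if cimage in INJECTION_TARGETS and descends_from(cpid, pid):
                chain.injected_pid = cpid
                break
        chains.append(chain)
    return chains


# Constructed sample telemetry (not real events). One malicious chain plus two
# benign look-alikes: IE started from explorer.exe, and a developer's PowerShell
# session (parent explorer.exe) that legitimately talks to bitbucket.org.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\explorer.exe", "ParentProcessId": 900},
    {"EventID": 1, "ProcessId": 5000, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "ParentProcessId": 4120},
    {"EventID": 1, "ProcessId": 5100, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentProcessId": 5000},
    {"EventID": 3, "ProcessId": 5100, "DestinationHostname": "dl.dropboxusercontent.com"},
    {"EventID": 3, "ProcessId": 5100, "DestinationHostname": "bitbucket.org"},
    {"EventID": 1, "ProcessId": 5200, "Image": r"C:\Users\victim\AppData\Local\Temp\loader.exe", "ParentProcessId": 5100},  # hypothetical loader path
    {"EventID": 1, "ProcessId": 5300, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe", "ParentProcessId": 5200},
    {"EventID": 1, "ProcessId": 6000, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe", "ParentProcessId": 4120},
    {"EventID": 1, "ProcessId": 6100, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentProcessId": 4120},
    {"EventID": 3, "ProcessId": 6100, "DestinationHostname": "bitbucket.org"},
]

if __name__ == "__main__":
    for c in find_chains(SAMPLE_EVENTS):
        status = "COMPLETE" if c.complete else "partial"
        print(f"[{status}] winword pid={c.office_pid} -> powershell pid={c.powershell_pid} "
              f"staging={c.staging_hosts} iexplore pid={c.injected_pid}")
```

The point of anchoring on the Office-to-PowerShell parent relationship is that neither stage 2 nor stage 3 is suspicious on its own: developers pull from Bitbucket with PowerShell, and users start Internet Explorer from the shell. Requiring the lineage to originate in an Office process (stage 1) and then scoring how many later stages appear below it keeps a single alert per document while still surfacing partial chains, which is useful when the network sensor or the loader's child process is missing from the logs.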
