New Bandook RAT Variant Resurfaces, Targeting Windows Machines

We Keep you Connected

New Bandook RAT Variant Resurfaces, Targeting Windows Machines

A new variant of a remote access trojan called Bandook has been observed being propagated via phishing attacks with an aim to infiltrate Windows machines, underscoring the continuous evolution of the malware.
Fortinet FortiGuard Labs, which identified the activity in October 2023, said the malware is distributed via a PDF file that embeds a link to a password-protected .7z archive.
“After the victim extracts the malware with the password in the PDF file, the malware injects its payload into msinfo32.exe,” security researcher Pei Han Liao said.
Bandook, first detected in 2007, is an off-the-shelf malware that comes with a wide range of features to remotely gain control of the infected systems.
In July 2021, Slovak cybersecurity firm ESET detailed a cyber espionage campaign that leveraged an upgraded variant of Bandook to breach corporate networks in Spanish-speaking countries such as Venezuela.
The starting point of the latest attack sequence is an injector component that’s designed to decrypt and load the payload into msinfo32.exe, a legitimate Windows binary that gathers system information to diagnose computer issues.
The malware, besides making Windows Registry changes to establish persistence on the compromised host, establishes contact with a command-and-control (C2) server to retrieve additional payloads and instructions.
“These actions can be roughly categorized as file manipulation, registry manipulation, download, information stealing, file execution, invocation of functions in DLLs from the C2, controlling the victim’s computer, process killing, and uninstalling the malware,” Han Liao said.
The Ultimate Enterprise Browser Checklist
Download a Concrete and Actionable Checklist for Finding a Browser Security Platform.
Firewalls and VPNs are no longer enough. Explore Zero Trust Security to protect your data.
Get hands-on with advanced tools designed to detect and block privilege escalation attempts.
Sign up for free and start receiving your daily dose of cybersecurity news, insights and tips.

source

GET THE LATEST UPDATES, OFFERS, INFORMATION & MORE