Digitally Signed Bandook Trojan Reemerges in Global Spy Campaign

bandook trojan spy campaign

A strain of the 13-year old backdoor Bandook trojan has been spotted in an espionage campaign.

A wave of targeted cyberattack campaigns bent on espionage is cresting around the globe, using a strain of a 13-year old backdoor trojan named Bandook.

According to Check Point Research, Bandook was last spotted being used in 2015 and 2017/2018, in the “Operation Manul” and “Dark Caracal” campaigns, respectively. The malware then all but disappeared from the threat landscape – but it’s now having a resurgence.

According to the firm, dozens of digitally signed variants of this commodity malware are popping up in an unusually large variety of sectors and locations. Targeted entities include those in the government, financial, energy, food industry, healthcare, education, IT and legal sectors. And, they have been located in Chile, Cyprus, Germany, Indonesia, Italy, Singapore, Switzerland, Turkey and the U.S.

“This further reinforces a previous hypothesis that the malware is not developed in-house and used by a single entity, but is part of an offensive infrastructure sold by a third party to governments and threat actors worldwide, to facilitate offensive cyber-operations,” according to researchers at Check Point, in a recent posting.

Fresh Wave of Attacks

In these latest attacks, the malware arrives on targets’ computers in the form of a malicious Microsoft Word document delivered inside a .zip file. Check Point found that the themes of the documents revolve around cloud-based services like Office365, OneDrive and Azure – recipients are promised access to other documents if they click “Enable Content.”

“For example, one of the documents that specifically got our attention depicts an Office365 logo and a preview of a certificate issued by the government of Dubai,” researchers explained. “JAFZA – Jebel Ali Free Zone, featured at the top of the document, is an industrial area surrounding the port of Jebel Ali in Dubai, where more than 7,000 global companies are based.”

Once the document is opened, malicious macros download using the external template feature. An external template is downloaded via a URL shortening web service like TinyURL or Bitly, which redirects to another domain controlled by the attacker; the template itself is invisible to the victim.

The macros in turn load a second-stage payload: A PowerShell script encrypted inside the original Word document.

“The external template document contains a VBA code that runs automatically, decrypts the embedded data from the original lure document, and drops the decoded data into two files in the local user folder: fmx.ps1 (the next-stage PowerShell) and sdmc.jpg (base64 encoded PowerShell code),” explained Check Point researchers. “To allow this behavior, the attackers use a combination of two techniques: Encrypted data is embedded inside a shape object within the original document (hidden from view by a small font size and white foreground), and is accessed from the external template code.”

In each attack, after a certain amount of time, the attacker switches the malicious external template to a benign one, making the analysis of the infection chain more difficult, Check Point researchers noted.

First, the decoded PowerShell script downloads a .zip file containing four files from a cloud service such as Dropbox, Bitbucket or an S3 bucket, Check Point researchers explained. This is stored in the user’s Public folder, and the four files are locally extracted.

“Three of the files, a.png, b.png and untitled.png, are used by the PowerShell script to generate the malware payload in the same folder. Untitled.png, unlike the other two files, is in a valid image format,” researchers wrote. “It contains a hidden RC4 function encoded in the RGB values of the pixels, created using a known tool named invoke-PSImage.”

Finally, the PowerShell script executes the malware, opens draft.docx, and deletes all previous artifacts from the Public folder. Draft.docx is a benign document whose sole purpose is to convince the victim that nothing is amiss.

Finally, the PowerShell script downloads and executes the last stage of the infection, which is the Bandook backdoor itself.


Bandook is a fully featured RAT, written in both Delphi and C++, which was created in 2007 by a Lebanese individual nicknamed PrinceAli, according to Check Point. Over time, several variants of the malware builder were leaked to the web, and the malware became publicly available for download.

Bandook’s execution flow starts with a loader, written in Delphi, that uses process-hollowing to create an instance of an Internet Explorer process and then inject a malicious payload into it. The payload contacts the command-and-control server (C2), sends basic information about the infected machine, and waits for additional commands.

This particular variant of the Bandook malware however is not one of the ones whose builder was leaked to the web. While earlier versions supported a range of more than 100 commands, the new variant only supports 11, researchers said. These include taking screenshots, downloading and uploading files, executing Python and Java payloads and more.

Also, the communication protocol used with the C2 was also upgraded to use AES encryption (a feature not available in the public Bandook leaks), and valid Certum certificates were used to sign the Bandook malware executable.

In addition to the recent Bandook samples, Check Point also identified additional samples from 2019 to 2020 that were not digitally signed and contained about 120 commands.

“Several factors led us to believe that these signed and unsigned variants are specially crafted Bandook variants, used and developed by the same entity,” according to the report. “Both use the same domain registration services for their C2 domains: Porkbun or NameSilo; they share a similar method of communication, using the AES encryption algorithm in CFB mode, with a hardcoded IV: 0123456789123456….[and] they incorporated commands that we did not observe in any other public leak or report.”

It’s likely, according to Check Point, that the threat actors behind the malicious infrastructure used in Operation Manul and Dark Caracal are still operational, “willing to assist in the offensive cyber operations to anyone who is willing to pay.”

Researchers noted, “Although not as capable, nor as practiced in operational security like some other offensive security companies, the group behind the infrastructure in these attacks seems to improve over time, adding several layers of security, valid certificates and other techniques, to hinder detection and analysis of its operations.”

Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back. 

Get the latest from world-class security experts on new kinds of attacks, the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.


Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.