Bandook malware had all but disappeared from the threat landscape and had not been seen since 2017, but now has returned with some modifications. A threat actor group that has been in operation since 2012 and is linked to the Lebanese General Directorate of General Security (GDGS) is believed to be behind the campaign. The group, named Dark Caracal, had a wide variety of targets including government, financial, energy, food industry, healthcare, education, IT, and legal institutions located in Chile, Cyprus, Germany, Indonesia, Italy, Singapore, Switzerland, Turkey, and the US. The group’s attack chain is a three-step process. Like many other attacks, it starts with a malicious Word document delivered inside a zip file. Once opened, malicious macros are downloaded using the external template feature. A PowerShell script encrypted inside the original document is decrypted and executed by the macros in the template, which downloads and executes the Bandook backdoor. Although the malware is dated, the actors have added layers of security, valid certificates, and other techniques to avoid detection.
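The delivery chain above (a Word document inside a zip that pulls its macros from an external template) leaves a static artifact: an attachedTemplate relationship with TargetMode="External" in the document's settings relationships. The following is an added detection example, not code from the report or the actors' tooling; the archive layout, member names and template URL are constructed samples.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
OOXML_EXTS = (".docx", ".docm", ".dotx", ".dotm")


def external_template_targets(docx_bytes):
    """Return external attachedTemplate URLs from word/_rels/settings.xml.rels."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/_rels/settings.xml.rels" not in z.namelist():
            return hits  # no template relationships at all: nothing to flag
        root = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            # A locally attached template has no TargetMode; only remote ones are of interest.
            if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                hits.append(rel.get("Target"))
    return hits


def scan_archive(zip_bytes):
    """Scan each Word member of a delivery archive; map member name -> external template URLs."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for name in outer.namelist():
            if name.lower().endswith(OOXML_EXTS):
                targets = external_template_targets(outer.read(name))
                if targets:
                    findings[name] = targets
    return findings


def build_docx(rels_xml=None):
    """Constructed minimal .docx-shaped zip for testing (not a real lure document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if rels_xml is not None:
            z.writestr("word/_rels/settings.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed samples: one clean document, one that loads a remote template.
SAMPLE_URL = "http://template.example.invalid/t.dotm"  # placeholder, not an indicator
BENIGN_DOCX = build_docx()
SUSPECT_DOCX = build_docx(
    f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
    f'Target="{SAMPLE_URL}" TargetMode="External"/></Relationships>')
_outer = io.BytesIO()
with zipfile.ZipFile(_outer, "w") as _z:
    _z.writestr("invoice.docx", SUSPECT_DOCX)
    _z.writestr("notes.docx", BENIGN_DOCX)
LURE_ZIP = _outer.getvalue()
```

A hit only says the document fetches a template over the network; triage the destination and the template's macros before treating it as the Bandook loader.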