Bandook malware had all but disappeared from the threat landscape and had not been seen since 2017, but now has returned with some modifications. A threat actor group that has been in operation since 2012 and is linked to the Lebanese General Directorate of General Security (GDGS) is believed to be behind the campaign. The group, named Dark Caracal, had a wide variety of targets including government, financial, energy, food industry, healthcare, education, IT, and legal institutions located in Chile, Cyprus, Germany, Indonesia, Italy, Singapore, Switzerland, Turkey, and the US. The group’s attack chain is a three-step process. Like many other attacks, it starts with a malicious Word document delivered inside a zip file. Once opened, malicious macros are downloaded using the external template feature. A PowerShell script encrypted inside the original document is decrypted and executed by the macros in the template, which downloads and executes the Bandook backdoor. Although the malware is dated, the actors have added layers of security, valid certificates, and other techniques to avoid detection.
Analyst Notes
In addition to all the new malware threats that have appeared in 2020, old attacks are resurfacing, and they are more advanced and harder to detect. In order to protect organizations, employees should always be reminded that attacks generally come from phishing emails and start at the user level. Organizations should ensure systems are updated with the latest security patches and that Multi Factor Authentication (MFA) is deployed and enforced so that stolen or weak passwords cannot be leveraged by attackers. Then, position security event monitoring solutions to give analysts the information they need to quickly detect and respond to threats that make it past other security controls. A 24/7 Security Operations Center is necessary to respond in time to stop threats that can strike at any time and which often operate on evenings and weekends.
Sources:
• https://thehackernews.com/2020/11/digitally-signed-bandook-malware-once.html
• https://research.checkpoint.com/2020/bandook-signed-delivered/
