A full-fledged version with 120 commands (not signed).
There are three variants that are currently available: It is also found that valid Certum certificates were used to sign the Bandook malware executable.
The payload contacts the C&C sever, sends basic information about the infected machine, and waits for additional commands from the server. The final payload is a variant of Bandook which starts with a loader to create a new instance of an Internet Explorer process and inject a malicious payload into it. The document as seen post infection: Stage 3 – Bandook Loader untitled.png file is actually a valid image which contains a hidden RC4 function encoded in the RGB values of the pixels, created using a known tool named invoke-PSImage.įinally, the PowerShell script executes the malware, opens draft.docx, and deletes all previous artifacts from the Public folder.ĭraft.docx is a benign document that convinces the victim that the document is no longer available and that the overall execution was successful. The 3 files a.png, b.png and untitled.png generates the malware payload. The zip file is stored in the user’s Public folder, and the four files are locally extracted. Now, the decoded PowerShell script downloads a zip file containing four files from a cloud service such as Dropbox, Bitbucket or an S3 bucket. This external template is downloaded via a URL shortening web service and it redirects to another domain which is controlled by the attacker, wherein the VBA code runs automatically, decrypts the embedded data from the original lure document, and drops the decoded data into two files in the local user folder: fmx.ps1 and sdmc.jpgĪfter the 1 st stage, the fmx.ps1 and sdmc.jpg calls in fmx.ps1 which is a short PowerShell script that decodes and executes a base64 encoded PowerShell stored in sdmc.jpg. The targeted Microsoft Word document is consists of an encrypted malicious script data and an external template that points to a document containing malicious VBA macros. The malware chain can be described in about 3 stages as described in the below picture: Infection Chain Stage 1 – Lure Documents Not tourist locations, but the targeted countries.Ĭonsidering that a wide array of sectors and countries have been targeted, it is suspected that the malware is not developed by a single entity but by an offensive infrastructure and is being sold to governments and threat actors world-wide. Singapore, Cyprus, Chile, Italy, USA, Turkey, Switzerland, Indonesia and Germany.
0 kommentar(er)
