Nov 6, 2021
101 Views
0 0

Bandidos at large: A spying campaign in Latin America

Written by

ESET Research uncovers an active malicious campaign that uses new versions of old malware, Bandook, to spy on its victims
In 2021 we detected an ongoing campaign targeting corporate networks in Spanish-speaking countries, with 90% of the detections in Venezuela. When comparing the malware used in this campaign with what was previously documented, we found new functionality and changes to this malware, known as Bandook. We also found that this campaign targeting Venezuela, despite being active since at least 2015, has somehow remained undocumented. Given the malware used and the targeted locale, we chose to name this campaign Bandidos.
Bandook is an old remote access trojan: there are references to it being available online as early as 2005, though its use by organized groups was not documented until 2016. The report published that year by EFF, Operation Manul, describes the use of Bandook to target journalists and dissidents in Europe. Then in 2018, Lookout published its research uncovering other espionage campaigns that had different targets but used the same infrastructumre. They gave the name Dark Caracal to the group responsible for the attacks. Finally, Check Point’s report in 2020 showed that the attackers started to use signed executables to target many verticals in various countries.
Previous reports have mentioned that the developers of Bandook might be developers for hire (also known as “malware as a service”), which makes sense given the various campaigns with different targets seen through the years. We must note, however, that in 2021 we have seen only one active campaign: the one targeting Spanish-speaking countries that we document here.
Although we have seen more than 200 detections for the malware droppers in Venezuela in 2021, we have not identified a specific vertical targeted by this malicious campaign. According to our telemetry data, the main interests of the attackers are corporate networks in Venezuela; some in manufacturing companies, others in construction, healthcare, software services, and even retail. Given the capabilities of the malware and the kind of information that is exfiltrated, it seems like the main purpose of these Bandidos is to spy on their victims. Their targets and their method of approaching them is more similar to cybercrime operations than to APT activities such as Operation Manul.
Malicious emails with a PDF attachment are sent to targets. The PDF file contains a link to download a compressed archive and the password to extract it. Inside the archive there is an executable file: a dropper that injects Bandook into an Internet Explorer process. Figure 1 provides an overview of this attack chain.
Figure 1. Overview of a typical attack
Emails that contain these attachments are usually short; one example is shown in Figure 2. The phone number at the bottom of the message is a mobile number in Venezuela, though it is unlikely to be related to the attackers.
Figure 2. Example of a malicious email
The attackers use URL shorteners such as Rebrandly or Bitly in their PDF attachments. The shortened URLs redirect to cloud storage services such as Google Cloud Storage, SpiderOak, or pCloud, from where the malware is downloaded.
Figure 3 and Figure 4 are examples of PDFs used in this campaign. The images used in the PDFs are stock images available online.
Figure 3. Example of a malicious PDF file
Figure 4. Another PDF file used for social engineering
The content of the PDF files is generic and has been used with various filenames that change between targets. The password for the downloaded archive is 123456.
For a list of URLs used to download the malware please refer to the section Indicators of Compromise (IoCs).
Bandook is hybrid Delphi/C++ malware. The dropper is coded in Delphi and is easily recognizable because it stores the payload encrypted and base64 encoded in the resource section of the file. The main purpose of the dropper is to decode, decrypt and run the payload and to make sure that the malware persists in a compromised system. The encryption algorithm was CAST-256 in samples from previous years of this campaign, but changed to GOST in 2021.
When the dropper is executed, it creates four instances of iexplore.exe, where the payload will be injected via process hollowing. Then four entries are created in the Windows registry in HKCUSoftwareMicrosoftWindowsCurrentVersion. The names of the registry keys are based on the process ID (PID) of each of these newly created processes and the values are base64 encoded and contain the path to the dropper, a number to identify different actions, which will be explained later, and another value that isn’t used in the samples that we analyzed. The created keys are shown in Figure 5, along with an example of a decoded value.
Figure 5. Registry keys created by the dropper with an example of a stored value (decoded)
Samples from other campaigns follow the same logic, but they use other encryption algorithms.
When the payload is injected inside the iexplore.exe processes, it will start loading global variables used for various purposes:
Once the payload has finished loading the global variables, it will continue its execution obtaining its injected process’s PID. This PID is used to obtain the base64-encoded data created by the dropper, mentioned above. Once the data is retrieved, the payload will decode it and get the action identifier (see Figure 5) value from it. This value indicates the action it must perform.
Depending on the obtained value, the payload is capable of performing four different actions.
If the value is 0:
If the value is 1:
If the value is 2:
If the value is 3:
Figure 6 depicts a decompilation of this payload-handling code.
Figure 6. Payload logic to execute different actions regarding the value obtained from the registry
Two DLLs can be downloaded from the first action mentioned above or during communication with the C&C server, and they are named dec.dll and dep.dll (the internal name for the first one is capmodule.dll).
dec.dll has a set of functions that enable spying on the victim’s machine. Some of these functions are capable of dropping a malicious Google Chrome extension, and of stealing information from a USB Drive. Meanwhile, dep.dll, which we weren’t able to obtain, has a set of functions that seem to be related to handling files in various formats:
Figure 7 shows part of the decompiled code that loads dec.dll into memory. Figure 8 shows the code related to dep.dll.
Figure 7. Dynamic load of dec.dll into memory
Figure 8. Dynamic load of dep.dll into memory
The payload achieves persistence on the victim’s machine by copying the dropper into a new folder, created by the payload at a path of the form:
%APPDATA%<RANDOM_STRING><RANDOM_STRING>.exe
Both the persisted dropper and the folder use the same name, which is a random string generated by the payload. The screenshot in Figure 9 shows the registry value created by the payload to maintain persistence.
Figure 9. Malware persistence in the registry
We have also detected other values created by the payload in the Windows registry keys related with its behavior, like: the name used for persistence, a random number used as an ID to identify the victim’s machine, possible filenames (these files can be downloaded by the payload or created by itself), and infection date, among other things.
Table 1 contains the registry entries created by the payload during our analysis, with a brief description of them.
Table 1. Registry entries created by one of the analyzed Bandook samples
Other registry locations that can be used to achieve persistence on the victim’s machine are:
The communication begins by obtaining the IP address from a domain (d2.ngobmc[.]com) located in the global variables and then establishing a TCP connection to that address with a four-digit port number that changes according to the campaign. Once the payload establishes this connection, it sends basic information from the victim’s machine, like computer name, username, OS version, infection date, and malware version.
After that, the payload will maintain active communication with the C&C server, waiting for commands to execute.
In many cases the information sent to the C&C server is going to be encrypted using the algorithm AES in CFB mode with the key HuZ82K83ad392jVBhr2Au383Pud82AuF, but in other cases the information is sent as cleartext.
The following is an example of the basic information to be exfiltrated to the C&C server, before it is encrypted:

!O12HYV~!2870~!0.0.0.0~!Computer~!Administrator~!Ten~!0d 14h 2m~!0~!5.2~!FB2021~!0~!0~!0~!0~!~!0~!0–~!None~!0~!5/5/2021~!

Of particular interest are the fields:
Figure 10 and Figure 11 are Wireshark screenshots displaying two different examples of encrypted and cleartext transmission of information sent to the C&C server.
Figure 10. Traffic capture with encrypted information sent to the C&C server
Figure 11. Traffic capture with cleartext information sent to the C&C server
Regarding the commands that the payload is capable of processing, we found that this sample has 132 commands, although some of these have very similar behaviors. These commands use the following pattern: @<ID> – for example, @0001 – except for the *DJDSR^ command. Depending on the received command, the payload is capable of performing the following actions:
Here is a list of what dec.dll is capable of doing on the victim’s machine:
When the communication with the C&C server is established, as we mentioned above, the payload downloads dec.dll. We conducted an analysis of one of the most interesting exported methods, named ChromeInject.
This method creates a malicious Chrome extension, by:
This malicious extension tries to retrieve any credentials that the victim submits to a URL by reading the values inside the form tag before they are sent. These credentials are stored in Chrome’s local storage with the key batata13 and their corresponding URL, where the credentials are sent, with the key batata14. This information is exfiltrated to a different URL located in the global variables of the payload. In our sample this URL was:
https://pronews[.]icu/gtwwfggg/get.php?action=gc1
Figure 12 shows the installed malicious Chrome extension.
Figure 12. Malicious extension created by the malware
Figure 13 and Figure 14 are screenshots respectively displaying the Manifest.json and the Main.js (deobfuscated) source code.
Figure 13. Manifest file of the malicious extension
Figure 14. Main.js file with malicious code deobfuscated
We compared the behavior of our analyzed sample against other posts and documented campaigns like Operation Manul and Dark Caracal and there are some similarities, like:
We also found some differences, showing changes to the malware over the years, like:
Bandook is a RAT active since 2005. Its involvement in different espionage campaigns, already documented, shows us that it is still a relevant tool for cybercriminals. Also, if we consider the modifications made to the malware over the years, it shows us the interest of cybercriminals to keep using this piece of malware in malicious campaigns, making it more sophisticated and more difficult to detect.
Although there are few documented campaigns in Latin America, such as Machete or Operation Spalax, Venezuela is a country that, due to its geopolitical situation, is a likely target for cyberespionage.
A full and comprehensive list of Indicators of Compromise (IoCs) and samples can be found in our GitHub repository.
For any inquiries, or to make sample submissions related to the subject, contact us at threatintel@eset.com.
d1.ngobmc[.]com:7891 – 194.5.250[.]103
d2.ngobmc[.]com:7892 – 194.5.250[.]103
r2.panjo[.]club:7892 – 45.142.214[.]31
pronews[.]icu – 194.36.190[.]73
ladvsa[.]club – 45.142.213[.]108
https://rebrand[.]ly/lista-de-precios-2021
https://rebrand[.]ly/lista-de-precios-01
https://rebrand[.]ly/Lista-de-Precios
https://rebrand[.]ly/lista-de-precios-actualizada
https://rebrand[.]ly/Lista-de-precio-1-actualizada
https://rebrand[.]ly/Lista-de-precios-2-actualizada
https://rebrand[.]ly/Precios-Actualizados
https://rebrand[.]ly/recibo-de-pago-mes-03
https://rebrand[.]ly/Factura-001561493
https://rebrand[.]ly/Comunicado_Enero
https://rebrand[.]ly/Comunicado-23943983
https://rebrand[.]ly/Cotizacion-de-productos
https://rebrand[.]ly/informacion_bonos_productividad
https://rebrand[.]ly/aviso-de-cobro
https://bit[.]ly/lista-de-precios2
http://bit[.]ly/2yftKk3
https://bitly[.]com/v-coti_cion03
https://spideroak[.]com/storage/OVPXG4DJMRSXE33BNNPWC5LUN5PTMMZXG4ZTM/shared/1759328-1-1050/Cotizacion nuevas.rar?ad16ce86ca4bb1ff6ff0a7172faf2e05
https://spideroak[.]com/storage/OVPXG4DJMRSXE33BNNPWC5LUN5PTMMRSHA4DA/shared/1744230-1-1028/Lista%20de%20Precios.rar?cd05638af8e76da97e66f1bb77d353eb
https://filedn[.]com/lpBkXnHaBUPzXwEpUriDSr4/Lista_de_precios.rar
https://filedn[.]com/l9nI3nYhBEH5QqSeMUzzhMb/Facturas/Lista_de_Precios.rar
d1.p2020[.]club:5670
d2.p2020[.]club:5671
s1.fikofiko[.]top:5672
s2.fikofiko[.]top:5673
s3.fikofiko[.]top:5674
s1.megawoc[.]com:7891
s2.megawoc[.]com:7892
s3.megawoc[.]com:7893
hellofromtheotherside[.]club:6792
medialog[.]top:3806
nahlabahla.hopto[.]org:9005
dianaojeil.hopto[.]org:8021
nathashadarin.hopto[.]org:8022
laraasaker.hopto[.]org:5553
mayataboush.hopto[.]org:5552
jhonny1.hopto[.]org:7401
j2.premiumdns[.]top:7402
j3.newoneok[.]top:9903
p2020[.]xyz
vdsm[.]xyz
www.blueberry2017[.]com
www.watermelon2017[.]com
www.orange2017[.]com
dbclave[.]info
panel.newoneok[.]top
Note: This table was built using version 9 of the MITRE ATT&CK framework.

source

Article Categories:
Malware

Comments are closed.