A cyberespionage group with suspected ties to the Kazakh and Lebanese governments has unleashed a new wave of attacks against a multitude of industries with a retooled version of a 13-year-old Windows backdoor Trojan Bandook targetting government, financial, energy, food industry, healthcare, education, IT, and legal institutions
This group, which has operated at least since 2012, has been linked to the Lebanese General Directorate of General Security (GDGS), deeming it a nation-state level advanced persistent threat.
Now the same group is back at it with a new strain of Bandook, with added efforts to thwart detection and analysis, hosting various espionage campaign
A Three-Stage Infection Chain
The infection chain is a three-stage process that begins with a lure Microsoft Word document (e.g. “Certified documents.docx”) delivered inside a ZIP file that, when opened, downloads malicious macros, which subsequently proceeds to drop and execute a second-stage PowerShell script encrypted inside the original Word document.
In the last phase of the attack, this PowerShell script is used to download encoded executable parts from cloud storage services like Dropbox or Bitbucket in order to assemble the Bandook loader, which then takes the responsibility of injecting the RAT into a new Internet Explorer process.
The Bandook RAT — commercially available starting in 2007 — comes with all the capabilities typically associated with backdoors in that it establishes contact with a remotely-controlled server to receive additional commands ranging from capturing screenshots to carrying out various file-related operations. Earlier version supports nearly 120 commands.. Refurbished one supports only the 11 commands
Full-fledged digitally-signed and unsigned variants are the two new samples found by researchers which will improve over time and grow as Sophisticate Malware