This brand new type of malware is out to target Windows machines, so watch out

News
By Sead Fadilpašić
published

Bandook is back with a vengance, so be on the lookout

A white padlock on a dark digital background.
(Image credit: Shutterstock.com)

Cybersecurity researchers have discovered a new piece of malware targeting Windows devices, so be on the lookout.

Experts from Fortinet’s FortiGuard Labs claim to have found a previously undetected version of a remote access trojan called Bandook. 

This malware was first spotted in 2007, TheHackerNews reports, when it was described as an “off-the-shelf malware with a wide range of features.” The end goal was always the same, though - to grant the operators remote access to infected endpoints.

Reader Offer: Save up to 68% on Aura identity theft protection

Reader Offer: Save up to 68% on Aura identity theft protection
TechRadar editors praise Aura's upfront pricing and simplicity. Aura also includes a password manager, VPN, and antivirus to make its security solution an even more compelling deal. Save up to 50% today. 

 Preferred partner (What does this mean?) 

View Deal

Bandook akimbo

The latest version was seen being distributed via phishing emails. Apparently, the attackers are sending out malicious PDF files that embed a link to a password-protected .7z archive.

"After the victim extracts the malware with the password in the PDF file, the malware injects its payload into msinfo32.exe," explained security researcher Pei Han Liao. Msinfo32 is a legitimate windows binary tasked with gathering system information. It is generally used to diagnose different computer issues.

Bandook, however, changes the Windows Registry to establish persistence, and then reaches out to its command-and-control (C2) server to ask for further instructions. Usually, the instructions include a stage-two payload which grant full access to the attackers.

"These actions can be roughly categorized as file manipulation, registry manipulation, download, information stealing, file execution, invocation of functions in DLLs from the C2, controlling the victim's computer, process killing, and uninstalling the malware," Han Liao concluded.

Bandook, apparently named after the word for “gun” in Hindi, has been disappearing and reappearing throughout the years. In 2020, Checkpoint’s researchers found “dozens of digitally signed variants of this once commodity malware,” adding that there’s been an “unusually large variety of targeted sectors and locations.”

“In the latest wave of attacks, we once again identified an unusually large variety of targeted sectors and locations. This further reinforces a previous hypothesis that the malware is not developed in-house and used by a single entity, but is part of an offensive infrastructure sold by a third party to governments and threat actors worldwide, to facilitate offensive cyber operations,” the researchers said at the time. 

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.