Bandook RAT Overview
Security researchers have recently observed a new variant of the Remote Access Trojan (RAT) called Bandook spreading via phishing attacks aimed at compromising the Windows operating system, a phenomenon that underscores the evolving nature of malware.
Fortinet FortiGuard Labs discovered this activity in October 2023, noting that the malware was distributed via a PDF file containing an embedded link to a password-protected .7z archive.
"After the victim decompresses the malware using the password provided in the PDF file, the software injects its load into msinfo32.exe," said security researcher Peihan Liao.
Originally discovered in 2007, Bandook is a full-fledged malware with numerous features that enable it to remotely control infected systems.
In July 2021, the Slovak cybersecurity company ESET detailed a cyber-espionage campaign that used an upgraded Bandook variant to penetrate corporate networks in Spanish-speaking countries such as Venezuela.
The latest Bandook RAT attack
The latest attack sequence begins with an injection component designed to decrypt and load the payload into msinfo32.exe, a legitimate Windows system file used to gather system information and help diagnose computer problems.
Not only does the malware ensure persistence on infected hosts by modifying the Windows registry, it also establishes a connection with a command and control (C2) server to obtain additional payloads and execute commands.
Peihan Liao added, "These behaviors can be broadly categorized as file manipulation, registry manipulation, downloading, stealing information, executing files, calling functions in dynamic link libraries (DLLs) from C2 servers, controlling the victim's computer, ending processes, and uninstalling malware."
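As an added defender-side example (not from the article or from FortiGuard's report), the following Python hunts through constructed Sysmon-style telemetry for the two behaviours the article attributes to Bandook: an outbound connection from msinfo32.exe and an autorun registry write by it. The Sysmon event IDs, the Run-key location and the baseline assumption that msinfo32.exe is normally silent on the network are assumptions for illustration, not details from the page.

```python
"""Hunting heuristic for the msinfo32.exe abuse described in the article.

Sample events below are constructed, not real telemetry. Assumptions:
  - msinfo32.exe normally makes no outbound network connections
  - msinfo32.exe normally does not write autorun registry values
Validate both against your own environment's baseline before alerting.
"""
import re
from dataclasses import dataclass

# Sysmon event IDs used here: 3 = network connection, 13 = registry value set
EVENT_NETWORK = 3
EVENT_REGISTRY_SET = 13

# Common autorun locations (assumption: the article does not name the key Bandook modifies)
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)


@dataclass
class Event:
    event_id: int
    image: str
    detail: str  # destination for network events, target object for registry events


def is_msinfo32(image: str) -> bool:
    return image.lower().endswith("\\msinfo32.exe")


def find_suspicious(events):
    """Return (reason, event) pairs for msinfo32.exe behaviour outside the baseline."""
    hits = []
    for ev in events:
        if not is_msinfo32(ev.image):
            continue
        if ev.event_id == EVENT_NETWORK:
            hits.append(("msinfo32.exe outbound connection", ev))
        elif ev.event_id == EVENT_REGISTRY_SET and AUTORUN_KEY.search(ev.detail):
            hits.append(("msinfo32.exe wrote autorun key", ev))
    return hits


# Constructed sample telemetry (documentation IP range, placeholder SID)
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\msinfo32.exe", "parent=explorer.exe"),
    Event(3, r"C:\Windows\System32\msinfo32.exe", "203.0.113.10:443"),
    Event(13, r"C:\Windows\System32\msinfo32.exe",
          r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event(13, r"C:\Windows\System32\msinfo32.exe",
          r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"),
    Event(3, r"C:\Program Files\Mozilla Firefox\firefox.exe", "198.51.100.5:443"),
]

if __name__ == "__main__":
    for reason, ev in find_suspicious(SAMPLE_EVENTS):
        print(f"[ALERT] {reason}: {ev.image} -> {ev.detail}")
```

Run against the constructed events, the script flags the network connection and the Run-key write while ignoring the benign registry change and the browser's connection.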
Original article by Chief Security Officer, if reproduced, please credit https://cncso.com/en/bandook-rat-variant-targets-windows-system-security-in-attack-html