URL: https://www.fortinet.com/blog/threat-research/bandook-persistent-threat-that-keeps-evolving
FortiGuard Labs Threat Research


BANDOOK - A PERSISTENT THREAT THAT KEEPS EVOLVING

By Pei Han Liao | December 21, 2023

Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: Remote attackers gain control of the infected systems
Severity Level: Critical

Bandook malware is a remote access trojan that has been continuously developed
since it was first detected in 2007. It has been used in various campaigns by
different threat actors over the years. FortiGuard Labs identified a new Bandook
variant being distributed via a PDF file this past October. This PDF file
contains a shortened URL that downloads a password-protected .7z file. After the
victim extracts the malware with the password in the PDF file, the malware
injects its payload into msinfo32.exe. In this article, we will briefly
introduce Bandook’s behavior, provide detailed information about the modified
elements of this new variant, and share some examples of the mechanism of its C2
communication.


INJECTOR

The injector component decrypts the payload in the resource table and injects it
into msinfo32.exe.

Before the injection, a registry key is created to control the behavior of the
payload. The key name is the PID of msinfo32.exe, and the value contains the
control code for the payload. Once executed with any argument, Bandook creates a
registry key containing another control code that enables its payload to
establish persistence, and it then injects the payload into a new process of
msinfo32.exe. There are two registry keys, shown in Figure 1.


Figure 1: The registry keys written by Bandook.

A variant reported in 2021 required four control codes and created four
explorer.exe processes to inject into in a single execution. This new variant
uses fewer control codes and divides its tasks more precisely.


PAYLOAD


Figure 2: The execution flow of the payload.

Figure 2 gives an overview of the payload. Once injected, the payload
initializes strings for registry key names, flags, API names, and so on. It
then uses the PID of the injected msinfo32.exe to find the registry key,
decodes and parses the key value, and performs the task specified by the
control code. Figure 3 shows the relationship between the key value and the
payload’s behavior. The control codes play the same role as in previous
variants, but strings are used instead of numbers.


Figure 3: Relationship between key value, command line, and payload.

The variant we found in October 2023 has two additional control codes, but its
injector doesn’t create registry keys for them. One asks the payload to load
fcd.dll, which is downloaded by another injected process, and to call
fcd.dll’s Init function. The other establishes persistence and executes
Bandook’s copy.

These unused control codes have been removed from even newer variants
(430b9e91a0936978757eb8c493d06cbd2869f4e332ae00be0b759f2f229ca8ce).

Of the two remaining control codes, “ACG” is the main control code for an
attack, while “GUM” establishes the persistence mechanism.


GUM CONTROL CODE

When the control code is “GUM,” Bandook drops a copy of itself into the SMC
folder under %APPDATA% as “SMC.exe” or “SMC.cpl” and creates a registry key to
automatically execute the copy. Three registry keys are used to run SMC.exe:

Software\Microsoft\Windows\CurrentVersion\Run
Key name: SMC
Value: %APPDATA%\SMC\SMC.exe

Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Key name: shell
Value: explorer.exe, %APPDATA%\SMC\SMC.exe

Software\Microsoft\Windows NT\CurrentVersion\Windows\
Key name: Load
Value: short path of %APPDATA%\SMC\SMC.exe

When the copy is SMC.cpl, the registry key and value are the following:

Software\Microsoft\Windows\CurrentVersion\Run
Key name: SMC
Value: %windir%\System32\controll.exe %APPDATA%\SMC\SMC.cpl
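As an added defender's example (not code from the article or from Bandook), the following Python parses a reg export text dump and flags the three persistence entries listed above; the HKCU hive, the user path and the sample dump are constructed for illustration.

```python
# Added example (not from the article): audit a `reg export` text dump for the
# three GUM persistence entries described above. The hive (HKCU) and the sample
# dump below are constructed for illustration.

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"SMC"="C:\\Users\\u\\AppData\\Roaming\\SMC\\SMC.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, C:\\Users\\u\\AppData\\Roaming\\SMC\\SMC.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"="C:\\Users\\u\\AppData\\Roaming\\SMC\\SMC.exe"
'''


def _unquote(value: str) -> str:
    """Undo reg export quoting: outer quotes plus the \\" and \\\\ escapes."""
    if value.startswith('"') and value.endswith('"'):
        value = value[1:-1]
    return value.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> dict:
    """Parse [key] / "name"="value" lines into {key: {name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = _unquote(value.strip())
    return keys


def audit_gum_persistence(reg_text: str) -> list:
    """Return (key, name, value, reason) for entries matching the GUM persistence pattern."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        tail = key.split("\\", 1)[-1].rstrip("\\").lower()  # path without the hive
        for name, value in values.items():
            v, n = value.lower(), name.lower()
            if tail.endswith(r"windows\currentversion\run") and r"\smc\smc." in v:
                findings.append((key, name, value, "Run entry launching SMC.exe/SMC.cpl"))
            elif tail.endswith(r"windows nt\currentversion\winlogon") and n == "shell" and v != "explorer.exe":
                findings.append((key, name, value, "Winlogon Shell is no longer just explorer.exe"))
            elif tail.endswith(r"windows nt\currentversion\windows") and n == "load" and v:
                findings.append((key, name, value, "Load value set (empty on a clean system)"))
    return findings
```

The Winlogon Shell and Load checks are generic: any value other than plain explorer.exe, or any non-empty Load, deserves a look even when the SMC name is not present.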



ACG CONTROL CODE

When the control code is ACG, the payload can download files for other modules,
including fcd.dll, pcd.dll, an executable file, and others. This is an optional
function controlled by flags set when the payload initializes; the files can
also be downloaded from the C2 server when necessary. If fcd.dll is downloaded,
Bandook calls its functions and passes registry key names as arguments.
Similarly, many registry keys store information used in other actions.

An action may be separated into several parts, so all related commands and
registry keys have to be pieced together. For example, C2 communication may
use one command to write a registry key and a separate command to read it.


C2 COMMUNICATION

First, Bandook sends victim information to its C2 server:


Figure 4: Traffic capture and AES decrypted data of the victim information.

If the C2 server is available, Bandook receives commands from the server,
including *DJDSR^, @0001, @0002, and so on. While the string sequence in the
newest variants reaches @0155, some are only used when sending a result to the
server, and others only exist in other modules. As shown in Figure 5, the
payload doesn’t use the command @0133, though it can be found in fcd.dll.


Figure 5: @0133 can be found in fcd.dll.

Despite the numbering, the payload only supports 139 actions. In addition, some
special commands are only sent to the server under specific conditions. Since
most actions are the same as in previous variants, we will focus on
communications between Bandook and the C2 server using the new commands added to
the most recent variants.

These actions can be roughly categorized as file manipulation, registry
manipulation, download, information stealing, file execution, invocation of
functions in dlls from the C2, controlling the victim’s computer, process
killing, and uninstalling the malware.

The data from the C2 server has the following format:

{Command}~!{Arg2}~!{Arg3}~!{Arg4}~!{Arg5}~!{Arg6}~!

The first argument is the command, which is necessary. Arg2 to Arg6 are
optional.

Below are four examples of actions that require multiple commands and actions
that have complex mechanisms.

@0003, @0004

This action reads a file. If Arg3 is R, Bandook keeps calling the Sleep
function until the C2 server sends @0004 with its related arguments. The @0004
command supplies a value that determines where the file is read from, or
whether to do nothing at all.

Finally, Bandook sends the file specified by Arg2 to the C2 server.


Figure 6: Process flow when Bandook receives @0003 from the server.

@0006, @0007

This action is about file writing. Similar to @0003, @0006 waits for @0007.
@0007 determines how to write data from the C2 server to a local file.

Figure 7: Process flow when Bandook receives @0007 from the server.
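As an added example that is not part of the article, the following Python parses the {Command}~!{Arg2}~!...~! message format described above and models the two-step pairing of @0003/@0004 and @0006/@0007; the sample messages are constructed, and the assumption that trailing fields may be omitted is the example's own.

```python
# Added example (not the malware's or the article's code): parse the
# {Command}~!{Arg2}~!...~!{Arg6}~! layout and pair the two-step actions
# (@0003 -> @0004, @0006 -> @0007). Assumes fields may be omitted from the
# right and that the line has already been AES-decrypted.
from dataclasses import dataclass, field

SEP = "~!"
MAX_FIELDS = 6  # command + Arg2..Arg6
FOLLOW_UP = {"@0003": "@0004", "@0006": "@0007"}


@dataclass
class C2Message:
    command: str
    args: list = field(default_factory=list)  # args[0] is Arg2

    def arg(self, n: int) -> str:
        """Arg2..Arg6 in the article's numbering; '' when the field is absent."""
        i = n - 2
        return self.args[i] if 0 <= i < len(self.args) else ""


def parse_c2_message(raw: str) -> C2Message:
    """Split one decrypted server line on '~!'. The command is mandatory."""
    if not raw.endswith(SEP):
        raise ValueError("message must end with '~!'")
    fields = raw[:-len(SEP)].split(SEP)
    if not fields[0]:
        raise ValueError("command field is required")
    if len(fields) > MAX_FIELDS:
        raise ValueError(f"at most {MAX_FIELDS} fields, got {len(fields)}")
    return C2Message(fields[0], fields[1:])


class ActionTracker:
    """A first command parks until its follow-up arrives (Bandook sleeps meanwhile)."""

    def __init__(self):
        self.pending = None   # C2Message waiting for its follow-up
        self.completed = []   # (first message, follow-up or None)

    def feed(self, raw: str) -> str:
        msg = parse_c2_message(raw)
        if self.pending is not None:
            if msg.command == FOLLOW_UP[self.pending.command]:
                self.completed.append((self.pending, msg))
                self.pending = None
                return "completed"
            return "waiting"  # assumption: anything else is dropped while waiting
        # @0003 waits only when Arg3 is "R"; @0006 always waits for @0007
        if msg.command == "@0006" or (msg.command == "@0003" and msg.arg(3) == "R"):
            self.pending = msg
            return "waiting"
        self.completed.append((msg, None))
        return "completed"
```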

@0126, @0127, @0128

This action executes a Python file. The main command is @0128, which calls a
ShellExecute function to run a Python file {Parent directory}\Lib\dpx.pyc with
arguments Arg2~Arg6. The {Parent directory} is stored in the registry key pthma
under HKCU\Software. @0126 checks pthma’s value and sends the result to the
server. @0127 writes its Arg2 to pthma if fcd.dll is initialized in the victim’s
computer.

Additionally, some commands send special data to the server:

@0124

This action monitors the victim’s screen and controls the computer. When Bandook
receives this command, it overwrites the config file of Firefox pref.js with
code hard-coded in the payload and disables protection mechanisms in Microsoft
Edge:

Software\Microsoft\Internet Explorer
Key name: TabProcGrowth
Value: 0

Software\Microsoft\Internet Explorer
Key name: NoProtectedModeBanner
Value: 1

Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Key name: 2500
Value: 3

After this, Bandook creates a virtual desktop and assigns it to a newly created
thread (Thread_Control) that establishes a new communication with the C2 server.
It first sends the string AVE_MARIA, followed by another packet containing the
number 1, to the server.


Figure 8: The “AVE_MARIA” and number sent by Bandook.

If the server responds, Bandook creates another thread to keep sending
screenshots to the server. This thread also sends two packets: the string
AVE_MARIA and the number 0. In the meantime, Thread_Control receives coordinates
and control codes from the server. These tasks include:

 * Open the Run dialog
 * Copy user data from Chrome to another folder and open another Chrome instance
   using a new directory and configurations. It uses the following command to
   help it run faster: cmd.exe /c start chrome.exe --no-sandbox
   --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11
   --user-data-dir={New folder}
 * Copy user data to another folder and open another Firefox instance with the
   copied profile
 * Execute Internet Explorer
 * Terminate Microsoft Edge, enable its Compatibility Mode, and open another
   Edge instance with a new directory and configurations. It uses the following
   command to help it run faster:
   C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --no-sandbox
   --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11
   --user-data-dir={New folder}
 * Access specified windows
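As an added detection example (not from the article), the following Python checks process command lines for the Chrome/Edge switch combination listed above; the sample command lines are constructed, and the match threshold is the example's own choice.

```python
# Added example (not from the article): flag browser launches that carry the
# switch combination the article reports for the attacker-spawned Chrome and Edge
# instances. The command lines below are constructed, as a process-creation log
# (Sysmon/EDR) would record them.
import re

BROWSERS = {"chrome.exe", "msedge.exe"}
REPORTED_SWITCHES = {"--no-sandbox", "--allow-no-sandbox-job", "--disable-3d-apis",
                     "--disable-gpu", "--disable-d3d11"}

SAMPLE_CMDLINES = [
    r'cmd.exe /c start chrome.exe --no-sandbox --allow-no-sandbox-job --disable-3d-apis '
    r'--disable-gpu --disable-d3d11 --user-data-dir=C:\Users\u\AppData\Local\Temp\cx1',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-sandbox '
    r'--allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11 '
    r'--user-data-dir=C:\Users\u\AppData\Local\Temp\ed1',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox '
    r'--user-data-dir=C:\dev\profile',  # a developer's run: not the reported combination
]


def classify_browser_launch(cmdline: str):
    """Return None for non-browser processes, else a dict describing the switches seen."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    browser = None
    for tok in tokens:  # also catches the 'cmd.exe /c start chrome.exe ...' form
        base = tok.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in BROWSERS:
            browser = base
            break
    if browser is None:
        return None
    switches = {t.split("=", 1)[0].lower() for t in tokens if t.startswith("--")}
    hits = REPORTED_SWITCHES & switches
    return {
        "browser": browser,
        "hits": sorted(hits),
        "custom_profile": "--user-data-dir" in switches,
        # sandbox off + fresh profile + most of the reported switches
        "suspicious": "--no-sandbox" in hits and "--user-data-dir" in switches and len(hits) >= 3,
    }


def scan_cmdlines(cmdlines):
    """Return the command lines that match the reported launch pattern."""
    out = []
    for c in cmdlines:
        r = classify_browser_launch(c)
        if r and r["suspicious"]:
            out.append(c)
    return out
```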

In addition, there are three new commands compared to the 2021 variant:

@0138

This command writes encrypted backup URLs to the registry key kPYXM under
HKCU\Software\AkZhAyV0\. When the current C2 server is unavailable, Bandook
decrypts the value and tries to reach the URLs. The decrypted data has the
following format:

{URL}|{URL}|{URL}|

Bandook will extract URLs and try these sequentially if the previous URL is
unavailable.

@0139

This command asks Bandook to parse cookies from the browser specified by the C2,
including Chrome, Edge, and Firefox, and save the result as Default.json in a
.zip file.

@0140

@0140 is absent from the previous variant. This command asks Bandook to
establish its persistence mechanism with sub_13160400, the same function called
when the control code is GUM, as shown in Figure 9.


Figure 9: The new variant uses the same function in the control code and
command.


CONCLUSION

This article unveils new details about the C2 mechanism of this long-existing
malware and the new features in its latest variant. A large number of C2
commands can be found in this malware, yet the payload performs fewer distinct
tasks than the number of commands suggests. This is because several commands
are combined for a single action, some commands call functions in other
modules, and some are only used to respond to the server. Though the entire
system was not observed in this attack, FortiGuard will continue monitoring
malware variants and providing appropriate protections.


FORTINET PROTECTIONS

The malware described in this report is detected and blocked by FortiGuard
Antivirus as:

PDF/Agent.1F56!tr
W32/Injector.EQDO!tr
W32/Bandok.NAT!tr


FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus
service. The FortiGuard AntiVirus engine is a part of each of those solutions.
As a result, customers who have these products with up-to-date protections are
protected.

The FortiGuard CDR (content disarm and reconstruction) service can disarm the
malicious macros in the document.

We also suggest that organizations go through Fortinet’s free NSE training
module: NSE 1 – Information Security Awareness. This module is designed to help
end users learn how to identify and protect themselves from phishing attacks.

The FortiGuard IP Reputation and Anti-Botnet Security Service proactively
blocks these attacks by aggregating malicious source IP data from the Fortinet
distributed network of threat sensors, CERTs, MITRE, cooperative competitors,
and other global sources that collaborate to provide up-to-date threat
intelligence about hostile sources.

If you believe this or any other cybersecurity threat has impacted your
organization, please contact our Global FortiGuard Incident Response Team.


IOCS


IPS

77[.]91[.]100[.]237
45[.]67[.]34[.]219



FILES



Tags:

remote access trojan

