Hackers Launching 13-Year-Old Massive Backdoor Trojan Campaign to Attack Various Targets Worldwide

Check Point researchers had previously attributed the Dark Caracal hacking operation to an APT group. Now the company's security experts have revealed a new series of attacks by the same operators against many enterprises and organizations.

The Dark Caracal operation was run by an APT group linked to Lebanon. In the new attacks it uses a fresh version of a backdoor Trojan called "Bandook", which has been in circulation for about 13 years, to hit targets all over the world.

Check Point's researchers reported that over the past year dozens of variants of this malware have started to reappear in the threat landscape, even though Bandook had last been seen in hacking campaigns in 2015 and 2017.

Infection Chain

The infection chain keeps evolving, but the full chain can be split into three main stages. The first stage is a malicious Microsoft Word document delivered inside a ZIP file.

When the document is opened, it uses Word's external template feature to fetch a remote template, and the malicious macros inside that template are loaded and run. The macro code in turn drops and runs the second stage of the attack: a PowerShell script that is stored encrypted inside the original Word document.

Finally, the PowerShell script downloads and executes the last stage of the infection chain, the Bandook backdoor itself.
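The first stage above relies on a remote template reference in the .docx package (commonly called remote template injection): Word follows an attachedTemplate relationship whose TargetMode is External and fetches the template, which carries the macros, before any document content is shown. A defender can find that reference statically without opening the file. The following is an added example written for this article, not code from Check Point or from the campaign; the .docx and the ZIP it is packed in are constructed inline, and the template URL (template.example.invalid) and file names are illustrative.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Namespaces and relationship types fixed by the OOXML / Open Packaging spec.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
WORD_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
OFFICE_REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def find_external_templates(docx_bytes: bytes) -> List[str]:
    """Return the Target of every attachedTemplate relationship marked
    TargetMode="External", i.e. a template Word will fetch over the network
    when the document is opened. Every .rels part is checked, not only
    word/_rels/settings.xml.rels, so a relocated relationship is still found."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as doc:
        for name in doc.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(doc.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"):
                    targets.append(rel.get("Target", ""))
    return targets


def scan_lure_zip(zip_bytes: bytes) -> Dict[str, List[str]]:
    """Walk a ZIP attachment (the delivery container used in this campaign)
    and report each Word member that carries an external template reference.
    Members that are not well-formed OOXML packages are skipped here; a
    production scanner would flag them for a closer look."""
    report: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for member in outer.namelist():
            if not member.lower().endswith((".docx", ".docm", ".dotx", ".dotm")):
                continue
            try:
                hits = find_external_templates(outer.read(member))
            except (zipfile.BadZipFile, ET.ParseError):
                hits = []
            if hits:
                report[member] = hits
    return report


def build_docx(template_target: Optional[str], external: bool = True) -> bytes:
    """Constructed minimal .docx for the demo (not a real Bandook lure).
    template_target=None gives a document with no template relationship;
    external=False gives a harmless internal (relative) relationship."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   '<w:document xmlns:w="%s"><w:body/></w:document>' % WORD_NS)
        z.writestr("word/settings.xml",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   '<w:settings xmlns:w="%s" xmlns:r="%s">'
                   '<w:attachedTemplate r:id="rId1"/></w:settings>' % (WORD_NS, OFFICE_REL_NS))
        if template_target is not None:
            mode = ' TargetMode="External"' if external else ""
            z.writestr("word/_rels/settings.xml.rels",
                       '<?xml version="1.0" encoding="UTF-8"?>'
                       '<Relationships xmlns="%s">'
                       '<Relationship Id="rId1" Type="%s" Target="%s"%s/>'
                       '</Relationships>' % (REL_NS, ATTACHED_TEMPLATE, template_target, mode))
    return buf.getvalue()


def build_lure_zip() -> bytes:
    """Constructed ZIP holding one benign and one template-injection .docx,
    named after lure file names listed in the article."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("bank statement.docx", build_docx(None))
        z.writestr("Certified documents.docx",
                   build_docx("http://template.example.invalid/stage1.dotm"))
    return buf.getvalue()


if __name__ == "__main__":
    for member, urls in scan_lure_zip(build_lure_zip()).items():
        print("%s -> external template(s): %s" % (member, ", ".join(urls)))
```

The check is deliberately on the relationship type plus TargetMode rather than on a .dotm file extension, because the remote target can be served under any name; the URL the scanner reports is also the network indicator to block and to hunt for in proxy logs.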

Bandook variants in the wild

During the investigation, the researchers noted that MalwareHunterTeam had tweeted about several Bandook samples, all of them digitally signed with certificates issued by Certum.

Looking at the variants flagged by MHT, the researchers found that the earliest of the signed samples dated from March 2019 and supported around 120 commands.

There are also other signed Bandook variants that contact the very same C&C server but support only 11 basic commands. The shared C&C server is clear evidence that a single actor operates both the slimmed-down and the fully-fledged versions of the malware.

Sample document file names

  • Malaysia Shipment.docx
  • Jakarta Shipment.docx
  • malta containers.docx
  • Certified documents.docx
  • Notarized Documents.docx
  • bank statement.docx
  • passport and documents.docx
  • Case Draft.docx
  • documents scan.docx

Targeted sectors

  • Government 
  • Financial
  • Energy 
  • Food industry
  • Healthcare
  • Education
  • IT  
  • Legal institutions

Targeted countries

  • Singapore
  • Cyprus
  • Chile
  • Italy
  • USA
  • Turkey
  • Switzerland
  • Indonesia 
  • Germany

After investigating the whole campaign, the researchers concluded that the operators behind the malicious infrastructure of "Operation Manul" and "Dark Caracal" are still active and operational, and are ready to carry out offensive cyber operations for anyone willing to pay.

The group behind this backdoor campaign also improves its tooling over time, adding new features to its operations, and the researchers continue to investigate the operation in detail.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.