S0234 Bandook
Bandook is a commercially available RAT, written in Delphi and C++, that has been available since at least 2007. It has been used against government, financial, energy, healthcare, education, IT, and legal organizations in the US, South America, Europe, and Southeast Asia. Bandook has been used by Dark Caracal, as well as in a separate campaign referred to as “Operation Manul”.[1][2][3]
Item | Value |
---|---|
ID | S0234 |
Associated Names | |
Type | MALWARE |
Version | 2.0 |
Created | 17 October 2018 |
Last Modified | 11 October 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1123 | Audio Capture | Bandook has modules that are capable of capturing audio.[1] |
enterprise | T1059 | Command and Scripting Interpreter | Bandook can support commands to execute Java-based payloads.[3] |
enterprise | T1059.001 | PowerShell | Bandook has used PowerShell loaders as part of execution.[3] |
enterprise | T1059.003 | Windows Command Shell | Bandook is capable of spawning a Windows command shell.[1][3] |
enterprise | T1059.005 | Visual Basic | Bandook has used malicious VBA code against the target system.[3] |
enterprise | T1059.006 | Python | Bandook can support commands to execute Python-based payloads.[3] |
enterprise | T1005 | Data from Local System | Bandook can collect local files from the system.[3] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | Bandook has decoded its PowerShell script.[3] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | Bandook has used AES encryption for C2 communication.[3] |
enterprise | T1041 | Exfiltration Over C2 Channel | Bandook can upload files from a victim’s machine over the C2 channel.[3] |
enterprise | T1083 | File and Directory Discovery | Bandook has a command to list files on a system.[3] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | Bandook has a command to delete a file.[3] |
enterprise | T1105 | Ingress Tool Transfer | Bandook can download files to the system.[3] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | Bandook contains keylogging capabilities.[4] |
enterprise | T1106 | Native API | Bandook has used the ShellExecuteW() function call.[3] |
enterprise | T1095 | Non-Application Layer Protocol | Bandook has a built-in command to use a raw TCP socket.[3] |
enterprise | T1027 | Obfuscated Files or Information | - |
enterprise | T1027.003 | Steganography | Bandook has used .PNG images within a zip file to build the executable.[3] |
enterprise | T1120 | Peripheral Device Discovery | Bandook can detect USB devices.[1] |
enterprise | T1566 | Phishing | - |
enterprise | T1566.001 | Spearphishing Attachment | Bandook is delivered via a malicious Word document inside a zip file.[3] |
enterprise | T1055 | Process Injection | - |
enterprise | T1055.012 | Process Hollowing | Bandook has been launched by starting iexplore.exe and replacing it with Bandook’s payload.[2][1][3] |
enterprise | T1113 | Screen Capture | Bandook is capable of taking an image of the current desktop and uploading it.[2][3] |
enterprise | T1553 | Subvert Trust Controls | - |
enterprise | T1553.002 | Code Signing | Bandook was signed with valid Certum certificates.[3] |
enterprise | T1082 | System Information Discovery | Bandook can collect information about the drives available on the system.[3] |
enterprise | T1016 | System Network Configuration Discovery | Bandook has a command to get the public IP address from a system.[3] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.002 | Malicious File | Bandook has used lure documents to convince the user to enable macros.[3] |
enterprise | T1125 | Video Capture | Bandook has modules that are capable of capturing video from a victim’s webcam.[1] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0070 | Dark Caracal | [2][3] |
References
1. Galperin, E., et al. (2016, August). I Got a Letter From the Government the Other Day.... Retrieved April 25, 2018.
2. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
3. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
4. Galperin, E., et al. (2016, August 4). When Governments Attack: State Sponsored Malware Attacks Against Activists, Lawyers, and Journalists. Retrieved May 23, 2018.