New variant of remote access Trojan called banduque The malware was observed to be spread via phishing attacks aimed at infiltrating Windows computers, highlighting the malware’s continued evolution.
Fortinet FortiGuard Labs discovered the campaign in October 2023 and said the malware was distributed via a PDF file that embedded a link to a password-protected .7z archive.
“After the victim extracts the malware using the password from the PDF file, the malware injects its payload into msinfo32.exe,” said security researcher Pei Han Liao.
First discovered in 2007, Bandook is an off-the-shelf malware with multiple capabilities for remotely controlling infected systems.
In July 2021, Slovak cybersecurity company ESET detailed a cyber espionage campaign that used an upgraded variant of Bandook to disrupt corporate networks in Spanish-speaking countries such as Venezuela.
The starting point of the latest attack sequence is an injector component designed to decrypt the payload and load it into msinfo32.exe, a legitimate Windows binary used to collect system information to diagnose computer problems .
In addition to altering the Windows registry to establish persistence on the infected host, the malware also communicates with command and control (C2) servers to retrieve additional payloads and instructions.
“These behaviors can be roughly divided into file manipulation, login manipulation, downloading, information theft, file execution, calling functions in DLL from C2, controlling the victim’s computer, process killing and uninstalling malware,” Han Liao said.
