Bandook

Bandook is a commercially available RAT, written in Delphi and C++, that has been available since at least 2007. It has been used against government, financial, energy, healthcare, education, IT, and legal organizations in the US, South America, Europe, and Southeast Asia. Bandook has been used by Dark Caracal, as well as in a separate campaign referred to as "Operation Manul".[1][2][3]

ID: S0234
Type: MALWARE
Platforms: Windows
Version: 2.0
Created: 17 October 2018
Last Modified: 11 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

Bandook can collect local files from the system.[3]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Bandook has used AES encryption for C2 communication.[3]

Enterprise T1140 Deobfuscate/Decode Files or Information

Bandook has decoded its PowerShell script.[3]

Enterprise T1059 Command and Scripting Interpreter

Bandook can support commands to execute Java-based payloads.[3]

.001 PowerShell

Bandook has used PowerShell loaders as part of execution.[3]

.003 Windows Command Shell

Bandook is capable of spawning a Windows command shell.[1][3]

.005 Visual Basic

Bandook has used malicious VBA code against the target system.[3]

.006 Python

Bandook can support commands to execute Python-based payloads.[3]

Enterprise T1120 Peripheral Device Discovery

Bandook can detect USB devices.[1]

Enterprise T1113 Screen Capture

Bandook is capable of taking an image of and uploading the current desktop.[2][3]

Enterprise T1083 File and Directory Discovery

Bandook has a command to list files on a system.[3]

Enterprise T1106 Native API

Bandook has used the ShellExecuteW() function call.[3]

Enterprise T1027 .003 Obfuscated Files or Information: Steganography

Bandook has used .PNG images within a zip file to build the executable.[3]

Enterprise T1204 .002 User Execution: Malicious File

Bandook has used lure documents to convince the user to enable macros.[3]

Enterprise T1070 .004 Indicator Removal: File Deletion

Bandook has a command to delete a file.[3]

Enterprise T1082 System Information Discovery

Bandook can collect information about the drives available on the system.[3]

Enterprise T1016 System Network Configuration Discovery

Bandook has a command to get the public IP address from a system.[3]

Enterprise T1125 Video Capture

Bandook has modules that are capable of capturing video from a victim's webcam.[1]

Enterprise T1105 Ingress Tool Transfer

Bandook can download files to the system.[3]

Enterprise T1056 .001 Input Capture: Keylogging

Bandook contains keylogging capabilities.[4]

Enterprise T1055 .012 Process Injection: Process Hollowing

Bandook has been launched by starting iexplore.exe and replacing it with Bandook's payload.[2][1][3]

Enterprise T1041 Exfiltration Over C2 Channel

Bandook can upload files from a victim's machine over the C2 channel.[3]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Bandook is delivered via a malicious Word document inside a zip file.[3]

Enterprise T1095 Non-Application Layer Protocol

Bandook has a command built in to use a raw TCP socket.[3]

Enterprise T1123 Audio Capture

Bandook has modules that are capable of capturing audio.[1]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Bandook was signed with valid Certum certificates.[3]

Groups That Use This Software

ID Name References
G0070 Dark Caracal

[2][3]

References