

Bandidos Malware Targeting Networks in South America
source link: https://news.softpedia.com/news/bandidos-malware-targeting-networks-in-south-america-533485.shtml

Cybersecurity researchers have discovered malware capable of gaining control of PCs in Latin America
ESET's cybersecurity researchers disclosed yesterday a malware espionage campaign targeting South American commercial networks, with the majority of its efforts focused on Venezuela, according to The Hacker News.
Bandidos is an improved version of Bandook, a malware family designed to target enterprises in industries such as healthcare, software services, retail, manufacturing, and construction. Developed by Dark Caracal, Bandook was used between 2015 and 2017 to gather intelligence. The group claims to be acting on behalf of Kazakh and Lebanese government interests.
According to analysis of the latest attack chain, potential victims' PCs are infected when they open malicious emails carrying PDF attachments. The PDF provides the web address of an archived package hosted on pCloud, Spideroak, or Google Cloud, along with the password needed to unzip it. Unpacking the download exposes a malware dropper that decrypts Bandook and injects it into a running Internet Explorer process.
In the latest form of Bandook examined by ESET, a total of 132 commands were identified, twelve more than Check Point had previously documented. This suggests that the cybercriminal organization behind the infection is constantly evolving its malicious tools to give them more capabilities and reach.
The malware abuses a Google Chrome extension and Chrome's local storage to steal credentials
ESET cybersecurity researcher Fernando Tavella explains that the most ingenious part of the malware's implementation is its ChromeInject function. He adds: "When the communication with the attacker's command and control server is established, the payload downloads a DLL file, which has an exported method that creates a malicious Chrome extension. The malicious extension tries to retrieve any credentials that the victim submits to a URL. These credentials are stored in Chrome's local storage."
The malware is extremely versatile, and its payload is capable of modifying files, capturing screenshots, taking control of the cursor on the victim's PC, listing directory contents, terminating running processes, installing malicious DLL files, uninstalling itself from infected PCs, downloading malicious files from a specific web address, and sending the gathered information to a remote server.