A new Bandook RAT variant targets Windows machines



A new variant of Bandook, a remote access trojan, has been spotted spreading via phishing attempts aimed at infiltrating Windows devices, highlighting the malware's ongoing evolution.


According to Fortinet FortiGuard Labs, which observed the activity in October 2023, the malware is delivered via a PDF file that contains a link to a password-protected .7z archive.


"After the victim extracts the malware with the password from the PDF file, the malware injects its payload into msinfo32.exe," said security researcher Pei Han Liao.

Bandook, initially discovered in 2007, is an off-the-shelf malware with a variety of functions for remotely controlling infected systems.


ESET, a Slovak cybersecurity firm, reported a cyber espionage effort in July 2021 that used an enhanced variation of Bandook to access corporate networks in Spanish-speaking countries including Venezuela.


The Bandook RAT

The latest attack chain begins with an injector component designed to decode the payload and load it into msinfo32.exe, a genuine Windows program that collects system information to diagnose computer problems.


In addition to changing the Windows Registry to maintain persistence on the compromised host, the malware communicates with a command-and-control (C2) server to collect new payloads and instructions.


"These actions can be roughly categorized as file manipulation, registry manipulation, download, information stealing, file execution, invocation of functions in DLLs from the C2, controlling the victim's computer, process killing, and uninstalling the malware," stated Han Liao, who led the investigation.

© 2023 by MSCS Support Remote