
Bandidos Malware Targeting Networks in South America

 3 years ago
source link: https://news.softpedia.com/news/bandidos-malware-targeting-networks-in-south-america-533485.shtml

Cybersecurity researchers have discovered malware capable of taking control of PCs in Latin America

ESET's cybersecurity researchers yesterday disclosed a malware espionage campaign targeting South American business networks, with most of the activity focused on Venezuela, according to The Hacker News.

Bandidos is ESET's name for the campaign, which uses an improved version of Bandook, a remote access trojan previously deployed against enterprises in industries such as healthcare, software services, retail, manufacturing, and construction. Bandook was used by the Dark Caracal group between 2015 and 2017 to gather intelligence; the group has been linked to Kazakh and Lebanese government interests.

According to ESET's analysis of the infection chain, victims are compromised by opening a malicious email carrying a PDF attachment. The email provides the URL of a password-protected archive hosted on pCloud, SpiderOak, or Google Cloud, as well as the password needed to unpack it. Inside the archive is a dropper that decrypts Bandook and injects it into a running Internet Explorer process.

In the latest Bandook sample ESET examined, a total of 132 commands were identified, twelve more than Check Point found in its earlier analysis. This suggests that the group behind the campaign is continuously extending its tooling with new capabilities.

The malware abuses a Google Chrome extension and Chrome's local storage to steal credentials

ESET researcher Fernando Tavella explains that the most notable feature of the malware is its ChromeInject function. He adds: "When the communication with the attacker's command and control server is established, the payload downloads a DLL file, which has an exported method that creates a malicious Chrome extension. The malicious extension tries to retrieve any credentials that the victim submits to a URL. These credentials are stored in Chrome's local storage."
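As an added example (not code from ESET, the article, or Bandook itself), here is a triage script that would surface an extension like the one described above on an endpoint. It assumes the layout of Chrome's Preferences / Secure Preferences JSON (the `extensions.settings` map with `from_webstore`, `location`, `path` and `manifest` fields) and the Chromium `ManifestLocation` codes; both are taken from the Chromium source rather than from the article, and the sample preferences are constructed. The article does not say how Bandook registers its extension, so the checks are generic indicators of side-loading and credential-harvesting permissions rather than a signature for this campaign.

```python
"""Triage check for side-loaded Chrome extensions (added example).

Flags extensions in a Chrome profile's Preferences / Secure Preferences
file that were not installed from the Chrome Web Store, were loaded
unpacked or via --load-extension, live at an absolute path outside the
profile, or combine broad host access with the storage/webRequest
permissions a credential-stealing extension needs. Field names and
location codes are assumptions from the Chromium source; verify them
against the Chrome version in your environment.
"""
import json
import sys
from pathlib import PurePosixPath, PureWindowsPath

# Chromium ManifestLocation enum values (assumption; extensions/common/manifest.h).
LOCATION_INTERNAL = 1            # normal Web Store install
LOCATION_UNPACKED = 4            # "Load unpacked" in developer mode
LOCATION_COMPONENT = 5           # bundled with Chrome
LOCATION_COMMAND_LINE = 8        # --load-extension=<dir>
LOCATION_EXTERNAL_COMPONENT = 10
SIDELOADED_LOCATIONS = {LOCATION_UNPACKED, LOCATION_COMMAND_LINE}
BUILTIN_LOCATIONS = {LOCATION_COMPONENT, LOCATION_EXTERNAL_COMPONENT}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
HARVEST_PERMS = {"storage", "webRequest", "webRequestBlocking"}


def _is_absolute(path: str) -> bool:
    """True for both Windows (C:\\...) and POSIX (/...) absolute paths."""
    return PureWindowsPath(path).is_absolute() or PurePosixPath(path).is_absolute()


def classify_extension(entry: dict) -> list[str]:
    """Return the reasons one extensions.settings entry looks suspicious (empty if clean)."""
    reasons = []
    location = entry.get("location")
    if location in BUILTIN_LOCATIONS:
        return reasons  # shipped with Chrome; there is no install record to judge
    if not entry.get("from_webstore", False):
        reasons.append("not installed from the Chrome Web Store")
    if location in SIDELOADED_LOCATIONS:
        reasons.append(f"side-loaded (location={location})")
    path = entry.get("path", "")
    if path and _is_absolute(path):
        # Web Store installs record a path relative to the profile's Extensions folder.
        reasons.append(f"loaded from absolute path {path!r}")
    manifest = entry.get("manifest", {})
    perms = set(manifest.get("permissions", []))
    # Manifest v2 lists host patterns under "permissions"; v3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | perms
    if hosts & BROAD_HOSTS and perms & HARVEST_PERMS:
        reasons.append("broad host access combined with " + ", ".join(sorted(perms & HARVEST_PERMS)))
    return reasons


def find_suspicious_extensions(prefs: dict) -> list[dict]:
    """Walk extensions.settings and collect every entry with at least one reason."""
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in sorted(settings.items()):
        reasons = classify_extension(entry)
        if reasons:
            name = entry.get("manifest", {}).get("name", "?")
            findings.append({"id": ext_id, "name": name, "reasons": reasons})
    return findings


def load_prefs(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample mimicking the extensions.settings map; not from a real machine.
SAMPLE_PREFS = {
    "extensions": {
        "settings": {
            "a" * 32: {  # ordinary Web Store install
                "from_webstore": True, "location": LOCATION_INTERNAL, "state": 1,
                "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.0_0",
                "manifest": {"name": "Notes", "permissions": ["storage"]},
            },
            "b" * 32: {  # side-loaded from a temp dir with credential-grabbing permissions
                "from_webstore": False, "location": LOCATION_UNPACKED, "state": 1,
                "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\ext",
                "manifest": {"name": "Helper", "permissions": ["storage", "webRequest", "<all_urls>"]},
            },
            "c" * 32: {  # component extension bundled with Chrome
                "from_webstore": False, "location": LOCATION_COMPONENT, "state": 1,
                "path": "",
                "manifest": {"name": "Built-in", "permissions": ["<all_urls>", "storage"]},
            },
        }
    }
}

if __name__ == "__main__":
    prefs = load_prefs(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PREFS
    for finding in find_suspicious_extensions(prefs):
        print(f"{finding['id']} ({finding['name']})")
        for reason in finding["reasons"]:
            print("  -", reason)
```

On Windows the extension settings normally live in `%LOCALAPPDATA%\Google\Chrome\User Data\<profile>\Secure Preferences`; pass that path as the first argument. Treat a hit as a lead for triage, not a verdict: a legitimate password manager also requests broad host access plus `storage`, so the combination of an absolute path, a non-Web-Store install and those permissions is what warrants pulling the extension directory for analysis.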

The malware is highly versatile: its payload can modify files, capture screenshots, control the cursor on the victim's PC, list directory contents, terminate running processes, install malicious DLLs, uninstall itself from the infected machine, download additional files from a given URL, and exfiltrate the gathered information to a remote server.
