Experts Identify Malware Threats Targeting Corporate Networks in Latin America

New Espionage Campaign Unveiled: Targets Corporate Networks in Venezuela

On Thursday, cybersecurity researchers revealed an ongoing espionage campaign primarily aimed at corporate networks in Spanish-speaking countries, with Venezuela being the focal point. This newly identified threat, named “Bandidos” by security firm ESET, employs an enhanced variant of the notorious Bandook malware. The campaign appears to target a range of sectors in Venezuela including manufacturing, construction, healthcare, software services, and retail.

Bandook malware, first introduced in 2005, has evolved over the years and has been utilized in various surveillance operations, notably by cyber-mercenary groups linked to state interests in Kazakhstan and Lebanon. ESET’s research highlights the expanded capabilities of the current iteration, which was designed using Delphi and C++. With the malware’s functionality growing, recent findings indicate that the latest Bandook variant can process up to 132 commands, a significant increase from the previous 120 commands reported by Check Point.

The attack typically begins with targeted emails carrying PDF attachments. Each PDF contains a shortened URL that leads to a compressed archive hosted on a well-known cloud storage service such as Google Cloud, SpiderOak, or pCloud. The extracted archive contains a dropper, which decodes the Bandook payload and injects it into an Internet Explorer process.

ESET’s analysis of the latest variant reveals particularly concerning features, including a functionality dubbed “ChromeInject.” Upon establishing a connection with the attacker’s command and control server, the payload downloads a dynamic link library (DLL) file that creates a malicious Chrome extension. This extension is specifically designed to capture credentials entered by the victim, storing them within Chrome’s local data.
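An extension planted by a DLL, as described above, is not installed through the Chrome Web Store, so it leaves a distinctive trace in the browser's own extension settings. The check below is an added example for defenders, not code from ESET or the article; it assumes the Chromium `Preferences` layout (`extensions.settings.<id>` entries with `from_webstore`, `location`, `path` and `state`), and the sample file and extension IDs are constructed.

```python
import json

# Chromium "location" codes for an installed extension (assumed layout):
LOCATION_INTERNAL = 1      # normal install (Web Store / .crx)
LOCATION_UNPACKED = 4      # loaded from a plain folder ("developer mode")
LOCATION_COMPONENT = 5     # bundled with the browser
LOCATION_COMMAND_LINE = 8  # loaded via --load-extension
SIDELOADED = {LOCATION_UNPACKED, LOCATION_COMMAND_LINE}

def suspicious_extensions(prefs_json: str) -> list:
    """Return enabled extensions that did not come from the Web Store or were
    sideloaded from a folder or the command line, the way a dropped
    credential-stealing extension would appear."""
    prefs = json.loads(prefs_json)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        if entry.get("location") == LOCATION_COMPONENT:
            continue  # browser-bundled; carries no Web Store flag by design
        if entry.get("state", 1) != 1:
            continue  # 1 = enabled; disabled entries cannot capture input
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not from Web Store")
        if entry.get("location") in SIDELOADED:
            reasons.append("sideloaded (location=%d)" % entry["location"])
        if reasons:
            findings.append({"id": ext_id, "path": entry.get("path"),
                             "reasons": reasons})
    return findings

# Constructed sample Preferences: one legitimate Web Store extension and one
# unpacked extension sitting in a temp folder (hypothetical path and IDs).
SAMPLE_PREFS = json.dumps({"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "from_webstore": True, "location": LOCATION_INTERNAL, "state": 1,
        "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.3_0"},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": False, "location": LOCATION_UNPACKED, "state": 1,
        "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\ext"},
}}})

if __name__ == "__main__":
    for hit in suspicious_extensions(SAMPLE_PREFS):
        print(hit["id"], hit["path"], "; ".join(hit["reasons"]))
```

Run it against a user's `Preferences` (and `Secure Preferences`) file; any hit outside a known developer's own test extensions is worth a look.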

Among the commands that the malware payload can execute are listing file directories, taking screenshots, controlling user inputs, installing additional malicious DLLs, downloading files, and exfiltrating data to remote servers. This level of sophistication underscores an ongoing trend within cybercriminal circles, where older malware solutions like Bandook are being repurposed for modern cyberattacks.

The tactics and techniques potentially leveraged in this campaign align with various categories outlined in the MITRE ATT&CK framework. Initial access may have been facilitated through phishing emails, while persistence and command and control might be achieved through the deployment of the malicious Chrome extension. Techniques such as credential dumping and exfiltration further highlight the multifaceted approach taken by attackers.

ESET researchers emphasize that the persistence of Bandook in contemporary espionage efforts illustrates its continued relevance among cybercriminals. The consistent evolution of this malware not only enhances its effectiveness but also makes it increasingly difficult to detect and mitigate.

As businesses remain vigilant against cyber threats, the lessons from this espionage campaign offer crucial insights. The blend of established malware and innovative techniques serves as a stark reminder of the ongoing cybersecurity challenges that organizations, especially those operating in vulnerable sectors, must address proactively.
