Operation Dark Caracal was conducted by an APT group linked to Lebanon, and the group is now back with new attacks that use a new version of a backdoor Trojan that has been in use for 13 years, named Bandook.
According to a Check Point report, dozens of variants of this malware have reappeared in the threat landscape over the past year.
"In the latest wave of attacks, we have again identified an unusually large variety of areas and locations targeted by the malware. This further reinforces the previous hypothesis that the malware is not used by one entity, but sold by a third party to governments and hackers around the world to facilitate attacks."
In its recent attacks, the APT group behind Dark Caracal has targeted a range of sectors, including government, finance, energy, the food industry, healthcare, education, IT and legal institutions.
Most of the group's victims are based in Singapore, Cyprus, Chile, Italy, the USA, Turkey, Switzerland, Indonesia and Germany.
The infection process usually takes place in three stages:
The first stage uses a Word document (e.g. “Certified documents.docx”) delivered inside a ZIP file. Opening the file activates malicious macros, which then download and run a PowerShell script (the second stage) that is encrypted within the original document.
In the final stage of the attack, the PowerShell script downloads encrypted executables from legitimate cloud storage services, such as Dropbox or Bitbucket, and then downloads the Bandook loader, which injects the RAT into a new Internet Explorer process.
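A defender-side check for the first stage described above (a macro-carrying Word document delivered inside a ZIP), as an added example that is not code from the original article or from Check Point. It assumes only the Python standard library; the archive contents are constructed in the script and the file name is borrowed from the lure mentioned above.

```python
import io
import zipfile

# Office Open XML documents are themselves ZIP containers; a VBA macro
# project lives at this fixed member path inside them.
VBA_MEMBER = "word/vbaProject.bin"
OFFICE_SUFFIXES = (".docx", ".docm", ".dotm")


def find_macro_documents(archive_bytes: bytes) -> list[str]:
    """Return the names of Word documents inside a ZIP that carry a VBA project.

    Each Office member is opened as a nested ZIP and checked for vbaProject.bin.
    Members that are not valid ZIPs are reported as suspicious rather than skipped,
    since a .docx that is not an OOXML container is itself an anomaly.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as outer:
        for name in outer.namelist():
            if not name.lower().endswith(OFFICE_SUFFIXES):
                continue
            try:
                with zipfile.ZipFile(io.BytesIO(outer.read(name))) as doc:
                    if VBA_MEMBER in doc.namelist():
                        hits.append(name)
            except zipfile.BadZipFile:
                hits.append(name + " (not a valid OOXML container)")
    return hits


def _build_doc(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like container for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as doc:
        doc.writestr("[Content_Types].xml", "<Types/>")
        doc.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            doc.writestr(VBA_MEMBER, b"\x00")  # placeholder bytes, not real VBA
    return buf.getvalue()


def sample_archive() -> bytes:
    """Constructed ZIP mimicking the lure: one macro document, one clean one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as outer:
        outer.writestr("Certified documents.docx", _build_doc(with_macro=True))
        outer.writestr("readme.docx", _build_doc(with_macro=False))
        outer.writestr("notes.txt", "not an office file")
    return buf.getvalue()


if __name__ == "__main__":
    print(find_macro_documents(sample_archive()))
```

The same check can be run on a real attachment by passing the ZIP's bytes to find_macro_documents; a non-empty result is a reason to hold the file for analysis rather than open it.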
The Bandook RAT has been available on underground forums since 2007 and supports common backdoor commands, including taking screenshots and performing various file-related operations.
Check Point researchers noticed that the new version of Bandook is a "weak version" that supports only 11 of the 120 commands, which suggests the operators are trying not to attract attention.
The experts also noticed several malware samples that had been digitally signed with valid certificates issued by Certum.
"Some of the features and similarities of this campaign with previous campaigns lead us to conclude that the activity we describe in this report is indeed the continuation and evolution of the infrastructure used for the Dark Caracal operation":
- Using the same Certum provider in all campaigns.
- Using the Bandook Trojan.
- Same features in targeted attacks.
"All the evidence supports our belief that the mysterious operators behind Dark Caracal's malicious infrastructure are still alive and well," the researchers concluded.
Source: Security Affairs