Bandook is a commercially available RAT, written in Delphi and C++, that has been available since at least 2007. It has been used against government, financial, energy, healthcare, education, IT, and legal organizations in the US, South America, Europe, and Southeast Asia. Bandook has been used by Dark Caracal, as well as in a separate campaign referred to as "Operation Manul".[1][2][3]
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1123 | Audio Capture | ||
Enterprise | T1059 | Command and Scripting Interpreter |
Bandook can support commands to execute Java-based payloads.[3] |
|
.001 | PowerShell |
Bandook has used PowerShell loaders as part of execution.[3] |
||
.003 | Windows Command Shell |
Bandook is capable of spawning a Windows command shell.[1][3] |
||
.005 | Visual Basic |
Bandook has used malicious VBA code against the target system.[3] |
||
.006 | Python |
Bandook can support commands to execute Python-based payloads.[3] |
||
Enterprise | T1005 | Data from Local System | ||
Enterprise | T1140 | Deobfuscate/Decode Files or Information | ||
Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography | |
Enterprise | T1041 | Exfiltration Over C2 Channel |
Bandook can upload files from a victim's machine over the C2 channel.[3] |
|
Enterprise | T1083 | File and Directory Discovery | ||
Enterprise | T1070 | .004 | Indicator Removal: File Deletion | |
Enterprise | T1105 | Ingress Tool Transfer | ||
Enterprise | T1056 | .001 | Input Capture: Keylogging | |
Enterprise | T1106 | Native API | ||
Enterprise | T1095 | Non-Application Layer Protocol | ||
Enterprise | T1027 | .003 | Obfuscated Files or Information: Steganography |
Bandook has used .PNG images within a zip file to build the executable. [3] |
Enterprise | T1120 | Peripheral Device Discovery | ||
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
Bandook is delivered via a malicious Word document inside a zip file.[3] |
Enterprise | T1055 | .012 | Process Injection: Process Hollowing |
Bandook has been launched by starting iexplore.exe and replacing it with Bandook's payload.[2][1][3] |
Enterprise | T1113 | Screen Capture |
Bandook is capable of taking an image of and uploading the current desktop.[2][3] |
|
Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing | |
Enterprise | T1082 | System Information Discovery |
Bandook can collect information about the drives available on the system.[3] |
|
Enterprise | T1016 | System Network Configuration Discovery |
Bandook has a command to get the public IP address from a system.[3] |
|
Enterprise | T1204 | .002 | User Execution: Malicious File |
Bandook has used lure documents to convince the user to enable macros.[3] |
Enterprise | T1125 | Video Capture |
Bandook has modules that are capable of capturing video from a victim's webcam.[1] |
ID | Name | References |
---|---|---|
G0070 | Dark Caracal |