Bandook

Bandook is a commercially available RAT, written in Delphi, which has been available since roughly 2007.[1][2]

ID: S0234
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain      ID     Name                     Use
Enterprise  T1123  Audio Capture            Bandook has modules that are capable of capturing audio.[1]
Enterprise  T1059  Command-Line Interface   Bandook is capable of spawning a Windows command shell.[1]
Enterprise  T1056  Input Capture            Bandook contains keylogging capabilities.[3]
Enterprise  T1093  Process Hollowing        Bandook has been launched by starting iexplore.exe and replacing it with Bandook's payload.[1][2]
Enterprise  T1113  Screen Capture           Bandook is capable of taking an image of and uploading the current desktop.[2]
Enterprise  T1125  Video Capture            Bandook has modules that are capable of capturing from a victim's webcam.[1]

Groups That Use This Software

ID     Name           References
G0070  Dark Caracal   [2]

References