Bandook

Bandook is a commercially available remote access trojan (RAT), written in Delphi, which has been available since roughly 2007.[1][2]

ID: S0234
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 17 October 2018
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1123 Audio Capture

Bandook has modules that are capable of capturing audio.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Bandook is capable of spawning a Windows command shell.[1]

Enterprise T1056 .001 Input Capture: Keylogging

Bandook contains keylogging capabilities.[3]

Enterprise T1055 .012 Process Injection: Process Hollowing

Bandook has been launched by starting iexplore.exe and replacing its in-memory image with Bandook's payload.[2][1]

Enterprise T1113 Screen Capture

Bandook is capable of capturing an image of the current desktop and uploading it.[2]

Enterprise T1125 Video Capture

Bandook has modules that are capable of capturing from a victim's webcam.[1]
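The process hollowing entry above (T1055.012) describes a legitimate iexplore.exe whose mapped image no longer matches the file on disk. One way a responder can surface that is to compare the PE headers of the on-disk file with the headers actually mapped in the process. The script below is an added example, not code from Bandook, from the ATT&CK page, or from any referenced report; the "disk" and "memory" images are constructed byte strings built by a helper, not real iexplore.exe or Bandook samples, and the section names chosen for the "hollowed" fixture only mimic the CODE/DATA/BSS layout Delphi linkers typically emit.

```python
"""Compare on-disk PE headers with headers mapped in a process to flag hollowing.
Added example code; all fixtures below are constructed, not real binaries."""
import struct

SECTION_HEADER_SIZE = 40
PE32PLUS_MAGIC = 0x20B
PE32_MAGIC = 0x10B


def build_minimal_pe(entry_point, image_base, section_names, pe32plus=True):
    """Constructed fixture: a PE header (no real code) with the given entry
    point RVA, image base and section names, laid out at 0x1000 intervals."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew -> NT headers at 0x40
    opt_size = 240 if pe32plus else 224                   # optional header size by format
    machine = 0x8664 if pe32plus else 0x14C
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_point)          # AddressOfEntryPoint
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)       # ImageBase (PE32+)
    else:
        struct.pack_into("<I", opt, 28, image_base)       # ImageBase (PE32)
    sections = bytearray()
    rva = 0x1000
    for name in section_names:
        # Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, 16 zero bytes
        sections += struct.pack("<8sIIII", name.ljust(8, b"\0"), 0x1000, rva, 0x1000, rva) + bytes(16)
        rva += 0x1000
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sections)


def parse_pe_headers(image):
    """Return (entry_point_rva, image_base, [(name, virtual_address, virtual_size), ...])."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    entry = struct.unpack_from("<I", image, opt + 16)[0]
    if magic == PE32PLUS_MAGIC:
        base = struct.unpack_from("<Q", image, opt + 24)[0]
    elif magic == PE32_MAGIC:
        base = struct.unpack_from("<I", image, opt + 28)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    off = opt + opt_size
    for _ in range(num_sections):
        name, vsize, va = struct.unpack_from("<8sII", image, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize))
        off += SECTION_HEADER_SIZE
    return entry, base, sections


def hollowing_indicators(disk_image, memory_image):
    """Return human-readable indicators that the mapped image is not the file
    on disk; an empty list means the headers are consistent."""
    d_entry, _d_base, d_secs = parse_pe_headers(disk_image)
    m_entry, _m_base, m_secs = parse_pe_headers(memory_image)
    findings = []
    if d_entry != m_entry:
        findings.append("entry point RVA changed: disk 0x%x, memory 0x%x" % (d_entry, m_entry))
    d_names, m_names = [s[0] for s in d_secs], [s[0] for s in m_secs]
    if d_names != m_names:
        findings.append("section table differs: disk %s, memory %s" % (d_names, m_names))
    elif any(d[1:] != m[1:] for d, m in zip(d_secs, m_secs)):
        findings.append("section addresses or sizes differ between disk and memory")
    # ImageBase is deliberately not compared: ASLR relocates legitimate images,
    # so the raw header field alone is not a reliable hollowing signal.
    return findings


# Constructed fixtures (assumption: not real iexplore.exe or Bandook headers).
DISK_IEXPLORE = build_minimal_pe(0x1234, 0x140000000, [b".text", b".rdata", b".data", b".rsrc"])
MEM_BENIGN = build_minimal_pe(0x1234, 0x7FF6A0000000, [b".text", b".rdata", b".data", b".rsrc"])
MEM_HOLLOWED = build_minimal_pe(0x1A40, 0x400000, [b"CODE", b"DATA", b"BSS", b".idata", b".rsrc"], pe32plus=False)

if __name__ == "__main__":
    for label, mem in (("benign", MEM_BENIGN), ("hollowed", MEM_HOLLOWED)):
        print(label, hollowing_indicators(DISK_IEXPLORE, mem) or ["no indicators"])
```

On a live host the "memory" bytes would come from reading the first page(s) at the process's image base (for example via ReadProcessMemory or from a memory dump) and the "disk" bytes from the path the process reports; the comparison logic is the same. A mismatched entry point or section table is a strong indicator, but the check is header-only: a payload that copies the host's headers verbatim would pass it, so pair it with section-content hashing or a memory scanner in practice.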

Groups That Use This Software

ID Name References
G0070 Dark Caracal [2]

References