ESET researchers have analyzed an espionage campaign targeting companies that is still active. The ongoing campaign, which bears the name Bandidos, is aimed specifically at IT infrastructures in Spanish-speaking countries.
90 percent of the detections are in Venezuela. In 2021 alone, ESET researchers saw more than 200 variants of the malware in Venezuela. However, the experts were unable to identify a specific economic sector that this campaign is targeting.
Installs malicious Chrome extension
“The Chrome Inject functionality is particularly interesting,” says ESET researcher Fernando Tavella, who studied the Bandidos campaign. “After communication with the attacker's command and control server has been established, the malicious program downloads a DLL file that creates a malicious Chrome extension. This then tries to retrieve all credentials that the victim sends to a URL. "
Course of an attack
The potential victims receive malicious emails with a PDF attachment. The PDF file contains a link to download a compressed archive. It contains an executable file: a so-called dropper, whose job it is to smuggle the Bandidos spy program into the system. The attackers use URL shorteners such as Rebrandly or Bitly in their PDF attachments. The short links redirect to cloud storage services such as Google Cloud Storage, SpiderOak or pCloud, from where the malware is downloaded.
Prehistory of Bandidos
During the analysis, ESET researchers found that the Bandidos spy program is an advanced version of the Bandook malware. This is a remote access Trojan (RAT) that has been up to mischief since 2005. In 2016 he was used, among other things, to attack journalists and dissidents in Europe. In 2018 and 2020, the RAT was used for attacks against educational institutions, medical professionals, governments and various industries such as finance, IT and energy. “Earlier reports mentioned that Bandook's developers may be contract developers. That makes perfect sense given the different campaigns with different goals that have been observed over the years. In 2021 we only saw this one active cybercrime campaign that we are documenting here. But it shows that the malware is still a relevant tool for cybercriminals, ”says Matías Porolli, an ESET researcher who worked with Tavella on the analysis.
More at ESET.com
About ESET ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.