Bandook
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Bandook has used PowerShell loaders as part of execution.(Citation: CheckPoint Bandook Nov 2020) |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Bandook is capable of spawning a Windows command shell.(Citation: EFF Manul Aug 2016)(Citation: CheckPoint Bandook Nov 2020) |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Bandook has used malicious VBA code against the target system.(Citation: CheckPoint Bandook Nov 2020) |
| Enterprise | T1059.006 | Command and Scripting Interpreter: Python | Bandook can support commands to execute Python-based payloads.(Citation: CheckPoint Bandook Nov 2020) |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Bandook has used AES encryption for C2 communication.(Citation: CheckPoint Bandook Nov 2020) |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Bandook has a command to delete a file.(Citation: CheckPoint Bandook Nov 2020) |
| Enterprise | T1056.001 | Input Capture: Keylogging | Bandook contains keylogging capabilities.(Citation: BH Manul Aug 2016) |
| Enterprise | T1027.003 | Obfuscated Files or Information: Steganography | Bandook has used .PNG images within a zip file to build the executable.(Citation: CheckPoint Bandook Nov 2020) |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Bandook is delivered via a malicious Word document inside a zip file.(Citation: CheckPoint Bandook Nov 2020) |
| Enterprise | T1055.012 | Process Injection: Process Hollowing | Bandook has been launched by starting iexplore.exe and replacing it with Bandook's payload.(Citation: Lookout Dark Caracal Jan 2018)(Citation: EFF Manul Aug 2016)(Citation: CheckPoint Bandook Nov 2020) |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Bandook was signed with valid Certum certificates.(Citation: CheckPoint Bandook Nov 2020) |
| Enterprise | T1204.002 | User Execution: Malicious File | Bandook has used lure documents to convince the user to enable macros.(Citation: CheckPoint Bandook Nov 2020) |
Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0070 | Dark Caracal | (Citation: Lookout Dark Caracal Jan 2018) (Citation: CheckPoint Bandook Nov 2020) |
References
- Galperin, E., et al. (2016, August). I Got a Letter From the Government the Other Day.... Retrieved April 25, 2018.
- Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
- Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
- Galperin, E., et al. (2016, August 4). When Governments Attack: State Sponsored Malware Attacks Against Activists, Lawyers, and Journalists. Retrieved May 23, 2018.