A retooled version of a 13-year-old malware family is being used by hackers to target multiple sectors.
A cyberespionage group with suspected ties to the Kazakh and Lebanese governments has unleashed a new wave of attacks against a multitude of industries. Researchers have found dozens of signed variants of the Bandook Windows trojan being released by the hackers.
The targeted and affected organizations include government, financial, energy, food industry, healthcare, education, IT, and legal institutions located in Chile, Cyprus, Germany, Indonesia, Italy, Singapore, Switzerland, Turkey, and the US.
The security research team found that this malware is not operated by a single entity. It is part of a large infrastructure involved in the theft of enterprise intellectual property and personally identifiable information from thousands of victims across more than 21 countries.
The infection chain is a three-stage process. It begins with a lure Microsoft Word document delivered inside a ZIP file; when the document is opened, malicious macros are downloaded, and these macros drop and execute a second-stage PowerShell script that was stored encrypted inside the original Word document.
In the final stage, this PowerShell script downloads encoded executable parts from cloud storage services such as Dropbox or Bitbucket and assembles them into the Bandook loader. Researchers have confirmed that the malware responds to a total of 11 commands.
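The three-stage chain above (Word lure, macro-dropped PowerShell, loader parts fetched from Dropbox or Bitbucket) is exactly the kind of parent/child and network sequence endpoint telemetry can catch. The following detection heuristic is an added example written for this page, not code from NPAV or from the researchers; it runs over a small set of constructed process-creation and network events. The tuple layout, the image names it keys on, and the assumption that a process event precedes that process's network events are all assumptions of the example; map them to whatever your EDR or Sysmon pipeline actually emits.

```python
"""Flag the Word -> PowerShell -> cloud-storage download sequence.

Added example, not part of the original article. Event records are
CONSTRUCTED here; the field layout is an assumption for illustration:
    (event_type, host, pid, parent_image, image, detail)
where detail is the command line for process events and the URL for
network events. Events are assumed to be in chronological order.
"""
from urllib.parse import urlparse

# Cloud-storage hosts the article names as staging the encoded loader parts.
CLOUD_STAGING_HOSTS = ("dropbox.com", "bitbucket.org")

# Process images involved in the first two stages (assumed names).
OFFICE_IMAGES = {"winword.exe"}
SCRIPT_IMAGES = {"powershell.exe", "pwsh.exe"}

# Constructed sample telemetry: one full chain on WS01, a macro spawn with no
# follow-up on WS03, and benign noise on WS02 (PowerShell launched from cmd.exe
# reaching Dropbox, which should NOT be flagged).
SAMPLE_EVENTS = [
    ("process", "WS01", 4120, "explorer.exe", "WINWORD.EXE", r"C:\Users\a\Downloads\invoice.docx"),
    ("process", "WS01", 4188, "WINWORD.EXE", "powershell.exe", "-w hidden -enc <constructed>"),
    ("network", "WS01", 4188, None, "powershell.exe", "https://www.dropbox.com/s/constructed/part1.bin"),
    ("network", "WS01", 4188, None, "powershell.exe", "https://bitbucket.org/constructed/raw/part2.bin"),
    ("process", "WS02", 5001, "explorer.exe", "WINWORD.EXE", r"C:\Users\b\report.docx"),
    ("process", "WS02", 5050, "cmd.exe", "powershell.exe", "Get-Date"),
    ("network", "WS02", 5050, None, "powershell.exe", "https://www.dropbox.com/home"),
    ("process", "WS03", 6002, "WINWORD.EXE", "powershell.exe", "-nop -c <constructed>"),
]


def _host_matches(url, suffixes):
    """True if the URL's hostname is one of the suffixes or a subdomain of it.

    A plain endswith() would accept look-alikes such as dropbox.com.evil.example,
    so the dot boundary is checked explicitly."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def detect_bandook_chain(events):
    """Return one alert per (host, pid) of a PowerShell process spawned by Word.

    Severity is 'medium' when only the Word -> PowerShell spawn is seen and
    'high' once that same process reaches a cloud-storage host, which matches
    the loader-assembly stage described in the article."""
    suspects = {}  # (host, pid) -> alert dict
    for etype, host, pid, parent, image, detail in events:
        key = (host, pid)
        if (etype == "process" and parent
                and parent.lower() in OFFICE_IMAGES
                and image.lower() in SCRIPT_IMAGES):
            suspects[key] = {
                "host": host, "pid": pid,
                "stage": "macro_spawned_powershell",
                "severity": "medium",
                "cmdline": detail, "urls": [],
            }
        elif (etype == "network" and key in suspects
                and _host_matches(detail, CLOUD_STAGING_HOSTS)):
            alert = suspects[key]
            alert["urls"].append(detail)
            alert["stage"] = "loader_download_from_cloud_storage"
            alert["severity"] = "high"
    return list(suspects.values())


if __name__ == "__main__":
    for alert in detect_bandook_chain(SAMPLE_EVENTS):
        print(alert["severity"], alert["host"], alert["pid"], alert["stage"], alert["urls"])
```

The heuristic keys on the parent/child relationship first and only escalates on the cloud-storage download, so ordinary administrative PowerShell that happens to touch Dropbox (the WS02 case) stays quiet while a macro-launched shell with no network activity yet (WS03) still surfaces as a medium-severity lead worth triaging.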
NPAV recommends that users and organizations install NPAV on their devices to protect them from all kinds of cyberattacks. NPAV provides best-in-class malware and ransomware protection.
Use NPAV and join us on a mission to secure the cyber world.