The Bandook malware, active since 2007, has surfaced in a new variant distributed via a PDF file. The infection chain runs through a password-protected .7z archive delivered via the PDF; once extracted, the loader injects the Bandook payload into a msinfo32.exe process. This variant also uses refined control codes, letting the operator dispatch tasks more precisely than earlier versions could.
Its C2 protocol supports a wide set of commands covering file manipulation, registry control, data downloads, and intrusive actions such as screen monitoring and remote control of the desktop.
FortiGuard Labs' analysis documents the malware's behavior in detail. It establishes persistence by creating registry keys and downloads additional modules such as fcd.dll. Its exchanges with the command-and-control (C2) server carry numerous commands, covering actions from file manipulation to full control of the victim's computer.
The discovery highlights the malware's layered design: a single command may trigger a sequence of actions spanning file reading, writing and execution as well as control of the infected host.