Bandook

Bandook is a commercially available RAT, written in Delphi and C++, that has been available since at least 2007. It has been used against government, financial, energy, healthcare, education, IT, and legal organizations in the US, South America, Europe, and Southeast Asia. Bandook has been used by Dark Caracal, as well as in a separate campaign referred to as "Operation Manul".[1][2][3]

ID: S0234
Type: MALWARE
Platforms: Windows
Version: 2.0
Created: 17 October 2018
Last Modified: 25 April 2025

Techniques Used

Domain | ID | Name | Use
Enterprise | T1123 | Audio Capture | Bandook has modules that are capable of capturing audio.[1]
Enterprise | T1059 | Command and Scripting Interpreter | Bandook can support commands to execute Java-based payloads.[3]
Enterprise | T1059.001 | PowerShell | Bandook has used PowerShell loaders as part of execution.[3]
Enterprise | T1059.003 | Windows Command Shell | Bandook is capable of spawning a Windows command shell.[1][3]
Enterprise | T1059.005 | Visual Basic | Bandook has used malicious VBA code against the target system.[3]
Enterprise | T1059.006 | Python | Bandook can support commands to execute Python-based payloads.[3]
Enterprise | T1005 | Data from Local System | Bandook can collect local files from the system.[3]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Bandook has decoded its PowerShell script.[3]
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Bandook has used AES encryption for C2 communication.[3]
Enterprise | T1041 | Exfiltration Over C2 Channel | Bandook can upload files from a victim's machine over the C2 channel.[3]
Enterprise | T1083 | File and Directory Discovery | Bandook has a command to list files on a system.[3]
Enterprise | T1070.004 | Indicator Removal: File Deletion | Bandook has a command to delete a file.[3]
Enterprise | T1105 | Ingress Tool Transfer | Bandook can download files to the system.[3]
Enterprise | T1056.001 | Input Capture: Keylogging | Bandook contains keylogging capabilities.[4]
Enterprise | T1680 | Local Storage Discovery | Bandook can collect information about the drives available on the system.[3]
Enterprise | T1106 | Native API | Bandook has used the ShellExecuteW() function call.[3]
Enterprise | T1095 | Non-Application Layer Protocol | Bandook has a built-in command to use a raw TCP socket.[3]
Enterprise | T1027.003 | Obfuscated Files or Information: Steganography | Bandook has used .PNG images within a zip file to build the executable.[3]
Enterprise | T1120 | Peripheral Device Discovery | Bandook can detect USB devices.[1]
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Bandook is delivered via a malicious Word document inside a zip file.[3]
Enterprise | T1055.012 | Process Injection: Process Hollowing | Bandook has been launched by starting iexplore.exe and replacing it with Bandook's payload.[2][1][3]
Enterprise | T1113 | Screen Capture | Bandook is capable of taking an image of the current desktop and uploading it.[2][3]
Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Bandook was signed with valid Certum certificates.[3]
Enterprise | T1016 | System Network Configuration Discovery | Bandook has a command to get the public IP address from a system.[3]
Enterprise | T1204.002 | User Execution: Malicious File | Bandook has used lure documents to convince the user to enable macros.[3]
Enterprise | T1125 | Video Capture | Bandook has modules that are capable of capturing video from a victim's webcam.[1]

Groups That Use This Software

ID | Name | References
G0070 | Dark Caracal | [2][3]

References
