# New Threat Actor Uses Spanish Language Lures to Distribute Seldom Observed Bandook Malware **[proofpoint.com/us/blog/threat-insight/new-threat-actor-uses-spanish-language-lures-distribute-seldom-observed-bandook](https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-uses-spanish-language-lures-distribute-seldom-observed-bandook)** July 15, 2021 ----- [Blog](https://www.proofpoint.com/us/blog) [Threat Insight](https://www.proofpoint.com/us/blog/threat-insight) New Threat Actor Uses Spanish Language Lures to Distribute Seldom Observed Bandook Malware July 19, 2021 Joe Wise, Konstantin Klinger, Selena Larson and the Proofpoint Threat Research Team ----- ## ey d gs Proofpoint researchers identified a new group, TA2721 distributing Spanish-language email threats. The group often targets individuals with Spanish-language surnames at global organizations representing multiple different industries. The infection chain features a PDF containing a URL that leads to an encrypted RAR file which installs Bandook malware. The threat actor tends to use the same command and control (C2) infrastructure for weeks or months at a time. Proofpoint has only seen three different C2 domains in the last six months. Bandook is an old malware that is not used by many threat actors. ## Overview Proofpoint researchers identified a new and highly active threat group, TA2721, also colloquially referred to by our researchers as Caliente Bandits. The group targets multiple industries from finance to entertainment. The group uses Spanish-languages lures to distribute a known – but infrequently used – remote access trojan (RAT) called Bandook. Proofpoint researchers nicknamed the group Caliente Bandits for their use of Hotmail email accounts – “caliente” is the Spanish word for “hot.” Proofpoint researchers began tracking this group in January 2021 and have observed TA2721 distribute email threats delivering Bandook every week since April. The campaigns are low volume, with fewer than 300 messages per campaign. The threats target entities globally, but the threat actors mostly impact individuals with Spanish surnames at these organizations. Cybersecurity firm ESET first [published details of the malware used by this group.](https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/) ## Campaign Details TA2721 leverages the same type of budget or payment-themed lures throughout its campaigns to prompt a user to download a PDF. _Figure 1: Email sample masquerading as a budget/quotation proposal._ The attached PDF contains an embedded URL and password that, when clicked, leads to the download of a password protected compressed executable that contains Bandook. ----- _Figure 2: PDF containing a malicious link and password that leads to the download Bandook._ Proofpoint researchers observed TA2721 sending low-volume campaigns impacting less than 100 organizations at a time since January 2021. Targets include entities in manufacturing, automotive, food and beverage, entertainment and media, banking, insurance, and agriculture. Targeted organizations included entities in the U.S., Europe, and South America, both multinational organizations as well as smaller businesses. Only a handful of individuals are targeted at each organization, and most have Spanish-language surnames, such as Pérez, Castillo, Ortiz, etc. The targeting suggests TA2721 conducts reconnaissance and attack planning to obtain employee data and contact information. The group appears to target individuals that may speak Spanish, increasingly the likelihood of a successful compromise. ## Delivery and Installation Proofpoint researchers have observed this actor distributing two different Bandook variants. Bandook is commodity malware, but the tactics used in the campaigns demonstrate some attempts to evade detection and add additional effort for the attacker. The password-protection of the malicious archive is an easy way to make detection by automatic analysis products harder, and the specific focus on Spanish-language surnames coupled with low volume targeting suggests the threat actor conducted reconnaissance before deploying campaigns. Nearly all observed campaigns contained PDF attachments containing links to the Bandook download, however in one June campaign the threat actor began using URLs in the messages directly. TA2721 sends Spanish-language messages masquerading as companies located in South America, typically Venezuela, and Mexico. They are sent from Hotmail or Gmail email addresses. Subjects and filenames typically contain the terms "PRESUPUESTO (Budget)", "COTIZACION (Quotation)", and "rcibo de pago (receipt of payment)". TA2721 generally uses the same command and control (C2) infrastructure for weeks or months at a time. For example: “s1[.]megawoc[.]com” was used in January. “d1[.]ngobmc[.]com” was used from March to June. “r1[.]panjo[.]club” was used since June. The URLs observed from January through June 2021 used shortener URLs such as bit[.]ly and rebrand[.]ly links. These redirect to spideroak[.]com, an enterprise security file sharing platform. The URLs lead to the download of a password protected RAR file that installs Bandook. ## Malware Analysis Bandook is a commercially available RAT written in Delphi and has been seen in the wild since at least 2007. Researchers have published [details about multiple now publicly-available](https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf%22%20/) [variants. Bandook can capture screenshots, video, keylogging, and audio on the host, and can be](https://research.checkpoint.com/2020/bandook-signed-delivered/) used for information gathering operations ----- esp te ts a a ab ty a d age o use, oo po t does ot obse e a y ot e t eat acto cu e t y us g t s a a e act, s ce 0 5, Proofpoint has observed around 40 total campaigns distributing this malware, with the 2021 TA2721 campaigns making up more than 50% of the observed activity. According to [MITRE ATT&CK’s malware wiki, Bandook is not widely used.](https://attack.mitre.org/software/S0234/) The following is an example of a TA2721 attack chain with the identified sample: Subject: COMPROBANTE DE PAGO LOGSITICA CARACAS CA Sender: logvenccs@doca-safety[.]com Attachment: comprobante de pago corporacion alfeca, c.a..pdf PDF: 5eaa1f5305f4c25292dff29257cd3e14ba3f956f6f8ddb206c0ee3e09af8244e Bandook: 561cb93118fef1966a3233ae7ffd31017823dd5aaad5dc1b2542e717055c197a _Figure 3: TA2721 attack chain._ The email contains a PDF attachment. A URL inside the PDF leads to a password protected RAR archive. The password for the RAR can be found in the initial PDF attachment (123456). Although the threat actors have changed URL shorteners and C2 domains, the archive password remains the same in every campaign. _Figure 4: PDF containing a link to malware hosted on the Spider Oak filesharing service._ The PDF contains the following URL: hxxps[:]//bit[.]ly/bcomprob-sbaa1 ----- c d ects to hxxps[:]//spideroak[.]com/storage/OVPXG4DJMRSXE33BNNPWC5LUN5PTMNBSHE2TM/shared/1764556-1-1104/COMPROBANTE[.]rar? e22cde1331099985a6339fac899e3ebe And downloads COMPROBANTE.rar with the following hash: 39ce7b1e2dc1d4fe3bee24a9be8bea52bcb9028b50090731e5fff586106c264f The extracted file contains the following Bandook executable: Filename: COMPROBANTE.exe Hash: 561cb93118fef1966a3233ae7ffd31017823dd5aaad5dc1b2542e717055c197a The executable is packed multiple times (e.g. UPX). The strings are base64 encoded and encrypted which makes it difficult to reverse engineer. When executed, it creates a new Internet Explorer process (iexplore.exe) and injects the Bandook payload into it. This [process is called Process Hollowing.](https://attack.mitre.org/techniques/T1055/012/%22%20/) Bandook maintains persistence by creating a copy of itself and adding an entry to the run keys in the Microsoft Registry pointing to the copy that will load every time a user logs on. Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xxhgjyljicoftqsffwxx Data: C:\Users\[user]\AppData\Roaming\xxhgjyljicoftqsffwxx\xxhgjyljicoftqsffwxx.exe [The Bandook version used by the Caliente Bandits actor is similar to the one reported by Checkpoint in November 2020. The identified](https://research.checkpoint.com/2020/bandook-signed-delivered/) samples also use AES encryption in CFB mode for C2 communication using a hardcoded key, and an initialization vector (IV) which is not part of the publicly available Bandook versions. Bandook Configuration Primary C2: r3[.]panjo[.]club:7893 Fallback C2: hxxp[:]//ladvsa[.]club/Hayauaia/ AES_CFB_Key: HuZ82K83ad392jVBhr2Au383Pud82AuF AES_CFB_IV: 0123456789123456 So far Proofpoint has observed only one hardcoded AES Key and IV value used by Caliente Bandits. The payload connects to the C2 server over TCP and sends AES Encrypted basic information about the infected machine to the C2 server. There is a main C2 domain and port, but also at least one fallback C2 server. Example C2 communication: An encrypted TCP Beacon is sent to r3[.]panjo[.]club:7893. NI3B/VGNQOWJuJcQAnbGe/G61uhAy4GYmdnmFINKBGqWguDaTfoBUpvbIU+eXfiFOuOFhoFBB082Csj3qSZuKOG4HeBWO28K85yCos0NNYO Analyst Note: The AES encrypted traffic is always suffixed by “&&&”. The decrypted TCP Beacon that was sent to r3[.]panjo[.]club:7893. !O12HYV~!22535~!192.168.0.107~!XTWGHENV~!dwrsApXT~!Seven~!0d 3h 24m~!0~!5.2~!JN2021~!0~!0~!0~!0~!~!0~!0-~!None~!0~!21/6/2021~! [The decoded and decrypted TCP Beacon looks like Bandook C2 communication observed in previously reported incidents. Various](https://wiki.proofpoint.com/wiki/pages/createpage.action?spaceKey=TR&title=2&linkCreation=true&fromPageId=388996696) basic system information is appended with “~!” as a delimiter. Value Purpose O12HYV Unknown, possibly unique victim ID 22535 Unknown, possible set Registry value for persistence ----- 192[.]168[.]0[.]107 IP address of infected machine XTWGHENV Computer name dwrsApXT Username Seven Operating System (Windows 7, Windows 10, etc.) 0d 3h 24m Uptime 0 Unknown 5.2 Unknown, possible Bandook versioning JN2021 Unknown, possible campaign date or ID 21/6/2021 Current date Proofpoint identified a third C2 server which pointed to a localhost address in all Bandook samples associated with TA2721. hxxp[:]//localhost:9991/KBL/ Proofpoint believes that this an artifact of the actor testing the malware that was mistakenly included by the actor after testing and attacking victims in real campaigns. ## Conclusion Proofpoint assesses TA2721 will continue to use of a limited set of Bandook malware variants, similar infection chain, and a select few C2 domains . The specific targeting suggests the threat actor conducts some reconnaissance on target entities before sending email threats. Proofpoint researchers anticipate this actor will continue to use similar email lures, infection chains, and passwords while rotating through C2 domains. **Indicators of Compromise (IOCs)** **IOC** **IOC** **Type** ba1355c5e24c431a34bae10915f7cc9b4b1a8843dc79d9c63f1a13f0f9d099f7 SHA256 Hash **Description** “cotizacion corporacion PDF June 21st hxxps[:]//bit[.]ly/acotiz-abaa1 URL URL inside PDF June 2 hxxps[:]//spideroak[.]com/storage/OVPXG4DJMRSXE33BNNPWC5LUN5PTMNBSHE2TM/shared/17645561-1105/COTIZACION 21[.]rar?17afe9bc9463ab5de84bd956cf4dfa9e URL Unshortened Bitly URL a37c79c57ae9e2d681e5f9ef92798278d2bec68bcd91f08d96768e3fe8d5af19 SHA256 Hash 561cb93118fef1966a3233ae7ffd31017823dd5aaad5dc1b2542e717055c197a SHA256 Hash “COTIZACION 21.rar” Downloaded Rar archiv 21st (password: 123456 “COTIZACION 21.exe” inside Rar June 21st r3[.]panjo[.]club:7893 C2 Primary C2 of Bandook 21st hxxp[:]//ladvsa[.]club/Hayauaia/ C2 Fallback C2 of Bandook 21st ----- 5eaa1f5305f4c25292dff29257cd3e14ba3f956f6f8ddb206c0ee3e09af8244e SHA256 Hash ”comprobante de pago c c.a..pdf” PDF June 21st hxxps[:]//bit[.]ly/bcomprob-sbaa1 URL URL inside PDF June 2 hxxps[:]//spideroak[.]com/storage/OVPXG4DJMRSXE33BNNPWC5LUN5PTMNBSHE2TM/shared/17645561-1104/COMPROBANTE[.]rar?e22cde1331099985a6339fac899e3ebe URL Unshortened Bitly URL 39ce7b1e2dc1d4fe3bee24a9be8bea52bcb9028b50090731e5fff586106c264f SHA256 Hash 561cb93118fef1966a3233ae7ffd31017823dd5aaad5dc1b2542e717055c197a SHA256 Hash **ET Signatures** 2003549 - ET MALWARE Bandook v1.2 Initial Connection and Report 2003550 - ET MALWARE Bandook v1.2 Get Processes 2003551 - ET MALWARE Bandook v1.2 Kill Process Command 2003552 - ET MALWARE Bandook v1.2 Reporting Socks Proxy Active 2003553 - ET MALWARE Bandook v1.2 Reporting Socks Proxy Off 2003554 - ET MALWARE Bandook v1.2 Client Ping Reply 2003555 - ET MALWARE Bandook v1.35 Initial Connection and Report 2003556 - ET MALWARE Bandook v1.35 Keepalive Send 2003557 - ET MALWARE Bandook v1.35 Keepalive Reply 2003558 - ET MALWARE Bandook v1.35 Create Registry Key Command Send 2003559 - ET MALWARE Bandook v1.35 Create Directory Command Send 2003560 - ET MALWARE Bandook v1.35 Window List Command Send 2003561 - ET MALWARE Bandook v1.35 Window List Reply 2003562 - ET MALWARE Bandook v1.35 Get Processes Command Send 2003563 - ET MALWARE Bandook v1.35 Start Socks5 Proxy Command Send 2003564 - ET MALWARE Bandook v1.35 Socks5 Proxy Start Command Reply 2003565 - ET MALWARE Bandook v1.35 Get Processes Command Reply 2003937 - ET MALWARE Bandook iwebho/BBB-phish trojan leaking user data 2805272 - ETPRO MALWARE Bandook Variant CnC Checkin 2810120 - ETPRO MALWARE Bandook Retrieving Payloads set 2810121 - ETPRO MALWARE Bandook Retrieving Payloads 2810122 - ETPRO MALWARE Bandook Initial HTTP CnC Beacon 2810123 - ETPRO MALWARE Bandook Initial HTTP CnC Beacon Response 2810124 - ETPRO MALWARE Bandook HTTP CnC Beacon M1 2810125 - ETPRO MALWARE Bandook HTTP CnC Beacon M2 2810126 - ETPRO MALWARE Bandook HTTP CnC Beacon M3 2810127 - ETPRO MALWARE Bandook HTTP CnC Beacon Response “COMPROBANTE.rar” Downloaded Rar archiv 21st (password: 123456 “COMPROBANTE.exe” inside Rar June 21st ----- 8 0 8 O a doo C C C eaco 2810129 - ETPRO MALWARE Bandook TCP CnC Beacon Response 2814671 - ETPRO MALWARE Bandook Retrieving Payload (cap) 2814672 - ETPRO MALWARE Bandook Retrieving Payload (tv) 2839949 - ETPRO MALWARE Bandook v0.5FM TCP CnC Beacon 2841218 - ETPRO MALWARE Bandook TCP CnC Beacon 2841802 - ETPRO MALWARE Suspected Bandook CnC M1 2841803 - ETPRO MALWARE Suspected Bandook CnC Response 2845793 - ETPRO MALWARE Suspected Bandook CnC M2 2848605 - ETPRO MALWARE Bandook TCP CnC Beacon Keep-Alive (Inbound) 2848616 - ETPRO MALWARE Bandook TCP CnC Beacon Keep-Alive (Inbound) 2848728 - ETPRO MALWARE Bandook v0.5FM TCP CnC Beacon M2 Subscribe to the Proofpoint Blog -----