
Dark Caracal APT Reappears with a New Version of Bandook Spyware

The lesser-known Dark Caracal APT group, first documented in 2018, has resurfaced with a new campaign focused on infecting computers in Central and Latin America. The campaign has been running since March 2022 and has infected hundreds of Windows computers in more than a dozen countries.

Latest activity observed

Researchers from Lookout Security discovered that the Dark Caracal APT is currently using a new version of Bandook spyware to target Windows systems. 
  • So far, more than 700 computers have been infected by the malware, with the majority (approximately 75%) located in the Dominican Republic and a further 20% in Venezuela.
  • These attacks primarily leverage the watering hole technique to stay under the radar.

About the new Bandook spyware variant

  • The new version of Bandook spyware has been updated with 148 unique commands to infect Windows computers. 
  • The commands include capabilities such as turning on the webcam, adding or removing files from the computer, taking control of the mouse, capturing screenshots, starting a remote desktop session, and downloading other libraries. 
  • The malware's first stage previously used the GOST cipher to encrypt its payload; the new variant instead uses DES to encrypt its second-stage payload.
  • The DES decryption key is derived from a passphrase by hashing it with the RIPEMD-128 algorithm.

Final words

Investigation shows that the attackers dynamically switch between different IP addresses to infect more systems, and many of those addresses belong to commodity routers on consumer ISP networks. Since the campaign remains active, organizations at risk should monitor for the IOCs associated with the threat actor and the malware and take the necessary preventive measures.
Cyware Publisher
