
The return of the Bandook malware, Windows users in the crosshairs


Can malware first detected in 2007 still be active and dangerous? Considering Bandook, the answer to this question is undoubtedly yes.

We’re talking about a remote access trojan (RAT), widely spread online through phishing attacks, with the clear objective of taking control of Windows systems.

The new and more dangerous version of the malicious agent was identified by FortiGuard Labs last October, which then examined and analysed its functionality. According to the researchers, the malware is distributed via a PDF file containing a link to a password-protected .7z archive. The same PDF file also contains the password which, when used to open the archive, activates a dangerous payload.

The payload operates through msinfo32.exe, a legitimate Windows file that collects information used to diagnose operating system problems. Once active, Bandook does more than just edit system logs: it establishes direct contact with a command and control server and begins downloading and activating further payloads.
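As an added defensive example (not part of the original article or of FortiGuard's analysis), the following script scans constructed endpoint telemetry and flags msinfo32.exe processes that open outbound network connections. It assumes that a genuine msinfo32.exe has no reason to contact remote hosts; the log format, process ids and addresses are all constructed.

```python
"""Flag msinfo32.exe instances that open outbound network connections.

Bandook runs through msinfo32.exe, a legitimate diagnostic tool, and then
contacts a command and control server. Assumption (not from the article):
a genuine msinfo32.exe has no reason to reach remote hosts, so any
outbound connection from it deserves an alert. Log lines below are
constructed, in a simplified Sysmon-like form.
"""
from collections import defaultdict

# Constructed sample telemetry; field order: event|pid|image|detail
SAMPLE_LOG = """\
process_create|4120|C:\\Windows\\System32\\msinfo32.exe|parent=explorer.exe
process_create|4388|C:\\Windows\\System32\\msinfo32.exe|parent=cmd.exe
network_connect|4388|C:\\Windows\\System32\\msinfo32.exe|dst=203.0.113.45:443
network_connect|4388|C:\\Windows\\System32\\msinfo32.exe|dst=203.0.113.45:8080
network_connect|5001|C:\\Program Files\\Browser\\browser.exe|dst=198.51.100.7:443
process_create|4120|C:\\Windows\\System32\\msinfo32.exe|parent=explorer.exe
"""

WATCHED_IMAGE = "msinfo32.exe"


def parse_line(line):
    """Split one telemetry line into its four fields."""
    event, pid, image, detail = line.split("|", 3)
    return {"event": event, "pid": int(pid), "image": image, "detail": detail}


def find_suspicious_msinfo32(log_text):
    """Return {pid: [destinations]} for msinfo32.exe processes that made
    outbound connections. Processes with no network events are not reported."""
    connections = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["event"] != "network_connect":
            continue
        # Match on the image file name only, regardless of directory or case.
        if rec["image"].lower().endswith("\\" + WATCHED_IMAGE):
            connections[rec["pid"]].append(rec["detail"].split("=", 1)[1])
    return dict(connections)


if __name__ == "__main__":
    for pid, dsts in find_suspicious_msinfo32(SAMPLE_LOG).items():
        print(f"ALERT pid={pid} msinfo32.exe connected to {', '.join(dsts)}")
```

Only pid 4388 is reported: it is the msinfo32.exe instance with network activity, while the browser's connections and the idle msinfo32.exe instance are ignored.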

Bandook, a RAT that has been active since 2007

As already mentioned, Bandook has been active for several years and, in that time, it has stood out from many other malware families thanks to the wide range of features that make it an ideal tool for remotely taking control of an infected system.

FortiGuard Labs researcher Pei Han Liao explained how, once Bandook has infiltrated a Windows system, it can act in a variety of ways: further registry manipulation, information theft, execution of unwanted files, and the deactivation of certain software.

To avoid this type of danger, in addition to installing and maintaining an excellent antivirus, it pays to be very careful when dealing with certain files received via email. As already stated, archives and PDF files are ideal vectors for spreading malicious agents online.
