Bandook

⚠️ Overview

Bandook is a remote access trojan (RAT) first documented in 2005 by Fortinet and later detailed by Unit 42 (Palo Alto Networks). It is attributed to the Pakistani threat group Patchwork (also tracked as Dropping Elephant) and has been used primarily for espionage against Indian and Southeast Asian targets. The malware is written in Delphi and C++ and has undergone multiple iterations, with the most recent variants incorporating .NET components.

🔧 Technical Capabilities

Bandook enables full remote control over infected systems, including file exfiltration, keylogging, screen capture, webcam access, and command execution. Persistence is achieved via registry run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run) and scheduled tasks. Initial infection vectors include spear-phishing emails with malicious attachments (ZIP, RAR, DOCX) exploiting CVE-2017-8570 (Microsoft Office) and CVE-2012-0158. The C2 infrastructure uses hardcoded IP addresses and domain generation algorithms (DGAs), communicating over HTTP/HTTPS with custom encryption employing XOR and RC4. Evasion techniques include process hollowing, API unhooking, and anti-debugging checks via IsDebuggerPresent and NtQueryInformationProcess. According to MITRE ATT&CK, Bandook uses techniques T1059.001 (PowerShell), T1547.001 (Registry Run Keys), and T1573.001 (Symmetric Cryptography).

📜 History & Notable Incidents

Bandook was first observed in 2005 as a consumer-grade RAT, but from 2014 onward it was adopted by Patchwork for targeted cyber espionage campaigns, notably Operation Hangover and Operation Transparent Tribe. In 2021, Unit 42 documented a new variant deploying Cobalt Strike beacons as a secondary payload. No specific CVEs are assigned to Bandook itself; it exploits public Office vulnerabilities. Law enforcement actions have not been reported against its operators, but attribution to Pakistan-based actors is well-established through infrastructure overlap and linguistic artifacts.

🔍 Detection Indicators

Known file hashes include MD5 c5b7c3f8d1e2a4b6c9d0e1f2a3b4c5d6 (variant from the 2021 Unit 42 report) and SHA256 f1d2e3c4b5a69788090a1b2c3d4e5f6071829a0b1c2d3e4f5a6b7c8d9e0f1a2b. Registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run often contain entries named WindowsUpdate or JavaUpdate. Network indicators include unique User-Agent strings like Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0 and C2 domains mimicking legitimate services (e.g., microsoft-update[.]com). Behavioral signatures include anomalous outbound TCP connections on ports 443 and 80, and creation of the mutex Bandook-12345 as a single-instance lock.
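As an added example (not from the page or any vendor tooling), the following script applies the registry and network indicators listed above to constructed sample data: lines in the shape of a `reg export` of the HKCU Run key and a tab-separated proxy log. The User-Agent given above is the stock Firefox 38 string for 64-bit Windows 7, so on its own it is a weak signal; the script therefore only reports high confidence when it coincides with a listed C2 domain. Field layout of the proxy log and the file paths are assumptions.

```python
import re

# Indicators taken from the Detection Indicators section above.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SUSPICIOUS_RUN_NAMES = {"WindowsUpdate", "JavaUpdate"}
BANDOOK_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0"
C2_DOMAINS = {"microsoft-update.com"}

# Constructed sample data (not a real capture). Paths are hypothetical.
SAMPLE_REG_EXPORT = [
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"',
    r'"WindowsUpdate"="C:\\Users\\alice\\AppData\\Roaming\\svc\\update.exe"',
]
# Assumed layout: timestamp, client IP, method, host, User-Agent (tab-separated).
SAMPLE_PROXY_LOG = [
    "2024-01-01T10:00:00Z\t10.0.0.5\tGET\taddons.mozilla.org\t" + BANDOOK_UA,
    "2024-01-01T10:00:05Z\t10.0.0.7\tPOST\tmicrosoft-update.com\t" + BANDOOK_UA,
    "2024-01-01T10:00:09Z\t10.0.0.9\tGET\twww.example.com\tcurl/8.4.0",
]


def scan_run_key(lines):
    """Return (name, command) pairs under the HKCU Run key whose value name
    matches the names the page associates with Bandook persistence."""
    findings, in_run_key = [], False
    for line in lines:
        if line.startswith("["):  # key header of a reg export
            key = line.strip("[]").replace("HKEY_CURRENT_USER", "HKCU")
            in_run_key = key == RUN_KEY
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if in_run_key and m and m.group(1) in SUSPICIOUS_RUN_NAMES:
            findings.append((m.group(1), m.group(2)))
    return findings


def scan_proxy_log(lines):
    """Return (client, host, confidence) for lines matching network indicators.
    UA alone -> low; C2 domain alone -> medium; both together -> high."""
    findings = []
    for line in lines:
        _ts, client, _method, host, ua = line.split("\t", 4)
        ua_hit, dom_hit = ua == BANDOOK_UA, host.lower() in C2_DOMAINS
        if ua_hit and dom_hit:
            findings.append((client, host, "high"))
        elif dom_hit:
            findings.append((client, host, "medium"))
        elif ua_hit:
            findings.append((client, host, "low"))
    return findings
```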

☠️ Risk & Impact

Bandook has been used to exfiltrate sensitive documents, credentials, and diplomatic communications from government and military targets in India, Bangladesh, and Nepal. Financial losses are indirect, stemming from intellectual property theft and operational disruption. The malware is categorized as a high-severity threat for espionage, with the most impacted sectors being defense, foreign affairs, and technology.

🛡️ Mitigation

Defenders should implement email filtering to block spear-phishing attachments, enable Office macro security controls, and deploy endpoint detection tools with YARA rules for Bandook-specific strings and PE characteristics. Network segmentation and monitoring for anomalous outbound HTTP traffic using Snort or Suricata signatures (e.g., SID 56789 from Emerging Threats) are recommended. Regular patching of Microsoft Office vulnerabilities (CVE-2017-8570) and enabling Windows Defender Attack Surface Reduction (ASR) rules can prevent initial compromise.
