Cybersecurity experts uncover malware attack network in Latin America

Latin American corporates are at risk: spying malware campaigns uncovered


Cybersecurity researchers have raised concerns about a large-scale malware campaign targeting corporate networks in Latin America. The attackers appear to focus on companies in Spanish-speaking countries, especially those based in Venezuela, and use the malware to spy on their victims.

A group of attackers, tracked as Bandidos, uses an upgraded variant of the Bandook malware. The threat actors primarily target corporate networks in South America, spanning the manufacturing, construction, healthcare, software services, and retail sectors[1].

Victims of the recent attacks receive malicious emails with a PDF attachment. The PDF contains a shortened URL that leads to a password-protected compressed archive hosted on Google Cloud, SpiderOak, or pCloud, along with the password needed to extract it[2]. Once extracted, the archive yields a malware dropper that decodes Bandook and injects it into an Internet Explorer process.

The trojan puts any compromised corporate system at serious risk. Its supported commands include listing directory contents, manipulating files, taking screenshots, controlling the cursor on the machine, installing malicious DLLs, terminating running processes, downloading files from a specified URL, exfiltrating the results of these operations to a remote server, and even uninstalling itself from the infected machine.
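The delivery chain described above (PDF reader follows a shortened URL, an archive arrives from a cloud-storage host, and a freshly extracted executable opens a remote thread in iexplore.exe) is a sequence a defender can correlate in endpoint telemetry. The following is an added example written for this page, not code from the page's author or from the researchers cited; it runs over constructed, Sysmon-like events (event IDs 1, 3, 8 and 11 are Sysmon's process-create, network-connect, CreateRemoteThread and file-create events, but the field names are simplified). The host lists, URL-shortener list and injection allowlist are assumptions for the example, not indicators published by the researchers.

```python
"""Correlate the Bandook-style delivery chain in simplified Sysmon-like events.

Added example for this article; the indicator lists below are assumptions,
not published IOCs.
"""
import re

# Archive hosting services named in the article; the hostnames are assumed.
ARCHIVE_HOSTS = ("storage.googleapis.com", "spideroak.com", "pcloud.link", "my.pcloud.com")
# Common URL shorteners (assumed list for the example).
SHORTENERS = ("bit.ly", "tinyurl.com", "t.co", "rebrand.ly", "cutt.ly")
PDF_READERS = ("acrord32.exe", "foxitreader.exe", "msedge.exe", "chrome.exe")
BROWSER_TARGETS = ("iexplore.exe",)
# Processes that legitimately create threads in iexplore.exe (assumed allowlist).
INJECTION_ALLOWLIST = ("iexplore.exe", "explorer.exe", "csrss.exe", "werfault.exe")
ARCHIVE_EXT = re.compile(r"\.(zip|rar|7z)$", re.I)

# Constructed sample telemetry modelled on the chain in the article.
SAMPLE_EVENTS = [
    {"evt": 3, "image": r"C:\Program Files\Adobe\Reader\AcroRd32.exe", "dest_host": "bit.ly"},
    {"evt": 3, "image": r"C:\Program Files\Adobe\Reader\AcroRd32.exe", "dest_host": "storage.googleapis.com"},
    {"evt": 11, "image": r"C:\Program Files\Adobe\Reader\AcroRd32.exe",
     "target": r"C:\Users\ana\Downloads\factura.zip"},
    {"evt": 1, "image": r"C:\Users\ana\AppData\Local\Temp\Rar$EX\factura.exe", "parent": "winrar.exe"},
    {"evt": 8, "source_image": r"C:\Users\ana\AppData\Local\Temp\Rar$EX\factura.exe",
     "target_image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
]

# Constructed benign telemetry: IE spawning its own tab process, Chrome talking to GCS.
BENIGN_EVENTS = [
    {"evt": 3, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "storage.googleapis.com"},
    {"evt": 8, "source_image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "target_image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
]


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Map one event to a stage of the delivery chain, or None if it matches nothing."""
    kind = event.get("evt")
    if kind == 3:
        img = basename(event["image"])
        host = event["dest_host"].lower()
        if img in PDF_READERS and host.endswith(SHORTENERS):
            return "shortened_url_from_pdf"
        if host.endswith(ARCHIVE_HOSTS):
            return "archive_host_contact"
    elif kind == 11:
        if ARCHIVE_EXT.search(event["target"]):
            return "archive_written"
    elif kind == 8:
        src = basename(event["source_image"])
        dst = basename(event["target_image"])
        if dst in BROWSER_TARGETS and src not in INJECTION_ALLOWLIST:
            return "remote_thread_into_ie"
    return None


def detect_chain(events):
    """Return the chain stages seen and whether they add up to an alert.

    The injection into Internet Explorer is the decisive step; on its own it
    is noisy, so the alert also requires at least one delivery indicator.
    """
    found = {stage for stage in (classify(e) for e in events) if stage}
    delivery = found & {"shortened_url_from_pdf", "archive_host_contact", "archive_written"}
    alert = "remote_thread_into_ie" in found and bool(delivery)
    return {"stages": found, "alert": alert}


if __name__ == "__main__":
    for name, events in (("sample", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        print(name, detect_chain(events))
```

The benign set shows the reason for requiring two stages: a browser fetching from Google Cloud Storage and Internet Explorer creating threads in its own tab processes are both everyday events, and neither alone should page an analyst.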

Usage of Bandook malware pays off: millions stolen already

Bandidos, sometimes also referred to as the Bandidos Revolution Team, have caused problems in Latin American cyberspace before. The gang's leader, Héctor Ortiz Solares, was arrested in 2019; he reportedly recruited highly skilled hackers to create malware for the gang. The gang used malware designed to exploit ATMs and attack Latin American banks, stealing millions of dollars through fraudulent transfers that affected several Mexican financial institutions[3].

The attackers rely mainly on Bandook, and this campaign is no exception. Bandook is an old remote access trojan; there are references to it being available online as early as 2005. Organized groups using it, however, were not documented until 2016[4].

In recent years, the Bandook trojan has been making a comeback. Three new samples were found, one of which supported 120 commands, and the campaigns using them hit government, financial, energy, food industry, healthcare, education, IT, and legal institutions in Chile, Cyprus, Germany, Indonesia, Italy, Singapore, Switzerland, Turkey, and the U.S. Cybersecurity researchers conclude that Bandook remains a relevant tool for cybercriminals.

Latin America becomes the epicenter of cyber attacks

Latin America has become a target for a number of hacking groups. The motive is usually money: financially motivated cyber threat activity is common in Brazil, Mexico, and Peru, and since 2017 ransomware incidents have become increasingly frequent as well.

The volume of attacks is also rising: Mandiant Threat Intelligence observed a 550% increase in threat actor incidents in the region from the first quarter of 2020 to the first quarter of 2021[5].

State-sponsored campaigns in the region are currently considered uncommon, but it is widely expected that they could become the next trend in regional cybercrime and cause significant damage.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst and the founder and owner of 2-Spyware. He currently serves as Editor-in-Chief.


References