近日,安全公司Fortinet FortiGuard Labs发布报告,揭露了一种名为Bandook的远程访问变种木马。该木马主要针对Windows 10、Windows 11等设备,可通过窃取敏感信息对用户造成损失。
Bandook最早可追溯到2007年,当时被描述为一种具有多种功能的成品恶意软件。本次曝光的最新版本通过钓鱼邮件传播,攻击者发送恶意PDF文件,其中嵌入了一个指向受密码保护的.7z压缩文件的链接。受害者提取密码后,恶意软件会将有效载荷注入msinfo32.exe,这是一个合法的Windows二进制文件,用于收集系统信息。
Bandook会更改Windows注册表,确保在后台运行,然后向其命令与控制(C2)服务器发出进一步指令。这些行为大致可分为文件操作、注册表操作、下载、信息窃取、文件执行、调用C2中DLL函数、控制受害者的计算机、卸载恶意软件等。
广告声明:本文含有的对外跳转链接,用于传递更多信息,节省甄选时间,结果仅供参考。
Title: Bandook Remote Access Trojan Exposed: Stealing Sensitive Information
Keywords: Bandook, Remote Access Trojan, Sensitive Information Theft
News Content:
Recently, security company Fortinet FortiGuard Labs has exposed a remote access variant of the trojan named Bandook. This trojan mainly targets devices running Windows 10 and Windows 11, stealing sensitive information from users.
Bandook can be traced back to 2007 when it was described as a malicious software with multiple functions. The latest version exposed this time spreads through phishing emails, with attackers sending malicious PDF files embedded with a link to a password-protected .7z compressed file. After the victim extracts the password, the malicious software injects its payload into msinfo32.exe, a legitimate Windows binary file used for collecting system information.
Bandook modifies the Windows registry to ensure background operation, then sends further instructions to its command and control (C2) server. These actions can be divided into file operations, registry operations, downloads, information theft, file execution, calling DLL functions in C2, controlling the victim’s computer, uninstalling malicious software, etc.
Advertising disclaimer: The external links contained in this article are for disseminating information, saving selection time, and providing reference results only.
【来源】https://www.ithome.com/0/743/705.htm
Views: 1