Caliente Bandits Target Spanish Speaking Individuals to Spread Bandook Malware
A new hacking gang TA2721 also commonly known as Caliente Bandits has been tracked by Proofpoint researchers since January 2021. As per the researchers, the group is actively targeting many industries, primarily focusing on entertainment and finance.
The organization is distributing a known but rarely employed, RAT trojan known as Bandook; they are using the Spanish language lures to do so. Researchers have labeled the group ‘Caliente Bandits’ as they use the hot-mail accounts. The Spanish term “Caliente” refers to “hot.”
Researchers with evidence had started tracking this group in January 2021 and it was observed around April that TA2721 distributes Bándok’s weekly email threats. Although the group is attacking several organizations across the world, those with Spanish surnames remain the primary target. It is worth noting that the ESET cybersecurity company initially disclosed malware data used by the group.
The campaign uses the very same budget or transaction theme to encourage users to download a PDF repetitively. A URL and password are included in the attached PDF which leads to the installation of a Bandook password-protected package.
According to Proofpoint, TA2721 sent emails in 2021, to fewer than 100 organizations. This list covered institutions in the United States, Europe, and South America. These attacks concentrated mostly on organizations with Spanish surnames like Pérez, Castillo, Ortiz, etc.
Reportedly, two variants of Bandook, commodities malware, were spread by the threat actor. Meanwhile, scientists observed the wrongdoer adopting detection evasion measures such as infected archives’ password encryption.
The threat actor would often send links from Hotmail or Gmail addresses to the Bandook download. Terms such as “PRESUPUEST” and “COTIZACION” are generally found in subject lines and email names. However, the actor shared URLs directly in one effort in June. Researchers have found that URLs used abbreviated URLs from bit.ly and rebrand.ly, which they have observed from January to June 2021. These links redirected to Spideroak[.]com, a real hosting file, for a counterfeit RAR file to be downloaded.
The Bandook – Remote Access Technology (RAT), which has been accessible commercially in the wild since 2007, was written in Delphi. It could be used for audio and video capturing and recording, keylogging, and data theft.
The evidence suggests that TA2721 will continue to use a small number of malware variants from Bandook, a comparable chain of infections, and pick few C2 domains. The precise targeting shows that the threat actor recognizes target entities prior to email threats are sent.
If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.