Bandook – A Persistent Threat That Keeps Evolving | FortiGuard Labs

Bandook is a long-running RAT that FortiGuard Labs found being distributed via a PDF that links to a password-protected .7z archive; once extracted, the malware injects into msinfo32.exe and uses registry-based control codes to drive actions and persistence. Its payload supports modular downloads (fcd.dll/pcd.dll), a rich C2 command set (e.g., @0003, @0124, @0138), and features screen capture, browser cookie theft, and multiple persistence methods. #Bandook #FortiGuardLabs

Keypoints

  • Delivery: A malicious PDF with a shortened URL downloads a password-protected .7z; extracting the archive provides the Bandook payload.
  • Injection: An injector component decrypts a resource payload and injects it into a new msinfo32.exe process, using PID-named registry keys for control.
  • Control codes: Registry-stored string control codes (not numbers) drive behavior; “GUM” establishes persistence and “ACG” enables module downloads.
  • Persistence: GUM drops SMC.exe or SMC.cpl to %APPDATA%\SMC and creates Run/Winlogon/Load registry entries to auto-execute the copy.
  • C2 and modules: The payload can download fcd.dll/pcd.dll or other executables from C2, call exported functions (e.g., Init), and use a formatted command protocol ({Command}~!{Arg2}~!…).
  • Capabilities: Commands cover file read and exfiltration (@0003/@0004), file write (@0006/@0007), Python execution (@0126–@0128), screen monitoring and control (@0124), browser cookie collection (@0139), and fallback C2 URLs (@0138).
  • IOCs: Fortinet published C2 IPs (77[.]91[.]100[.]237, 45[.]67[.]34[.]219), multiple file hashes, and registry key names used for control and backups.

MITRE Techniques

  • [T1204.002] User Execution – Delivery via a PDF that contains a shortened URL which “downloads a password-protected .7z file. After the victim extracts the malware…”
  • [T1055] Process Injection – The injector “decrypts the payload in the resource table and injects it into msinfo32.exe.”
  • [T1547.001] Registry Run Keys/Start Folder – Persistence created by dropping SMC.exe/SMC.cpl and writing Run/Winlogon/Load registry values: “creates a registry key to automatically execute the copy.”
  • [T1105] Ingress Tool Transfer – Payload can “download files for other modules, including fcd.dll, pcd.dll, an executable file,” from C2 or via downloads.
  • [T1071.001] Application Layer Protocol – C2 communication sends victim info and receives commands using formatted packets: “{Command}~!{Arg2}~!{Arg3}~!…” and encrypted traffic.
  • [T1041] Exfiltration Over C2 Channel – File exfiltration via commands such as @0003/@0004 where “Bandook sends the file specified by Arg2 to the C2 server.”
  • [T1113] Screen Capture – The @0124 command causes Bandook to monitor the victim’s screen and “creates another thread to keep sending screenshots to the server.”
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Bandook “overwrites the config file of Firefox pref.js” and “disables protection mechanisms in Microsoft Edge” to weaken browser protections.

Indicators of Compromise

  • [IP] C2 servers – 77[.]91[.]100[.]237, 45[.]67[.]34[.]219
  • [File hash] Malware binaries observed – 8904ce99827280e447cb19cf226f814b24b0b4eec18dd758e7fb93476b7bf8b8, d3e7b5be903eb9a596b9b2b78e5dd28390c6aadb8bdd4ea1ba3d896d99fa0057, and 5 more hashes.
  • [File name] Persistence artifacts – %APPDATA%\SMC\SMC.exe, %APPDATA%\SMC\SMC.cpl (dropped SMC copy used for autostart).
  • [DLL] Downloaded modules – fcd.dll, pcd.dll (modules downloaded and invoked by the payload).
  • [Registry key] Control/backups – PID-named registry keys used for control; kPYXM under HKCU\Software\AkZhAyV0 (encrypted backup URLs); pthma under HKCU\Software (used for {Parent directory}).
  • [Delivery] Malicious document mechanism – PDF containing a shortened URL that retrieves a password-protected .7z archive which contains the payload.

The technical infection chain begins with a PDF that points to a shortened URL hosting a password-protected .7z archive; when the user extracts it with the provided password, an injector executable decrypts a payload resource and spawns a new msinfo32.exe process, writing registry keys named with the target PID to store string control codes. The injected payload initializes its strings and APIs, looks up the PID-named registry key, decodes the stored control-code value (e.g., “GUM” for persistence, “ACG” for module download), and executes actions based on those codes rather than numeric flags.

GUM causes the malware to drop a copy to %APPDATA%\SMC (as SMC.exe or SMC.cpl) and establish autostart via Run, Winlogon shell, and Windows Load entries. ACG enables downloading of modules (fcd.dll, pcd.dll, executables) from the C2 or other hosts; downloaded DLLs are loaded and their exported functions (for example, Init) are invoked, with registry key names passed as arguments. Complex actions are implemented across multiple commands and registry keys—for example, file-read uses @0003 then waits for @0004 before sending the specified file to the C2, and file-write uses @0006/@0007 in a similar two-step pattern.

The C2 protocol is formatted as {Command}~!{Arg2}~!{Arg3}~!…, supports up to hundreds of command IDs, and includes capabilities such as Python execution (@0126–@0128 running Libdpx.pyc via ShellExecute), screen monitoring and remote control (@0124 which overwrites Firefox pref.js, disables Edge protections, creates a virtual desktop, and sends “AVE_MARIA” plus a control number before streaming screenshots), cookie harvesting (@0139 saving browser cookies to Default.json in a zip), and fallback encrypted backup URLs (@0138 written to kPYXM for sequential retry). Newer variants also streamline control-code usage and remove unused codes, but retain ACG and GUM as primary functional controls.
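The packet format and the two-step file commands described in the two paragraphs above, as an added triage helper (not code from the Fortinet report or from the malware): it splits `{Command}~!{Arg2}~!…` packets, maps the command IDs the report names to their capabilities, and replays a captured sequence so an analyst can see which @0003/@0004 pairs turned into exfiltration. The sample packets and the assumption that Arg2 of @0006 is the target path are constructed for illustration.

```python
"""Parser and triage helper for Bandook-style C2 command packets.
Format from the report: "{Command}~!{Arg2}~!{Arg3}~!..."; command IDs are
those named in the report, sample packets are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SEPARATOR = "~!"

# Command IDs and the capability the report attributes to each.
CAPABILITIES = {
    "@0003": "file-read request (Arg2 = path; waits for @0004)",
    "@0004": "file-read confirmation (sends pending file to C2)",
    "@0006": "file-write request (waits for @0007)",
    "@0007": "file-write confirmation",
    "@0124": "screen monitoring / remote control",
    "@0126": "python execution", "@0127": "python execution",
    "@0128": "python execution",
    "@0138": "fallback C2 URL update",
    "@0139": "browser cookie collection",
}


def parse_packet(packet: str) -> Tuple[str, List[str]]:
    """Split a packet into its command ID and positional arguments."""
    fields = packet.split(SEPARATOR)
    command = fields[0]
    if not (command.startswith("@") and command[1:].isdigit()):
        raise ValueError(f"not a command packet: {packet!r}")
    return command, [f for f in fields[1:] if f != ""]  # drop trailing empty


@dataclass
class CommandTracker:
    """Replays packets in order and records completed two-step operations."""
    pending_read: Optional[str] = None
    pending_write: Optional[str] = None   # Arg2 = path is an assumption
    events: List[str] = field(default_factory=list)

    def feed(self, packet: str) -> str:
        command, args = parse_packet(packet)
        label = CAPABILITIES.get(command, "unknown/undocumented command")
        if command == "@0003":
            self.pending_read = args[0] if args else None
        elif command == "@0004":              # only meaningful after @0003
            if self.pending_read:
                self.events.append(f"exfiltration of {self.pending_read}")
            self.pending_read = None
        elif command == "@0006":
            self.pending_write = args[0] if args else None
        elif command == "@0007":
            if self.pending_write:
                self.events.append(f"write to {self.pending_write}")
            self.pending_write = None
        elif command in CAPABILITIES:
            self.events.append(label)
        return label
```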

Read more: https://www.fortinet.com/blog/threat-research/bandook-persistent-threat-that-keeps-evolving