BRONZE BUTLER
Associated Group Descriptions |
|
| Name | Description |
|---|---|
| REDBALDKNIGHT | (Citation: Trend Micro Daserf Nov 2017)(Citation: Trend Micro Tick November 2019) |
| Tick | (Citation: Trend Micro Daserf Nov 2017)(Citation: Symantec Tick Apr 2016)(Citation: Trend Micro Tick November 2019) |
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1548 | .002 | Abuse Elevation Control Mechanism: Bypass User Account Control |
BRONZE BUTLER has used a Windows 10 specific tool and xxmm to bypass UAC for privilege escalation.(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019) |
| Enterprise | T1087 | .002 | Account Discovery: Domain Account |
BRONZE BUTLER has used |
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
BRONZE BUTLER malware has used HTTP for C2.(Citation: Secureworks BRONZE BUTLER Oct 2017) |
| Enterprise | T1560 | .001 | Archive Collected Data: Archive via Utility |
BRONZE BUTLER has compressed data into password-protected RAR archives prior to exfiltration.(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019) |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
BRONZE BUTLER has used a batch script that adds a Registry Run key to establish malware persistence.(Citation: Secureworks BRONZE BUTLER Oct 2017) |
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
BRONZE BUTLER has used PowerShell for execution.(Citation: Secureworks BRONZE BUTLER Oct 2017) |
| .003 | Command and Scripting Interpreter: Windows Command Shell |
BRONZE BUTLER has used batch scripts and the command-line interface for execution.(Citation: Secureworks BRONZE BUTLER Oct 2017) |
||
| .005 | Command and Scripting Interpreter: Visual Basic |
BRONZE BUTLER has used VBS and VBE scripts for execution.(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019) |
||
| .006 | Command and Scripting Interpreter: Python |
BRONZE BUTLER has made use of Python-based remote access tools.(Citation: Trend Micro Tick November 2019) |
||
| Enterprise | T1132 | .001 | Data Encoding: Standard Encoding |
Several BRONZE BUTLER tools encode data with base64 when posting it to a C2 server.(Citation: Secureworks BRONZE BUTLER Oct 2017) |
| Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
BRONZE BUTLER has used RC4 encryption (for Datper malware) and AES (for xxmm malware) to obfuscate HTTP traffic. BRONZE BUTLER has also used a tool called RarStar that encodes data with a custom XOR algorithm when posting it to a C2 server.(Citation: Secureworks BRONZE BUTLER Oct 2017) |
| Enterprise | T1574 | .002 | Hijack Execution Flow: DLL Side-Loading |
BRONZE BUTLER has used legitimate applications to side-load malicious DLLs.(Citation: Trend Micro Tick November 2019) |
| Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
BRONZE BUTLER has incorporated code into several tools that attempts to terminate anti-virus processes.(Citation: Trend Micro Tick November 2019) |
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
The BRONZE BUTLER uploader or malware the uploader uses |
| Enterprise | T1036 | .002 | Masquerading: Right-to-Left Override |
BRONZE BUTLER has used Right-to-Left Override to deceive victims into executing several strains of malware.(Citation: Trend Micro Tick November 2019) |
| .005 | Masquerading: Match Legitimate Name or Location |
BRONZE BUTLER has given malware the same name as an existing file on the file share server to cause users to unwittingly launch and install the malware on additional systems.(Citation: Secureworks BRONZE BUTLER Oct 2017) |
||
| Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
BRONZE BUTLER has used various tools (such as Mimikatz and WCE) to perform credential dumping.(Citation: Secureworks BRONZE BUTLER Oct 2017) |
| Enterprise | T1027 | .001 | Obfuscated Files or Information: Binary Padding |
BRONZE BUTLER downloader code has included "0" characters at the end of the file to inflate the file size in a likely attempt to evade anti-virus detection.(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019) |
| .003 | Obfuscated Files or Information: Steganography |
BRONZE BUTLER has used steganography in multiple operations to conceal malicious payloads.(Citation: Trend Micro Tick November 2019) |
||
| Enterprise | T1588 | .002 | Obtain Capabilities: Tool |
BRONZE BUTLER has obtained and used open-source tools such as Mimikatz, gsecdump, and Windows Credential Editor.(Citation: Symantec Tick Apr 2016) |
| Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
BRONZE BUTLER used spearphishing emails with malicious Microsoft Word attachments to infect victims.(Citation: Symantec Tick Apr 2016)(Citation: Trend Micro Tick November 2019) |
| Enterprise | T1053 | .002 | Scheduled Task/Job: At |
BRONZE BUTLER has used at to register a scheduled task to execute malware during lateral movement.(Citation: Secureworks BRONZE BUTLER Oct 2017) |
| .005 | Scheduled Task/Job: Scheduled Task |
BRONZE BUTLER has used schtasks to register a scheduled task to execute malware during lateral movement.(Citation: Secureworks BRONZE BUTLER Oct 2017) |
||
| Enterprise | T1550 | .003 | Use Alternate Authentication Material: Pass the Ticket |
BRONZE BUTLER has created forged Kerberos Ticket Granting Ticket (TGT) and Ticket Granting Service (TGS) tickets to maintain administrative access.(Citation: Secureworks BRONZE BUTLER Oct 2017) |
| Enterprise | T1204 | .002 | User Execution: Malicious File |
BRONZE BUTLER has attempted to get users to launch malicious Microsoft Word attachments delivered via spearphishing emails.(Citation: Symantec Tick Apr 2016)(Citation: Trend Micro Tick November 2019) |
| Enterprise | T1102 | .001 | Web Service: Dead Drop Resolver |
BRONZE BUTLER's MSGET downloader uses a dead drop resolver to access malicious payloads.(Citation: Secureworks BRONZE BUTLER Oct 2017) |
References
- Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
- Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
- DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.
- Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
- Insikt Group. (2021, February 28). China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions. Retrieved March 22, 2021.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.