BBSRAT

BBSRAT uses GET and POST requests over HTTP or HTTPS for command and control to obtain commands and send ZLIB compressed data back to the C2 server.(Citation: Palo Alto Networks BBSRAT)

BBSRAT can compress data with ZLIB prior to sending it back to the C2 server.(Citation: Palo Alto Networks BBSRAT)

BBSRAT has been loaded through DLL side-loading of a legitimate Citrix executable that is set to persist through the Registry Run key location HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssonsvr.exe.

BBSRAT can modify service configurations.(Citation: Palo Alto Networks BBSRAT)

BBSRAT uses a custom encryption algorithm on data sent back to the C2 server over HTTP.(Citation: Palo Alto Networks BBSRAT)

BBSRAT has been seen persisting via COM hijacking through replacement of the COM object for MruPidlList {42aedc87-2188-41fd-b9a3-0c966feabec1} or Microsoft WBEM New Event Subsystem {F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} depending on the system's CPU architecture.(Citation: Palo Alto Networks BBSRAT)

DLL side-loading has been used to execute BBSRAT through a legitimate Citrix executable, ssonsvr.exe. The Citrix executable was dropped along with BBSRAT by the dropper.(Citation: Palo Alto Networks BBSRAT)

BBSRAT can delete files and directories.(Citation: Palo Alto Networks BBSRAT)

BBSRAT has been seen loaded into msiexec.exe through process hollowing to hide its execution.(Citation: Palo Alto Networks BBSRAT)

BBSRAT can start, stop, or delete services.(Citation: Palo Alto Networks BBSRAT)