Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Bankshot

Bankshot is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. In 2018, Lazarus Group used the Bankshot implant in attacks against the Turkish financial sector. (Citation: McAfee Bankshot)
ID: S0239
Associated Software: Trojan Manuscript
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 17 Oct 2018
Last Modified: 30 Mar 2020

Associated Software Descriptions

Name Description
Trojan Manuscript (Citation: McAfee Bankshot)

Techniques Used

Domain ID Name Use
Enterprise T1134 .002 Access Token Manipulation: Create Process with Token

Bankshot grabs a user token using WTSQueryUserToken and then creates a process by impersonating a logged-on user.(Citation: McAfee Bankshot)

Enterprise T1087 .001 Account Discovery: Local Account

Bankshot gathers domain and account names/information through process monitoring.(Citation: McAfee Bankshot)

.002 Account Discovery: Domain Account

Bankshot gathers domain and account names/information through process monitoring.(Citation: McAfee Bankshot)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Bankshot uses HTTP for command and control communication.(Citation: McAfee Bankshot)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Bankshot uses the command-line interface to execute arbitrary commands.(Citation: McAfee Bankshot)(Citation: US-CERT Bankshot Dec 2017)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Bankshot can terminate a specific process by its process id.(Citation: McAfee Bankshot)(Citation: US-CERT Bankshot Dec 2017)

Enterprise T1132 .002 Data Encoding: Non-Standard Encoding

Bankshot encodes commands from the control server using a range of characters and gzip.(Citation: McAfee Bankshot)

Enterprise T1001 .003 Data Obfuscation: Protocol or Service Impersonation

Bankshot generates a false TLS handshake using a public certificate to disguise C2 network communications.(Citation: MAR10135536-B)

Enterprise T1070 .004 Indicator Removal: File Deletion

Bankshot marks files to be deleted upon the next system reboot and uninstalls and removes itself from the system.(Citation: McAfee Bankshot)

.006 Indicator Removal: Timestomp

Bankshot modifies the time of a file as specified by the control server.(Citation: McAfee Bankshot)

Groups That Use This Software

ID Name References
G0032 Lazarus Group

(Citation: McAfee Bankshot)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.