Bankshot
Associated Software Descriptions

Name | Description
---|---
Trojan Manuscript | (Citation: McAfee Bankshot)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1134.002 | Access Token Manipulation: Create Process with Token | Bankshot obtains the primary token of a logged-on user with WTSQueryUserToken and then creates a process under that token, so the new process runs as the impersonated user.(Citation: McAfee Bankshot)
Enterprise | T1087.001 | Account Discovery: Local Account | Bankshot gathers domain and account names/information through process monitoring.(Citation: McAfee Bankshot)
Enterprise | T1087.002 | Account Discovery: Domain Account | Bankshot gathers domain and account names/information through process monitoring.(Citation: McAfee Bankshot)
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Bankshot uses HTTP for command and control communication.(Citation: McAfee Bankshot)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Bankshot uses the Windows command-line interface to execute arbitrary commands.(Citation: McAfee Bankshot)(Citation: US-CERT Bankshot Dec 2017)
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Bankshot can terminate a specific process by its process id.(Citation: McAfee Bankshot)(Citation: US-CERT Bankshot Dec 2017)
Enterprise | T1132.002 | Data Encoding: Non-Standard Encoding | Bankshot encodes commands from the control server using a range of characters and gzip.(Citation: McAfee Bankshot)
Enterprise | T1001.003 | Data Obfuscation: Protocol or Service Impersonation | Bankshot generates a false TLS handshake using a public certificate to disguise C2 network communications.(Citation: MAR10135536-B)
Enterprise | T1070.004 | Indicator Removal: File Deletion | Bankshot marks files to be deleted upon the next system reboot, and can uninstall and remove itself from the system.(Citation: McAfee Bankshot)
Enterprise | T1070.006 | Indicator Removal: Timestomp | Bankshot modifies the timestamps of a file to values specified by the control server.(Citation: McAfee Bankshot)
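The T1134.002 row describes a service-level process taking a logged-on user's token and spawning a child under it. In process-creation telemetry that shows up as a parent running as a service account whose child runs as an interactive user. The following detection logic is an added example written for this page; it is not code from the Bankshot reports or from MITRE. The flat `Key=Value|Key=Value` record form, the allowlist of legitimate launchers, and every host, path and account in the sample events are constructed assumptions for illustration.

```python
"""Flag process creations where a service-account parent spawns a child under a
logged-on user's token (the WTSQueryUserToken -> CreateProcessAsUser pattern).
Added example; the event format, hosts, paths and accounts are constructed and
are not taken from the Bankshot reports."""
from dataclasses import dataclass

# Accounts that a Windows service normally runs as.
SERVICE_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}

# Service-level parents that legitimately launch processes with a user's token
# (logon flow, Task Scheduler). Assumed allowlist; tune it per environment.
KNOWN_TOKEN_LAUNCHERS = {
    r"c:\windows\system32\winlogon.exe",
    r"c:\windows\system32\userinit.exe",
    r"c:\windows\system32\svchost.exe",
}


@dataclass
class ProcessEvent:
    image: str
    user: str
    parent_image: str
    parent_user: str
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one 'Key=Value|Key=Value' record, a constructed flat rendering of
    the fields a Sysmon Event ID 1 (process creation) event carries."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcessEvent(
        image=fields["Image"],
        user=fields["User"],
        parent_image=fields["ParentImage"],
        parent_user=fields["ParentUser"],
        command_line=fields.get("CommandLine", ""),
    )


def is_user_token_spawn(ev: ProcessEvent) -> bool:
    """True when a service-account parent creates a child that runs as a
    non-service account and the parent is not a known launcher."""
    if ev.parent_user.upper() not in SERVICE_ACCOUNTS:
        return False
    if ev.user.upper() in SERVICE_ACCOUNTS:
        return False
    return ev.parent_image.lower() not in KNOWN_TOKEN_LAUNCHERS


def find_user_token_spawns(lines):
    """Return the events in `lines` that match the impersonation heuristic."""
    return [ev for ev in map(parse_event, lines) if is_user_token_spawn(ev)]


# Constructed sample events (not real telemetry). The second one models an
# unknown SYSTEM-level binary starting cmd.exe as the logged-on user.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\userinit.exe|User=CORP\\alice"
    "|ParentImage=C:\\Windows\\System32\\winlogon.exe|ParentUser=NT AUTHORITY\\SYSTEM",
    "Image=C:\\Windows\\System32\\cmd.exe|User=CORP\\alice"
    "|ParentImage=C:\\Windows\\Temp\\svc_update.exe|ParentUser=NT AUTHORITY\\SYSTEM"
    "|CommandLine=cmd.exe /c whoami",
    "Image=C:\\Windows\\System32\\whoami.exe|User=CORP\\alice"
    "|ParentImage=C:\\Windows\\System32\\cmd.exe|ParentUser=CORP\\alice",
    "Image=C:\\Windows\\System32\\svchost.exe|User=NT AUTHORITY\\SYSTEM"
    "|ParentImage=C:\\Windows\\System32\\services.exe|ParentUser=NT AUTHORITY\\SYSTEM",
]

if __name__ == "__main__":
    for ev in find_user_token_spawns(SAMPLE_EVENTS):
        print(f"suspicious: {ev.parent_image} ({ev.parent_user}) "
              f"-> {ev.image} as {ev.user}: {ev.command_line}")
```

The allowlist is where the tuning happens: winlogon, userinit and the Task Scheduler host do exactly this on every logon, so a bare "SYSTEM parent, user child" rule is noisy. Pairing the hit with the child image (a shell, as in the T1059.003 row) and an unsigned or unusual parent path is what makes it actionable.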
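The two Indicator Removal rows (T1070.004 and T1070.006) both leave host artifacts a responder can check. Delete-on-reboot is implemented in Windows by MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which queues the operation in the PendingFileRenameOperations registry value until the next boot; a file time set from a server-supplied value lands on an exact second, which normal I/O almost never does. The triage helpers below are an added example for this page, not code from the Bankshot reports or from MITRE. The sample registry contents and file paths are constructed, and the timestamp heuristics are assumptions to tune rather than indicators from the source reports.

```python
"""Triage helpers for the File Deletion and Timestomp rows: decode files queued
for deletion at next reboot from PendingFileRenameOperations, and flag file
times that look set by SetFileTime rather than by ordinary writes.
Added example; the sample registry value and paths are constructed."""
import os
import sys
from typing import Iterable, List, Optional, Tuple

PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"


def pending_file_ops(values: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Decode the REG_MULTI_SZ value into (operation, source, destination).

    The value is a flat list of source/destination pairs. An empty destination
    means delete-on-reboot; a destination prefixed with '!' means the existing
    target is replaced (MOVEFILE_REPLACE_EXISTING)."""
    values = list(values)
    if len(values) % 2:          # tolerate a missing trailing destination
        values.append("")
    ops = []
    for src, dst in zip(values[0::2], values[1::2]):
        if dst == "":
            ops.append(("delete", src, ""))
        elif dst.startswith("!"):
            ops.append(("replace", src, dst[1:]))
        else:
            ops.append(("rename", src, dst))
    return ops


def read_pending_ops_windows():
    """Read the live value on Windows. Returns None on other platforms and an
    empty list when nothing is queued."""
    if os.name != "nt":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY) as key:
            data, _kind = winreg.QueryValueEx(key, PENDING_VALUE)
    except FileNotFoundError:
        return []
    return pending_file_ops(data)


def timestamp_anomalies(mtime_ns: int, creation_ns: Optional[int] = None) -> List[str]:
    """Heuristics for a stomped file time (assumed thresholds, not from the
    reports): a modification time on an exact second boundary, and a
    modification time earlier than the creation time."""
    reasons = []
    if mtime_ns % 1_000_000_000 == 0:
        reasons.append("whole-second mtime")
    if creation_ns is not None and mtime_ns < creation_ns:
        reasons.append("mtime earlier than creation time")
    return reasons


def scan_dir(root: str):
    """Walk a directory tree and report files with timestamp anomalies."""
    findings = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            # st_ctime is creation time only on Windows; elsewhere it is the
            # inode change time, so the ordering check is skipped there.
            creation = st.st_ctime_ns if os.name == "nt" else None
            reasons = timestamp_anomalies(st.st_mtime_ns, creation)
            if reasons:
                findings[path] = reasons
    return findings


# Constructed example of the registry value, in the list form winreg returns.
SAMPLE_PENDING = [
    r"\??\C:\Windows\Temp\~DF3A1.tmp", "",
    r"\??\C:\Users\alice\AppData\Local\Temp\svc_update.exe", "",
    r"\??\C:\Windows\System32\drivers\example.sys.new",
    r"!\??\C:\Windows\System32\drivers\example.sys",
]

if __name__ == "__main__":
    live = read_pending_ops_windows()
    ops = live if live is not None else pending_file_ops(SAMPLE_PENDING)
    for op, src, dst in ops:
        print(f"{op:8} {src} {dst}".rstrip())
    for path, reasons in scan_dir(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, "->", ", ".join(reasons))
```

Queued deletions are not malicious by themselves: installers and Windows Update leave rename and replace entries routinely, so the value of the list is in cross-referencing the queued sources against process-creation and file-write telemetry from the same window. The whole-second check needs the same care; filesystems with coarse timestamp resolution (FAT, some network shares) will flag everything, so restrict it to NTFS volumes and treat it as a lead rather than a verdict.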
Groups That Use This Software

ID | Name | References
---|---|---
G0032 | Lazarus Group | (Citation: McAfee Bankshot)
References
- US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
- Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.