Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент Bisonal
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
Bisonal
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Bisonal

Bisonal is a remote access tool (RAT) that has been used by Tonto Team against public and private sector organizations in Russia, South Korea, and Japan since at least December 2010.(Citation: Unit 42 Bisonal July 2018)(Citation: Talos Bisonal Mar 2020)
ID: S0268
Type: MALWARE
Platforms: Windows
Version: 2.0
Created: 17 Oct 2018
Last Modified: 18 Apr 2022

Techniques Used
Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Bisonal has used HTTP for C2 communications.(Citation: Unit 42 Bisonal July 2018)(Citation: Kaspersky CactusPete Aug 2020)
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Bisonal has added itself to the Registry key HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Run\ for persistence.(Citation: Unit 42 Bisonal July 2018)(Citation: Talos Bisonal Mar 2020)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Bisonal has launched cmd.exe and used the ShellExecuteW() API function to execute commands on the system.(Citation: Unit 42 Bisonal July 2018)(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020)
.005 Command and Scripting Interpreter: Visual Basic

Bisonal's dropper creates VBS scripts on the victim’s machine.(Citation: Unit 42 Bisonal July 2018)(Citation: Talos Bisonal Mar 2020)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Bisonal has been modified to be used as a Windows service.(Citation: Talos Bisonal Mar 2020)

Enterprise T1132 .001 Data Encoding: Standard Encoding

Bisonal has encoded binary data with Base64 and ASCII.(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Bisonal variants reported on in 2014 and 2015 used a simple XOR cipher for C2. Some Bisonal samples encrypt C2 communications with RC4.(Citation: Unit 42 Bisonal July 2018)(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020)

Enterprise T1070 .004 Indicator Removal: File Deletion

Bisonal will delete its dropper and VBS scripts from the victim’s machine.(Citation: Unit 42 Bisonal July 2018)(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020)
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Bisonal has renamed malicious code to `msacm32.dll` to hide within a legitimate library; earlier versions were disguised as `winhelp`.(Citation: Talos Bisonal Mar 2020)

Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

Bisonal has appended random binary data to the end of itself to generate a large binary.(Citation: Talos Bisonal Mar 2020)

.002 Obfuscated Files or Information: Software Packing

Bisonal has used the MPRESS packer and similar tools for obfuscation.(Citation: Talos Bisonal Mar 2020)

Enterprise T1137 .006 Office Application Startup: Add-ins

Bisonal has been loaded through a `.wll` extension added to the ` %APPDATA%\microsoft\word\startup\` repository.(Citation: Talos Bisonal Mar 2020)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Bisonal has been delivered as malicious email attachments.(Citation: Talos Bisonal Mar 2020)

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Bisonal has used rundll32.exe to execute as part of the Registry Run key it adds: HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\Run\”vert” = “rundll32.exe c:\windows\temp\pvcu.dll , Qszdez”.(Citation: Unit 42 Bisonal July 2018)
Enterprise T1204 .002 User Execution: Malicious File

Bisonal has relied on users to execute malicious file attachments delivered via spearphishing emails.(Citation: Talos Bisonal Mar 2020)

Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

Bisonal has checked if the malware is running in a virtual environment with the anti-debug function GetTickCount() to compare the timing.(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020)

Groups That Use This Software
ID Name References
G0131 Tonto Team

(Citation: Kaspersky CactusPete Aug 2020) (Citation: Secureworks BRONZE HUNTLEY ) (Citation: Talos Bisonal Mar 2020)

References

  1. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  2. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
  3. Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.
  4. Secureworks. (2021, January 1). BRONZE HUNTLEY Threat Profile. Retrieved May 5, 2021.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.