Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Bisonal

Bisonal is a remote access tool (RAT) that has been used by Tonto Team against public and private sector organizations in Russia, South Korea, and Japan since at least December 2010.(Citation: Unit 42 Bisonal July 2018)(Citation: Talos Bisonal Mar 2020)
ID: S0268
Type: MALWARE
Platforms: Windows
Version: 2.1
Created: 17 Oct 2018
Last Modified: 11 Apr 2024

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Bisonal has used HTTP for C2 communications.(Citation: Unit 42 Bisonal July 2018)(Citation: Kaspersky CactusPete Aug 2020)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Bisonal has added itself to the Registry key HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Run\ for persistence.(Citation: Unit 42 Bisonal July 2018)(Citation: Talos Bisonal Mar 2020)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Bisonal has launched cmd.exe and used the ShellExecuteW() API function to execute commands on the system.(Citation: Unit 42 Bisonal July 2018)(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020)

.005 Command and Scripting Interpreter: Visual Basic

Bisonal's dropper creates VBS scripts on the victim’s machine.(Citation: Unit 42 Bisonal July 2018)(Citation: Talos Bisonal Mar 2020)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Bisonal has been modified to be used as a Windows service.(Citation: Talos Bisonal Mar 2020)

Enterprise T1132 .001 Data Encoding: Standard Encoding

Bisonal has encoded binary data with Base64 and ASCII.(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Bisonal variants reported on in 2014 and 2015 used a simple XOR cipher for C2. Some Bisonal samples encrypt C2 communications with RC4.(Citation: Unit 42 Bisonal July 2018)(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020)

Enterprise T1070 .004 Indicator Removal: File Deletion

Bisonal will delete its dropper and VBS scripts from the victim’s machine.(Citation: Unit 42 Bisonal July 2018)(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Bisonal has renamed malicious code to `msacm32.dll` to hide within a legitimate library; earlier versions were disguised as `winhelp`.(Citation: Talos Bisonal Mar 2020)

Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

Bisonal has appended random binary data to the end of itself to generate a large binary.(Citation: Talos Bisonal Mar 2020)

.002 Obfuscated Files or Information: Software Packing

Bisonal has used the MPRESS packer and similar tools for obfuscation.(Citation: Talos Bisonal Mar 2020)

.013 Obfuscated Files or Information: Encrypted/Encoded File

Bisonal's DLL file and non-malicious decoy file are encrypted with RC4 and some function name strings are obfuscated.(Citation: Unit 42 Bisonal July 2018)(Citation: Talos Bisonal Mar 2020)

Enterprise T1137 .006 Office Application Startup: Add-ins

Bisonal has been loaded through a `.wll` extension added to the ` %APPDATA%\microsoft\word\startup\` repository.(Citation: Talos Bisonal Mar 2020)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Bisonal has been delivered as malicious email attachments.(Citation: Talos Bisonal Mar 2020)

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Bisonal has used rundll32.exe to execute as part of the Registry Run key it adds: HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\Run\”vert” = “rundll32.exe c:\windows\temp\pvcu.dll , Qszdez”.(Citation: Unit 42 Bisonal July 2018)

Enterprise T1204 .002 User Execution: Malicious File

Bisonal has relied on users to execute malicious file attachments delivered via spearphishing emails.(Citation: Talos Bisonal Mar 2020)

Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

Bisonal has checked if the malware is running in a virtual environment with the anti-debug function GetTickCount() to compare the timing.(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020)

Groups That Use This Software

ID Name References
G0131 Tonto Team

(Citation: Kaspersky CactusPete Aug 2020) (Citation: Secureworks BRONZE HUNTLEY ) (Citation: Talos Bisonal Mar 2020)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.