Bisonal
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Bisonal has used HTTP for C2 communications.(Citation: Unit 42 Bisonal July 2018)(Citation: Kaspersky CactusPete Aug 2020)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Bisonal has added itself to the Registry key
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Bisonal has launched cmd.exe and used the ShellExecuteW() API function to execute commands on the system.(Citation: Unit 42 Bisonal July 2018)(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020)
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Bisonal's dropper creates VBS scripts on the victim's machine.(Citation: Unit 42 Bisonal July 2018)(Citation: Talos Bisonal Mar 2020)
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Bisonal has been modified to run as a Windows service.(Citation: Talos Bisonal Mar 2020)
Enterprise | T1132.001 | Data Encoding: Standard Encoding | Bisonal has encoded binary data with Base64 and ASCII.(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020)
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Bisonal variants reported on in 2014 and 2015 used a simple XOR cipher for C2. Some Bisonal samples encrypt C2 communications with RC4.(Citation: Unit 42 Bisonal July 2018)(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020)
Enterprise | T1070.004 | Indicator Removal: File Deletion | Bisonal deletes its dropper and VBS scripts from the victim's machine.(Citation: Unit 42 Bisonal July 2018)(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020)
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Bisonal has renamed malicious code to `msacm32.dll` to hide within a legitimate library; earlier versions were disguised as `winhelp`.(Citation: Talos Bisonal Mar 2020)
Enterprise | T1027.001 | Obfuscated Files or Information: Binary Padding | Bisonal has appended random binary data to the end of itself to produce a large binary.(Citation: Talos Bisonal Mar 2020)
Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | Bisonal has used the MPRESS packer and similar tools for obfuscation.(Citation: Talos Bisonal Mar 2020)
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Bisonal's DLL file and non-malicious decoy file are encrypted with RC4, and some function name strings are obfuscated.(Citation: Unit 42 Bisonal July 2018)(Citation: Talos Bisonal Mar 2020)
Enterprise | T1137.006 | Office Application Startup: Add-ins | Bisonal has been loaded through a `.wll` add-in placed in the `%APPDATA%\microsoft\word\startup\` directory.(Citation: Talos Bisonal Mar 2020)
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Bisonal has been delivered as a malicious email attachment.(Citation: Talos Bisonal Mar 2020)
Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | Bisonal has used rundll32.exe to execute as part of the Registry Run key it adds:
Enterprise | T1204.002 | User Execution: Malicious File | Bisonal has relied on users to execute malicious file attachments delivered via spearphishing emails.(Citation: Talos Bisonal Mar 2020)
Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | Bisonal has checked whether it is running in a virtual environment by using the anti-debug function GetTickCount() to compare timings.(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020)
Groups That Use This Software

ID | Name | References
---|---|---
G0131 | Tonto Team | (Citation: Kaspersky CactusPete Aug 2020)(Citation: Secureworks BRONZE HUNTLEY)(Citation: Talos Bisonal Mar 2020)
References
- Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
- Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
- Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.
- Secureworks. (2021, January 1). BRONZE HUNTLEY Threat Profile. Retrieved May 5, 2021.