
G0060 BRONZE BUTLER

BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.[1][2][3]

| Item | Value |
| --- | --- |
| ID | G0060 |
| Associated Names | REDBALDKNIGHT, Tick |
| Version | 1.3 |
| Created | 16 January 2018 |
| Last Modified | 12 October 2021 |
| Navigation Layer | View In ATT&CK® Navigator |

Associated Group Descriptions

| Name | Description |
| --- | --- |
| REDBALDKNIGHT | [1][3] |
| Tick | [1][4][3] |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| enterprise | T1548.002 | Bypass User Account Control | BRONZE BUTLER has used a Windows 10 specific tool and xxmm to bypass UAC for privilege escalation.[2][3] |
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.002 | Domain Account | BRONZE BUTLER has used net user /domain to identify account information.[2] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | BRONZE BUTLER malware has used HTTP for C2.[2] |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | BRONZE BUTLER has compressed data into password-protected RAR archives prior to exfiltration.[2][3] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | BRONZE BUTLER has used a batch script that adds a Registry Run key to establish malware persistence.[2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | BRONZE BUTLER has used PowerShell for execution.[2] |
| enterprise | T1059.003 | Windows Command Shell | BRONZE BUTLER has used batch scripts and the command-line interface for execution.[2] |
| enterprise | T1059.005 | Visual Basic | BRONZE BUTLER has used VBS and VBE scripts for execution.[2][3] |
| enterprise | T1059.006 | Python | BRONZE BUTLER has made use of Python-based remote access tools.[3] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | Several BRONZE BUTLER tools encode data with base64 when posting it to a C2 server.[2] |
| enterprise | T1005 | Data from Local System | BRONZE BUTLER has exfiltrated files stolen from local systems.[2] |
| enterprise | T1039 | Data from Network Shared Drive | BRONZE BUTLER has exfiltrated files stolen from file shares.[2] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | BRONZE BUTLER downloads encoded payloads and decodes them on the victim.[2] |
| enterprise | T1189 | Drive-by Compromise | BRONZE BUTLER compromised three Japanese websites using a Flash exploit to perform watering hole attacks.[4] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | BRONZE BUTLER has used RC4 encryption (for Datper malware) and AES (for xxmm malware) to obfuscate HTTP traffic. BRONZE BUTLER has also used a tool called RarStar that encodes data with a custom XOR algorithm when posting it to a C2 server.[2] |
| enterprise | T1203 | Exploitation for Client Execution | BRONZE BUTLER has exploited Microsoft Office vulnerabilities CVE-2014-4114, CVE-2018-0802, and CVE-2018-0798 for execution.[4][3] |
| enterprise | T1083 | File and Directory Discovery | BRONZE BUTLER has collected a list of files from the victim and uploaded it to its C2 server, and then created a new list of specific files to steal.[2] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.002 | DLL Side-Loading | BRONZE BUTLER has used legitimate applications to side-load malicious DLLs.[3] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | BRONZE BUTLER has incorporated code into several tools that attempts to terminate anti-virus processes.[3] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | The BRONZE BUTLER uploader, or malware the uploader uses, runs a command to delete the RAR archives after they have been exfiltrated.[2] |
| enterprise | T1105 | Ingress Tool Transfer | BRONZE BUTLER has used various tools to download files, including DGet (a similar tool to wget).[2] |
| enterprise | T1036 | Masquerading | BRONZE BUTLER has masked executables with document file icons including Word and Adobe PDF.[3] |
| enterprise | T1036.002 | Right-to-Left Override | BRONZE BUTLER has used Right-to-Left Override to deceive victims into executing several strains of malware.[3] |
| enterprise | T1036.005 | Match Legitimate Name or Location | BRONZE BUTLER has given malware the same name as an existing file on the file share server to cause users to unwittingly launch and install the malware on additional systems.[2] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.001 | Binary Padding | BRONZE BUTLER downloader code has included "0" characters at the end of the file to inflate the file size in a likely attempt to evade anti-virus detection.[2][3] |
| enterprise | T1027.003 | Steganography | BRONZE BUTLER has used steganography in multiple operations to conceal malicious payloads.[3] |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.002 | Tool | BRONZE BUTLER has obtained and used open-source tools such as Mimikatz, gsecdump, and Windows Credential Editor.[4] |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.001 | LSASS Memory | BRONZE BUTLER has used various tools (such as Mimikatz and WCE) to perform credential dumping.[2] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | BRONZE BUTLER used spearphishing emails with malicious Microsoft Word attachments to infect victims.[4][3] |
| enterprise | T1018 | Remote System Discovery | BRONZE BUTLER typically uses ping and Net to enumerate systems.[2] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.002 | At | BRONZE BUTLER has used at to register a scheduled task to execute malware during lateral movement.[2] |
| enterprise | T1053.005 | Scheduled Task | BRONZE BUTLER has used schtasks to register a scheduled task to execute malware during lateral movement.[2] |
| enterprise | T1113 | Screen Capture | BRONZE BUTLER has used a tool to capture screenshots.[2][3] |
| enterprise | T1518 | Software Discovery | BRONZE BUTLER has used tools to enumerate software installed on an infected host.[3] |
| enterprise | T1007 | System Service Discovery | BRONZE BUTLER has used TROJ_GETVERSION to discover system services.[3] |
| enterprise | T1124 | System Time Discovery | BRONZE BUTLER has used net time to check the local time on a target system.[2] |
| enterprise | T1080 | Taint Shared Content | BRONZE BUTLER has placed malware on file shares and given it the same name as legitimate documents on the share.[2] |
| enterprise | T1550 | Use Alternate Authentication Material | - |
| enterprise | T1550.003 | Pass the Ticket | BRONZE BUTLER has created forged Kerberos Ticket Granting Ticket (TGT) and Ticket Granting Service (TGS) tickets to maintain administrative access.[2] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | BRONZE BUTLER has attempted to get users to launch malicious Microsoft Word attachments delivered via spearphishing emails.[4][3] |
| enterprise | T1102 | Web Service | - |
| enterprise | T1102.001 | Dead Drop Resolver | BRONZE BUTLER's MSGET downloader uses a dead drop resolver to access malicious payloads.[2] |

Software

| ID | Name | References | Techniques |
| --- | --- | --- | --- |
| S0469 | ABK | [3] | Web Protocols:Application Layer Protocol; Windows Command Shell:Command and Scripting Interpreter; Deobfuscate/Decode Files or Information; Ingress Tool Transfer; Steganography:Obfuscated Files or Information; Process Injection; Security Software Discovery:Software Discovery |
| S0110 | at | [2] | At:Scheduled Task/Job |
| S0473 | Avenger | [3] | Web Protocols:Application Layer Protocol; Deobfuscate/Decode Files or Information; File and Directory Discovery; Ingress Tool Transfer; Obfuscated Files or Information; Steganography:Obfuscated Files or Information; Process Discovery; Process Injection; Security Software Discovery:Software Discovery; System Information Discovery; System Network Configuration Discovery |
| S0470 | BBK | [3] | Web Protocols:Application Layer Protocol; Windows Command Shell:Command and Scripting Interpreter; Deobfuscate/Decode Files or Information; Ingress Tool Transfer; Native API; Steganography:Obfuscated Files or Information; Process Injection |
| S0471 | build_downer | [3] | Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Ingress Tool Transfer; Masquerade Task or Service:Masquerading; Native API; Steganography:Obfuscated Files or Information; Security Software Discovery:Software Discovery; System Information Discovery; System Time Discovery |
| S0106 | cmd | [2] | Windows Command Shell:Command and Scripting Interpreter; File and Directory Discovery; File Deletion:Indicator Removal; Ingress Tool Transfer; Lateral Tool Transfer; System Information Discovery |
| S0187 | Daserf | [1][4] | Web Protocols:Application Layer Protocol; Archive via Utility:Archive Collected Data; Archive Collected Data; Windows Command Shell:Command and Scripting Interpreter; Standard Encoding:Data Encoding; Steganography:Data Obfuscation; Symmetric Cryptography:Encrypted Channel; Ingress Tool Transfer; Keylogging:Input Capture; Match Legitimate Name or Location:Masquerading; Obfuscated Files or Information; Software Packing:Obfuscated Files or Information; Indicator Removal from Tools:Obfuscated Files or Information; LSASS Memory:OS Credential Dumping; Screen Capture; Code Signing:Subvert Trust Controls |
| S0472 | down_new | [3] | Web Protocols:Application Layer Protocol; Standard Encoding:Data Encoding; Symmetric Cryptography:Encrypted Channel; File and Directory Discovery; Ingress Tool Transfer; Process Discovery; Security Software Discovery:Software Discovery; Software Discovery; System Information Discovery; System Network Configuration Discovery |
| S0008 | gsecdump | [2][4] | LSA Secrets:OS Credential Dumping; Security Account Manager:OS Credential Dumping |
| S0002 | Mimikatz | [2][4][3] | SID-History Injection:Access Token Manipulation; Account Manipulation; Security Support Provider:Boot or Logon Autostart Execution; Credentials from Password Stores; Windows Credential Manager:Credentials from Password Stores; Credentials from Web Browsers:Credentials from Password Stores; LSASS Memory:OS Credential Dumping; DCSync:OS Credential Dumping; Security Account Manager:OS Credential Dumping; LSA Secrets:OS Credential Dumping; Rogue Domain Controller; Steal or Forge Authentication Certificates; Silver Ticket:Steal or Forge Kerberos Tickets; Golden Ticket:Steal or Forge Kerberos Tickets; Private Keys:Unsecured Credentials; Pass the Ticket:Use Alternate Authentication Material; Pass the Hash:Use Alternate Authentication Material |
| S0039 | Net | [2] | Domain Account:Account Discovery; Local Account:Account Discovery; Local Account:Create Account; Domain Account:Create Account; Network Share Connection Removal:Indicator Removal; Network Share Discovery; Password Policy Discovery; Local Groups:Permission Groups Discovery; Domain Groups:Permission Groups Discovery; SMB/Windows Admin Shares:Remote Services; Remote System Discovery; System Network Connections Discovery; System Service Discovery; Service Execution:System Services; System Time Discovery |
| S0111 | schtasks | [2] | Scheduled Task:Scheduled Task/Job |
| S0596 | ShadowPad | [5] | File Transfer Protocols:Application Layer Protocol; DNS:Application Layer Protocol; Web Protocols:Application Layer Protocol; Non-Standard Encoding:Data Encoding; Deobfuscate/Decode Files or Information; Domain Generation Algorithms:Dynamic Resolution; Indicator Removal; Ingress Tool Transfer; Modify Registry; Non-Application Layer Protocol; Fileless Storage:Obfuscated Files or Information; Obfuscated Files or Information; Process Discovery; Process Injection; Dynamic-link Library Injection:Process Injection; Scheduled Transfer; System Information Discovery; System Network Configuration Discovery; System Owner/User Discovery; System Time Discovery |
| S0005 | Windows Credential Editor | [2][4] | LSASS Memory:OS Credential Dumping |

References