
S0127 BBSRAT

BBSRAT is malware with remote access tool functionality that has been used in targeted compromises. [1]

ID: S0127
Associated Names: (none listed)
Type: MALWARE
Version: 1.2
Created: 31 May 2017
Last Modified: 30 March 2020

Techniques Used

Domain | ID | Name | Use
enterprise | T1071 | Application Layer Protocol | -
enterprise | T1071.001 | Web Protocols | BBSRAT uses GET and POST requests over HTTP or HTTPS for command and control to obtain commands and send ZLIB compressed data back to the C2 server. [1]
enterprise | T1560 | Archive Collected Data | -
enterprise | T1560.002 | Archive via Library | BBSRAT can compress data with ZLIB prior to sending it back to the C2 server. [1]
enterprise | T1547 | Boot or Logon Autostart Execution | -
enterprise | T1547.001 | Registry Run Keys / Startup Folder | BBSRAT has been loaded through DLL side-loading of a legitimate Citrix executable that is set to persist through the Registry Run key location HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssonsvr.exe.
enterprise | T1543 | Create or Modify System Process | -
enterprise | T1543.003 | Windows Service | BBSRAT can modify service configurations. [1]
enterprise | T1140 | Deobfuscate/Decode Files or Information | BBSRAT uses Expand to decompress a CAB file into executable content. [1]
enterprise | T1573 | Encrypted Channel | -
enterprise | T1573.001 | Symmetric Cryptography | BBSRAT uses a custom encryption algorithm on data sent back to the C2 server over HTTP. [1]
enterprise | T1546 | Event Triggered Execution | -
enterprise | T1546.015 | Component Object Model Hijacking | BBSRAT has been seen persisting via COM hijacking through replacement of the COM object for MruPidlList {42aedc87-2188-41fd-b9a3-0c966feabec1} or Microsoft WBEM New Event Subsystem {F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}, depending on the system's CPU architecture. [1]
enterprise | T1083 | File and Directory Discovery | BBSRAT can list file and directory information. [1]
enterprise | T1574 | Hijack Execution Flow | -
enterprise | T1574.002 | DLL Side-Loading | DLL side-loading has been used to execute BBSRAT through a legitimate Citrix executable, ssonsvr.exe. The Citrix executable was dropped along with BBSRAT by the dropper. [1]
enterprise | T1070 | Indicator Removal | -
enterprise | T1070.004 | File Deletion | BBSRAT can delete files and directories. [1]
enterprise | T1057 | Process Discovery | BBSRAT can list running processes. [1]
enterprise | T1055 | Process Injection | -
enterprise | T1055.012 | Process Hollowing | BBSRAT has been seen loaded into msiexec.exe through process hollowing to hide its execution. [1]
enterprise | T1007 | System Service Discovery | BBSRAT can query service configuration information. [1]
enterprise | T1569 | System Services | -
enterprise | T1569.002 | Service Execution | BBSRAT can start, stop, or delete services. [1]

References