S0127 BBSRAT
BBSRAT is malware with remote access tool functionality that has been used in targeted compromises. [1]
Item | Value |
---|---|
ID | S0127 |
Associated Names | |
Type | MALWARE |
Version | 1.2 |
Created | 31 May 2017 |
Last Modified | 30 March 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | BBSRAT uses GET and POST requests over HTTP or HTTPS for command and control to obtain commands and send ZLIB compressed data back to the C2 server. [1] |
enterprise | T1560 | Archive Collected Data | - |
enterprise | T1560.002 | Archive via Library | BBSRAT can compress data with ZLIB prior to sending it back to the C2 server. [1] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | BBSRAT has been loaded through DLL side-loading of a legitimate Citrix executable that is set to persist through the Registry Run key location HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssonsvr.exe. |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.003 | Windows Service | BBSRAT can modify service configurations. [1] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | BBSRAT uses Expand to decompress a CAB file into executable content. [1] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | BBSRAT uses a custom encryption algorithm on data sent back to the C2 server over HTTP. [1] |
enterprise | T1546 | Event Triggered Execution | - |
enterprise | T1546.015 | Component Object Model Hijacking | BBSRAT has been seen persisting via COM hijacking through replacement of the COM object for MruPidlList {42aedc87-2188-41fd-b9a3-0c966feabec1} or Microsoft WBEM New Event Subsystem {F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} depending on the system's CPU architecture. [1] |
enterprise | T1083 | File and Directory Discovery | BBSRAT can list file and directory information. [1] |
enterprise | T1574 | Hijack Execution Flow | - |
enterprise | T1574.002 | DLL Side-Loading | DLL side-loading has been used to execute BBSRAT through a legitimate Citrix executable, ssonsvr.exe. The Citrix executable was dropped along with BBSRAT by the dropper. [1] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | BBSRAT can delete files and directories. [1] |
enterprise | T1057 | Process Discovery | BBSRAT can list running processes. [1] |
enterprise | T1055 | Process Injection | - |
enterprise | T1055.012 | Process Hollowing | BBSRAT has been seen loaded into msiexec.exe through process hollowing to hide its execution. [1] |
enterprise | T1007 | System Service Discovery | BBSRAT can query service configuration information. [1] |
enterprise | T1569 | System Services | - |
enterprise | T1569.002 | Service Execution | BBSRAT can start, stop, or delete services. [1] |