
S0239 Bankshot

Bankshot is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. In 2018, Lazarus Group used the Bankshot implant in attacks against the Turkish financial sector.[1]

Item Value
ID S0239
Associated Names Trojan Manuscript
Version 1.1
Created 17 October 2018
Last Modified 30 March 2020

Associated Software Descriptions

Name Description
Trojan Manuscript [1]

Techniques Used

Domain ID Name Use
enterprise T1134 Access Token Manipulation -
enterprise T1134.002 Create Process with Token Bankshot grabs a user token using WTSQueryUserToken and then creates a process by impersonating a logged-on user.[1]
enterprise T1087 Account Discovery -
enterprise T1087.001 Local Account Bankshot gathers domain and account names/information through process monitoring.[1]
enterprise T1087.002 Domain Account Bankshot gathers domain and account names/information through process monitoring.[1]
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Bankshot uses HTTP for command and control communication.[1]
enterprise T1119 Automated Collection Bankshot recursively generates a list of files within a directory and sends them back to the control server.[1]
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Bankshot uses the command-line interface to execute arbitrary commands.[1][2]
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service Bankshot can terminate a specific process by its process id.[1][2]
enterprise T1132 Data Encoding -
enterprise T1132.002 Non-Standard Encoding Bankshot encodes commands from the control server using a range of characters and gzip.[1]
enterprise T1005 Data from Local System Bankshot collects files from the local system.[1]
enterprise T1001 Data Obfuscation -
enterprise T1001.003 Protocol Impersonation Bankshot generates a false TLS handshake using a public certificate to disguise C2 network communications.[2]
enterprise T1140 Deobfuscate/Decode Files or Information Bankshot decodes embedded XOR strings.[2]
enterprise T1041 Exfiltration Over C2 Channel Bankshot exfiltrates data over its C2 channel.[1]
enterprise T1203 Exploitation for Client Execution Bankshot leverages a zero-day vulnerability in Adobe Flash to execute the implant on victims' machines.[1]
enterprise T1083 File and Directory Discovery Bankshot searches for files on the victim's machine.[2]
enterprise T1070 Indicator Removal Bankshot deletes all artifacts associated with the malware from the infected machine.[2]
enterprise T1070.004 File Deletion Bankshot marks files to be deleted upon the next system reboot and uninstalls and removes itself from the system.[1]
enterprise T1070.006 Timestomp Bankshot modifies the time of a file as specified by the control server.[1]
enterprise T1105 Ingress Tool Transfer Bankshot uploads files and secondary payloads to the victim's machine.[2]
enterprise T1112 Modify Registry Bankshot writes data into the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Pniumj.[2]
enterprise T1106 Native API Bankshot creates processes using the Windows API calls CreateProcessA() and CreateProcessAsUserA().[1]
enterprise T1571 Non-Standard Port Bankshot binds and listens on port 1058 for HTTP traffic while also utilizing a FakeTLS method.[2]
enterprise T1057 Process Discovery Bankshot identifies processes and collects the process ids.[1]
enterprise T1012 Query Registry Bankshot searches for certain Registry keys to be configured before executing the payload.[2]
enterprise T1082 System Information Discovery Bankshot gathers system information, network addresses, disk type, disk free space, and the operating system version.[1][2]
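The Deobfuscate/Decode Files or Information row says Bankshot decodes embedded XOR strings. The Python below is an added example, not Bankshot's code and not part of the ATT&CK page, showing how an analyst recovers single-byte XOR-encoded strings from a binary blob: every candidate key is tried and only the keys whose output contains a token a C2 string would carry are reported. The sample blob, the key 0x5A, the URL and the hint tokens are constructed for illustration; the page does not state Bankshot's actual key or encoding scheme, and multi-byte or rolling keys would need a different search.

```python
import re

# Constructed sample, not from a Bankshot binary: three strings are XOR-encoded
# with one key, NUL-separated, and placed between opaque filler bytes.
XOR_KEY = 0x5A
PLAINTEXT_STRINGS = [
    b"http://example.invalid/check.php",   # assumed C2 URL, constructed
    b"cmd.exe /c ",
    b"SOFTWARE\\Microsoft\\Pniumj",         # registry key named on the page
]
_FILLER = bytes(range(0x80, 0x90))          # stands in for surrounding code bytes
SAMPLE_BLOB = (
    _FILLER
    + bytes(b ^ XOR_KEY for b in b"\x00".join(PLAINTEXT_STRINGS) + b"\x00")
    + _FILLER
)

# Tokens a decoded C2 string is likely to contain; a key is reported only when
# at least one of them appears after decoding. Chosen for this example.
HINT_TOKENS = (b"http", b".exe", b".dll", b"cmd")


def xor_with_key(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same operation encodes and decodes."""
    return bytes(b ^ key for b in data)


def printable_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Return runs of at least min_len printable ASCII bytes, in blob order."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.decode("ascii") for m in pattern.findall(data)]


def decode_xor_strings(blob: bytes, key: int, min_len: int = 6) -> list[str]:
    """Decode with a known key and extract the printable strings."""
    return printable_strings(xor_with_key(blob, key), min_len)


def brute_force_xor_key(blob: bytes, min_len: int = 6) -> dict[int, list[str]]:
    """Try every non-zero single-byte key; keep keys whose output contains a hint."""
    hits: dict[int, list[str]] = {}
    for key in range(1, 256):
        decoded = xor_with_key(blob, key)
        if any(token in decoded for token in HINT_TOKENS):
            hits[key] = printable_strings(decoded, min_len)
    return hits


if __name__ == "__main__":
    for key, strings in brute_force_xor_key(SAMPLE_BLOB).items():
        print(f"key 0x{key:02x}:")
        for s in strings:
            print("   ", s)
```

Hint tokens keep the output short; without them every key that happens to turn filler into printable bytes would be listed, so the tokens should be tuned to the strings the implant family is known to carry.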
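The Non-Standard Port, Web Protocols and Protocol Impersonation rows describe HTTP and a FakeTLS handshake on port 1058. A FakeTLS session is built to pass record-layer sanity checks, so the network tell the page actually supports is the port the protocol shows up on. The Python below is an added detection example, not from the page or the malware: it inspects the first bytes the client sends, recognises a well-formed TLS ClientHello or an HTTP request line, and raises a finding when that protocol appears on a port where it is not expected. The flows, the port allowlists, the addresses and the ClientHello bytes are all constructed.

```python
import struct
from dataclasses import dataclass

TLS_HANDSHAKE_RECORD = 0x16
TLS_CLIENT_HELLO = 0x01
TLS_RECORD_VERSIONS = {0x0301, 0x0302, 0x0303}
# Assumed site policy for where TLS and plain HTTP are expected; tune per environment.
EXPECTED_TLS_PORTS = {443, 8443}
EXPECTED_HTTP_PORTS = {80, 8080}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    client_payload: bytes   # first bytes sent by the connection initiator


def is_tls_client_hello(payload: bytes) -> bool:
    """True if payload starts with a well-formed TLS record carrying a ClientHello."""
    if len(payload) < 9 or payload[0] != TLS_HANDSHAKE_RECORD:
        return False
    version, record_len = struct.unpack(">HH", payload[1:5])
    if version not in TLS_RECORD_VERSIONS or record_len < 4 or record_len > len(payload) - 5:
        return False
    handshake_type = payload[5]
    handshake_len = int.from_bytes(payload[6:9], "big")
    # The 4-byte handshake header plus its body must fill the record exactly.
    return handshake_type == TLS_CLIENT_HELLO and handshake_len == record_len - 4


def is_http_request(payload: bytes) -> bool:
    """True if payload begins with an HTTP/1.x request line."""
    return payload.startswith(HTTP_METHODS) and b" HTTP/1." in payload[:256]


def classify_flow(flow: Flow) -> list[str]:
    """Findings for one flow: recognised protocol on a port where it is not expected."""
    findings = []
    if is_tls_client_hello(flow.client_payload) and flow.dst_port not in EXPECTED_TLS_PORTS:
        findings.append(f"tls-handshake-on-port-{flow.dst_port}")
    if is_http_request(flow.client_payload) and flow.dst_port not in EXPECTED_HTTP_PORTS:
        findings.append(f"http-on-port-{flow.dst_port}")
    return findings


def scan(flows: list[Flow]) -> list[tuple[str, list[str]]]:
    return [(f"{f.src}->{f.dst}:{f.dst_port}", classify_flow(f)) for f in flows]


# Constructed minimal TLS ClientHello: one cipher suite, no extensions.
CLIENT_HELLO = (
    b"\x16\x03\x01\x00\x2d"        # record: handshake, version 3.1, length 45
    + b"\x01\x00\x00\x29"          # handshake: ClientHello, length 41
    + b"\x03\x03" + b"\x11" * 32   # client version 3.3 and a 32-byte random
    + b"\x00"                      # session id length 0
    + b"\x00\x02\x00\x2f"          # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
    + b"\x01\x00"                  # one compression method: null
)

# Constructed flows; the addresses are placeholders.
FLOWS = [
    Flow("10.1.2.3", "192.0.2.10", 1058, CLIENT_HELLO),
    Flow("10.1.2.9", "192.0.2.10", 1058, b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"),
    Flow("10.1.2.4", "192.0.2.20", 443, CLIENT_HELLO),
    Flow("10.1.2.5", "192.0.2.30", 1058, b"\x16\x03\x01\xff\xff\x01"),  # truncated, not a valid record
]

if __name__ == "__main__":
    for key, findings in scan(FLOWS):
        print(key, findings or "ok")
```

The record-length and handshake-length cross-check matters: a FakeTLS implant that copies real handshake bytes will satisfy it, which is exactly why the port, not the bytes, carries the signal here.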
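Two Indicator Removal rows, File Deletion (marking files for deletion at the next reboot) and Timestomp, leave host artifacts that can be checked offline. The Python below is an added forensic example, not the page's or the malware's code. A delete-at-reboot request made through MoveFileEx is recorded by Windows in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager as source/destination pairs, where an empty destination means delete and a leading "!" means replace; the first function decodes that value. The second applies two widely used timestomp heuristics to $STANDARD_INFORMATION versus $FILE_NAME timestamps: an SI creation time earlier than the FN creation time, and SI timestamps whose sub-second part is all zeros. The registry bytes, paths and MFT records are constructed, and the heuristics are indicators to review, not proof.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

NT_PREFIX = "\\??\\"


def _strip_nt_path(p: str) -> str:
    """Drop the '!' replace marker and the \\??\\ NT namespace prefix."""
    p = p[1:] if p.startswith("!") else p
    return p[len(NT_PREFIX):] if p.startswith(NT_PREFIX) else p


def parse_pending_file_rename_operations(raw: bytes) -> list[tuple[str, str, str]]:
    """Decode the REG_MULTI_SZ bytes into (operation, source, destination) tuples."""
    text = raw.decode("utf-16-le")
    if text.strip("\x00") == "":
        return []
    if not text.endswith("\x00\x00"):
        raise ValueError("REG_MULTI_SZ must end with a double NUL")
    items = text[:-2].split("\x00")      # last string terminator and list terminator removed
    if len(items) % 2:
        raise ValueError("entries must come in source/destination pairs")
    result = []
    for src, dst in zip(items[::2], items[1::2]):
        op = "delete" if dst == "" else ("replace" if dst.startswith("!") else "rename")
        result.append((op, _strip_nt_path(src), _strip_nt_path(dst)))
    return result


# Constructed value: one delete-at-boot entry and one replace entry.
SAMPLE_PFRO = ("\x00".join([
    r"\??\C:\Windows\Temp\implant.tmp", "",
    r"\??\C:\Users\Public\stage.dat", r"!\??\C:\Users\Public\stage.new",
]) + "\x00\x00").encode("utf-16-le")

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000          # FILETIME counts 100 ns intervals


def filetime(year, month, day, hour=0, minute=0, second=0, sub_second_ticks=0) -> int:
    """Build a FILETIME tick count from a UTC wall-clock time."""
    whole = datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    return int((whole - FILETIME_EPOCH).total_seconds()) * TICKS_PER_SECOND + sub_second_ticks


@dataclass(frozen=True)
class MftTimestamps:
    path: str
    si_created: int    # $STANDARD_INFORMATION: what SetFileTime can change
    si_modified: int
    fn_created: int    # $FILE_NAME: maintained by the kernel, not reachable via SetFileTime
    fn_modified: int


def timestomp_indicators(rec: MftTimestamps) -> list[str]:
    """Heuristic findings; an empty list means nothing stood out."""
    findings = []
    if rec.si_created < rec.fn_created:
        findings.append("si-created-before-fn-created")
    for label, ticks in (("si-created", rec.si_created), ("si-modified", rec.si_modified)):
        if ticks % TICKS_PER_SECOND == 0:
            findings.append(f"{label}-zero-subseconds")
    return findings


# Constructed records: a normal document and a file whose SI times were set back.
CLEAN = MftTimestamps(
    r"C:\Users\Public\report.docx",
    si_created=filetime(2019, 3, 4, 9, 15, 30, 1_234_567),
    si_modified=filetime(2019, 3, 5, 17, 2, 11, 8_812_004),
    fn_created=filetime(2019, 3, 4, 9, 15, 30, 1_234_567),
    fn_modified=filetime(2019, 3, 4, 9, 15, 30, 1_234_567),
)
STOMPED = MftTimestamps(
    r"C:\Windows\Temp\implant.tmp",
    si_created=filetime(2012, 1, 1),
    si_modified=filetime(2012, 1, 1),
    fn_created=filetime(2018, 2, 1, 13, 22, 5, 4_400_123),
    fn_modified=filetime(2018, 2, 1, 13, 22, 5, 4_400_123),
)

if __name__ == "__main__":
    for entry in parse_pending_file_rename_operations(SAMPLE_PFRO):
        print("pending:", entry)
    for rec in (CLEAN, STOMPED):
        print(rec.path, timestomp_indicators(rec) or "no indicators")
```

Legitimate software also queues files for deletion at reboot (installers do), and files copied from FAT media or certain archivers can carry whole-second timestamps, so both checks are triage filters to pair with the other indicators on this page rather than verdicts.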

Groups That Use This Software

ID Name References
G0032 Lazarus Group [1]