S0239 Bankshot
Bankshot is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December 2017. In 2018, Lazarus Group used the Bankshot implant in attacks against the Turkish financial sector. [1]
| Item | Value |
|---|---|
| ID | S0239 |
| Associated Names | Trojan Manuscript |
| Type | MALWARE |
| Version | 1.2 |
| Created | 17 October 2018 |
| Last Modified | 22 October 2025 |
Associated Software Descriptions
| Name | Description |
|---|---|
| Trojan Manuscript | [1] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1134 | Access Token Manipulation | - |
| enterprise | T1134.002 | Create Process with Token | Bankshot grabs a user token using WTSQueryUserToken and then creates a process by impersonating a logged-on user. [1] |
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.001 | Local Account | Bankshot gathers domain and account names/information through process monitoring. [1] |
| enterprise | T1087.002 | Domain Account | Bankshot gathers domain and account names/information through process monitoring. [1] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Bankshot uses HTTP for command and control communication. [1] |
| enterprise | T1119 | Automated Collection | Bankshot recursively generates a list of files within a directory and sends them back to the control server. [1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Bankshot uses the command-line interface to execute arbitrary commands. [1][2] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | Bankshot can terminate a specific process by its process id. [1][2] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.002 | Non-Standard Encoding | Bankshot encodes commands from the control server using a range of characters and gzip. [1] |
| enterprise | T1005 | Data from Local System | Bankshot collects files from the local system. [1] |
| enterprise | T1001 | Data Obfuscation | - |
| enterprise | T1001.003 | Protocol or Service Impersonation | Bankshot generates a false TLS handshake using a public certificate to disguise C2 network communications. [3] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Bankshot decodes embedded XOR-encoded strings. [2] |
| enterprise | T1041 | Exfiltration Over C2 Channel | Bankshot exfiltrates data over its C2 channel. [1] |
| enterprise | T1203 | Exploitation for Client Execution | Bankshot leverages a zero-day vulnerability in Adobe Flash to execute the implant on victims' machines. [1] |
| enterprise | T1083 | File and Directory Discovery | Bankshot searches for files on the victim's machine. [2] |
| enterprise | T1070 | Indicator Removal | Bankshot deletes all artifacts associated with the malware from the infected machine. [2] |
| enterprise | T1070.004 | File Deletion | Bankshot marks files to be deleted upon the next system reboot, and uninstalls and removes itself from the system. [1] |
| enterprise | T1070.006 | Timestomp | Bankshot modifies the timestamps of a file as specified by the control server. [1] |
| enterprise | T1105 | Ingress Tool Transfer | Bankshot uploads files and secondary payloads to the victim's machine. [2] |
| enterprise | T1680 | Local Storage Discovery | Bankshot gathers disk type and disk free space. [1][2] |
| enterprise | T1112 | Modify Registry | Bankshot writes data into the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Pniumj. [2] |
| enterprise | T1106 | Native API | Bankshot creates processes using the Windows API calls CreateProcessA() and CreateProcessAsUserA(). [1] |
| enterprise | T1571 | Non-Standard Port | Bankshot binds and listens on port 1058 for HTTP traffic while also utilizing a FakeTLS method. [2] |
| enterprise | T1057 | Process Discovery | Bankshot identifies processes and collects their process ids. [1] |
| enterprise | T1012 | Query Registry | Bankshot searches for certain Registry keys to be configured before executing the payload. [2] |
| enterprise | T1082 | System Information Discovery | Bankshot gathers system information, network addresses, and the operating system version. [1][2] |
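The table above gives three host-observable indicators: the Registry key HKLM\SOFTWARE\Microsoft\Pniumj (T1112), files queued for deletion at the next reboot (T1070.004), and a listener on TCP port 1058 (T1571). The triage script below checks all three on a live Windows host. It is an added example, not code from MITRE, McAfee or US-CERT, and it assumes PowerShell 5.1 or later with the NetTCPIP module (Get-NetTCPConnection); the function names are my own. The delete-on-reboot check relies on how Windows implements that mechanism: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT queues the request in the multi-string value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, as source/destination pairs where an empty destination means "delete". The page does not say which API Bankshot uses for this, so that mapping is an assumption about the OS, not a claim about the implant.

```powershell
# Bankshot host triage (added example, not from MITRE, McAfee or US-CERT). Run elevated.
# Each check returns objects with a Suspicious flag so the output can be exported or fed to a SIEM.

function Test-BankshotRegistryKey {
    # T1112: the page says Bankshot writes data under HKLM\SOFTWARE\Microsoft\Pniumj.
    $path = 'HKLM:\SOFTWARE\Microsoft\Pniumj'
    $present = Test-Path -Path $path
    $values = $null
    if ($present) {
        # Drop the PS* provider properties so only the key's own values are shown.
        $values = Get-ItemProperty -Path $path | Select-Object -Property * -ExcludeProperty PS*
    }
    [pscustomobject]@{ Check = 'RegistryKey'; Suspicious = $present; Path = $path; Detail = $values }
}

function Get-PendingFileRenameOperations {
    # T1070.004: "marks files to be deleted upon the next system reboot".
    # Assumption (about Windows, not the implant): MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT)
    # stores pairs in this value; source paths carry a \??\ prefix and an empty
    # destination means the file is deleted at boot.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $ops = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    $results = @()
    if ($ops) {
        for ($i = 0; $i -lt $ops.Count; $i += 2) {
            $src = $ops[$i]
            $dst = if (($i + 1) -lt $ops.Count) { $ops[$i + 1] } else { '' }
            $results += [pscustomobject]@{
                Check       = 'PendingFileRename'
                Suspicious  = [string]::IsNullOrEmpty($dst)   # delete-on-reboot entry
                Source      = $src
                Destination = $dst
            }
        }
    }
    $results
}

function Test-Port1058Listener {
    # T1571: the page says Bankshot binds and listens on port 1058 (FakeTLS over HTTP).
    Get-NetTCPConnection -State Listen -LocalPort 1058 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Check      = 'Listener1058'
                Suspicious = $true
                Pid        = $_.OwningProcess
                Process    = $proc.ProcessName
                Path       = $proc.Path
            }
        }
}

$findings = @(Test-BankshotRegistryKey) + @(Get-PendingFileRenameOperations) + @(Test-Port1058Listener)
$findings | Where-Object { $_.Suspicious } | Format-List
```

Only the Pniumj key is specific to this family. PendingFileRenameOperations is also populated by installers and Windows Update, and port 1058 can be bound by legitimate software, so treat those two as leads: compare the queued source paths and the owning process's image path against what is expected on that host, and pivot to the other rows in the table (the WTSQueryUserToken/CreateProcessAsUserA process creation, timestomped files) before concluding.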
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0032 | Lazarus Group | [1] |
References
- [1] Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
- [2] US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
- [3] US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved August 15, 2024.