S0268 Bisonal
Bisonal is a remote access tool (RAT) that has been used by Tonto Team against public and private sector organizations in Russia, South Korea, and Japan since at least December 2010.12
| Item | Value |
|---|---|
| ID | S0268 |
| Associated Names | |
| Type | MALWARE |
| Version | 2.0 |
| Created | 17 October 2018 |
| Last Modified | 18 April 2022 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Bisonal has used HTTP for C2 communications.13 |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Bisonal has added itself to the Registry key HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Run\ for persistence.12 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Bisonal has launched cmd.exe and used the ShellExecuteW() API function to execute commands on the system.132 |
| enterprise | T1059.005 | Visual Basic | Bisonal‘s dropper creates VBS scripts on the victim’s machine.12 |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | Bisonal has been modified to be used as a Windows service.2 |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | Bisonal has encoded binary data with Base64 and ASCII.32 |
| enterprise | T1005 | Data from Local System | Bisonal has collected information from a compromised host.2 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Bisonal has decoded strings in the malware using XOR and RC4.12 |
| enterprise | T1568 | Dynamic Resolution | Bisonal has used a dynamic DNS service for C2.2 |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | Bisonal variants reported on in 2014 and 2015 used a simple XOR cipher for C2. Some Bisonal samples encrypt C2 communications with RC4.132 |
| enterprise | T1041 | Exfiltration Over C2 Channel | Bisonal has added the exfiltrated data to the URL over the C2 channel.2 |
| enterprise | T1083 | File and Directory Discovery | Bisonal can retrieve a file listing from the system.32 |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Bisonal will delete its dropper and VBS scripts from the victim’s machine.132 |
| enterprise | T1105 | Ingress Tool Transfer | Bisonal has the capability to download files to execute on the victim’s machine.132 |
| enterprise | T1036 | Masquerading | Bisonal dropped a decoy payload with a .jpg extension that contained a malicious Visual Basic script.2 |
| enterprise | T1036.005 | Match Legitimate Name or Location | Bisonal has renamed malicious code to msacm32.dll to hide within a legitimate library; earlier versions were disguised as winhelp.2 |
| enterprise | T1112 | Modify Registry | Bisonal has deleted Registry keys to clean up its prior activity.2 |
| enterprise | T1106 | Native API | Bisonal has used the Windows API to communicate with the Service Control Manager to execute a thread.2 |
| enterprise | T1095 | Non-Application Layer Protocol | Bisonal has used raw sockets for network communication.2 |
| enterprise | T1027 | Obfuscated Files or Information | Bisonal‘s DLL file and non-malicious decoy file are encrypted with RC4 and some function name strings are obfuscated.12 |
| enterprise | T1027.001 | Binary Padding | Bisonal has appended random binary data to the end of itself to generate a large binary.2 |
| enterprise | T1027.002 | Software Packing | Bisonal has used the MPRESS packer and similar tools for obfuscation.2 |
| enterprise | T1137 | Office Application Startup | - |
| enterprise | T1137.006 | Add-ins | Bisonal has been loaded through a .wll extension added to the %APPDATA%\microsoft\word\startup\ repository.2 |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | Bisonal has been delivered as malicious email attachments.2 |
| enterprise | T1057 | Process Discovery | Bisonal can obtain a list of running processes on the victim’s machine.132 |
| enterprise | T1090 | Proxy | Bisonal has supported use of a proxy server.2 |
| enterprise | T1012 | Query Registry | Bisonal has used the RegQueryValueExA function to retrieve proxy information in the Registry.2 |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | Bisonal has used rundll32.exe to execute as part of the Registry Run key it adds: HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\Run\”vert” = “rundll32.exe c:\windows\temp\pvcu.dll , Qszdez”.1 |
| enterprise | T1082 | System Information Discovery | Bisonal has used commands and API calls to gather system information.132 |
| enterprise | T1016 | System Network Configuration Discovery | Bisonal can execute ipconfig on the victim’s machine.132 |
| enterprise | T1124 | System Time Discovery | Bisonal can check the system time set on the infected host.3 |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | Bisonal has relied on users to execute malicious file attachments delivered via spearphishing emails.2 |
| enterprise | T1497 | Virtualization/Sandbox Evasion | Bisonal can check to determine if the compromised system is running on VMware.2 |
| enterprise | T1497.003 | Time Based Evasion | Bisonal has checked if the malware is running in a virtual environment with the anti-debug function GetTickCount() to compare the timing.32 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0131 | Tonto Team | 342 |
References
-
Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021. ↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Secureworks. (2021, January 1). BRONZE HUNTLEY Threat Profile. Retrieved May 5, 2021. ↩