Skip to content

S0268 Bisonal

Bisonal is a remote access tool (RAT) that has been used by Tonto Team against public and private sector organizations in Russia, South Korea, and Japan since at least December 2010.12

Item Value
ID S0268
Associated Names
Version 2.0
Created 17 October 2018
Last Modified 18 April 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Bisonal has used HTTP for C2 communications.13
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Bisonal has added itself to the Registry key HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Run\ for persistence.12
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Bisonal has launched cmd.exe and used the ShellExecuteW() API function to execute commands on the system.132
enterprise T1059.005 Visual Basic Bisonal‘s dropper creates VBS scripts on the victim’s machine.12
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service Bisonal has been modified to be used as a Windows service.2
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding Bisonal has encoded binary data with Base64 and ASCII.32
enterprise T1005 Data from Local System Bisonal has collected information from a compromised host.2
enterprise T1140 Deobfuscate/Decode Files or Information Bisonal has decoded strings in the malware using XOR and RC4.12
enterprise T1568 Dynamic Resolution Bisonal has used a dynamic DNS service for C2.2
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Bisonal variants reported on in 2014 and 2015 used a simple XOR cipher for C2. Some Bisonal samples encrypt C2 communications with RC4.132
enterprise T1041 Exfiltration Over C2 Channel Bisonal has added the exfiltrated data to the URL over the C2 channel.2
enterprise T1083 File and Directory Discovery Bisonal can retrieve a file listing from the system.32
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Bisonal will delete its dropper and VBS scripts from the victim’s machine.132
enterprise T1105 Ingress Tool Transfer Bisonal has the capability to download files to execute on the victim’s machine.132
enterprise T1036 Masquerading Bisonal dropped a decoy payload with a .jpg extension that contained a malicious Visual Basic script.2
enterprise T1036.005 Match Legitimate Name or Location Bisonal has renamed malicious code to msacm32.dll to hide within a legitimate library; earlier versions were disguised as winhelp.2
enterprise T1112 Modify Registry Bisonal has deleted Registry keys to clean up its prior activity.2
enterprise T1106 Native API Bisonal has used the Windows API to communicate with the Service Control Manager to execute a thread.2
enterprise T1095 Non-Application Layer Protocol Bisonal has used raw sockets for network communication.2
enterprise T1027 Obfuscated Files or Information Bisonal‘s DLL file and non-malicious decoy file are encrypted with RC4 and some function name strings are obfuscated.12
enterprise T1027.001 Binary Padding Bisonal has appended random binary data to the end of itself to generate a large binary.2
enterprise T1027.002 Software Packing Bisonal has used the MPRESS packer and similar tools for obfuscation.2
enterprise T1137 Office Application Startup -
enterprise T1137.006 Add-ins Bisonal has been loaded through a .wll extension added to the %APPDATA%\microsoft\word\startup\ repository.2
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Bisonal has been delivered as malicious email attachments.2
enterprise T1057 Process Discovery Bisonal can obtain a list of running processes on the victim’s machine.132
enterprise T1090 Proxy Bisonal has supported use of a proxy server.2
enterprise T1012 Query Registry Bisonal has used the RegQueryValueExA function to retrieve proxy information in the Registry.2
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 Bisonal has used rundll32.exe to execute as part of the Registry Run key it adds: HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\Run\”vert” = “rundll32.exe c:\windows\temp\pvcu.dll , Qszdez”.1
enterprise T1082 System Information Discovery Bisonal has used commands and API calls to gather system information.132
enterprise T1016 System Network Configuration Discovery Bisonal can execute ipconfig on the victim’s machine.132
enterprise T1124 System Time Discovery Bisonal can check the system time set on the infected host.3
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File Bisonal has relied on users to execute malicious file attachments delivered via spearphishing emails.2
enterprise T1497 Virtualization/Sandbox Evasion Bisonal can check to determine if the compromised system is running on VMware.2
enterprise T1497.003 Time Based Evasion Bisonal has checked if the malware is running in a virtual environment with the anti-debug function GetTickCount() to compare the timing.32

Groups That Use This Software

ID Name References
G0131 Tonto Team 342