S0470 BBK
BBK is a downloader that has been used by BRONZE BUTLER since at least 2019.[1]
| Item | Value |
|---|---|
| ID | S0470 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 10 June 2020 |
| Last Modified | 24 June 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | BBK has the ability to use HTTP in communications with C2.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | BBK has the ability to use cmd to run a Portable Executable (PE) on the compromised host.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | BBK has the ability to decrypt AES-encrypted payloads.[1] |
| enterprise | T1105 | Ingress Tool Transfer | BBK has the ability to download files from C2 to the infected host.[1] |
| enterprise | T1106 | Native API | BBK has the ability to use the CreatePipe API to add a sub-process for execution via cmd.[1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.003 | Steganography | BBK can extract a malicious Portable Executable (PE) from a photo.[1] |
| enterprise | T1055 | Process Injection | BBK has the ability to inject shellcode into svchost.exe.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0060 | BRONZE BUTLER | [1] |