S0470 BBK

BBK is a downloader that has been used by BRONZE BUTLER since at least 2019. [1]

Item | Value
ID | S0470
Associated Names | (none listed)
Version | 1.0
Created | 10 June 2020
Last Modified | 24 June 2020
Techniques Used

Domain | ID | Name | Use
enterprise | T1071 | Application Layer Protocol | -
enterprise | T1071.001 | Web Protocols | BBK has the ability to use HTTP in communications with C2. [1]
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.003 | Windows Command Shell | BBK has the ability to use cmd to run a Portable Executable (PE) on the compromised host. [1]
enterprise | T1140 | Deobfuscate/Decode Files or Information | BBK has the ability to decrypt AES-encrypted payloads. [1]
enterprise | T1105 | Ingress Tool Transfer | BBK has the ability to download files from C2 to the infected host. [1]
enterprise | T1106 | Native API | BBK has the ability to use the CreatePipe API to add a sub-process for execution via cmd. [1]
enterprise | T1027 | Obfuscated Files or Information | -
enterprise | T1027.003 | Steganography | BBK can extract a malicious Portable Executable (PE) from a photo. [1]
enterprise | T1055 | Process Injection | BBK has the ability to inject shellcode into svchost.exe. [1]
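
The T1027.003 row states that BBK can pull a PE out of a photo but not how the PE is hidden. The following is an added example (not BBK's code and not part of the ATT&CK entry) of the simplest triage check a responder can run on a suspect image: walk every "MZ" in the file and validate e_lfanew, the PE\0\0 signature and the optional-header magic, so that a stray "MZ" in pixel data does not trigger. It assumes the PE is carried with its headers intact, for instance appended after the JPEG end-of-image marker; the sample image and the PE header it contains are constructed inline, and every constant is taken from the PE/COFF format. Bit-level (LSB) steganography or a PE stored encrypted (which would fit the T1140 row) would not be found by this check.

```python
"""Scan an image for an embedded Portable Executable whose headers are intact.

Added example for the T1027.003 row: not BBK's code, and the embedding method
it assumes (headers intact somewhere in the image bytes) is an assumption.
"""
import struct

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARMv7", 0xAA64: "ARM64"}
# IMAGE_OPTIONAL_HEADER.Magic values.
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+", 0x107: "ROM"}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000


def container_type(data: bytes) -> str:
    """Identify the outer image format from its file signature."""
    if data[:3] == b"\xff\xd8\xff":
        return "JPEG"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "PNG"
    if data[:4] == b"GIF8":
        return "GIF"
    return "unknown"


def parse_pe_at(data: bytes, off: int):
    """Return header facts if a plausible PE starts at data[off], else None."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, off + 0x3C)
    # e_lfanew must point past the DOS signature and stay inside the buffer.
    if e_lfanew < 4 or e_lfanew > 0x10000:
        return None
    pe = off + e_lfanew
    if pe + 26 > len(data) or data[pe:pe + 4] != b"PE\x00\x00":
        return None
    machine, nsec, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, pe + 4)
    (magic,) = struct.unpack_from("<H", data, pe + 24)
    # An unknown optional-header magic means "MZ ... PE\0\0" was a coincidence.
    if magic not in OPTIONAL_MAGIC:
        return None
    return {
        "offset": off,
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "format": OPTIONAL_MAGIC[magic],
        "sections": nsec,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "is_executable": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
        "optional_header_size": opt_size,
    }


def find_embedded_pe(data: bytes):
    """Every offset in data at which a validated PE header begins."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        hdr = parse_pe_at(data, pos)
        if hdr:
            hits.append(hdr)
        pos = data.find(b"MZ", pos + 1)
    return hits


def scan_image(data: bytes):
    return {"container": container_type(data), "embedded_pe": find_embedded_pe(data)}


def build_minimal_pe(machine=0x8664, magic=0x20B, chars=0x0022) -> bytes:
    """Constructed fixture: DOS header, PE signature, COFF header and a zeroed
    optional header with only Magic set. Not a real or runnable binary."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature follows the DOS header
    coff = struct.pack("<IHHIIIHH", 0x00004550, machine, 1, 0, 0, 0, 0x70, chars)
    optional = struct.pack("<H", magic) + b"\x00" * 0x6E
    return bytes(dos) + coff + optional


# Constructed sample (not a BBK artifact): a JPEG-like shell with a decoy "MZ"
# in the pixel data, then a PE appended after the FF D9 end-of-image marker.
FAKE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40
             + b"MZ\x00\x00" + b"\x22" * 40 + b"\xff\xd9")
SAMPLE = FAKE_JPEG + build_minimal_pe()

if __name__ == "__main__":
    report = scan_image(SAMPLE)
    for hit in report["embedded_pe"]:
        print(f"{report['container']} carries a {hit['format']} {hit['machine']} PE "
              f"at offset {hit['offset']} ({hit['sections']} section(s))")
```

On a real case, read the suspect image with `open(path, "rb").read()` and pass it to `scan_image`; a hit at an offset past the image's end marker is the appended-payload pattern, while a hit inside the image data warrants carving the bytes from that offset for further analysis.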

Groups That Use This Software

ID | Name | References