Bankshot

Bankshot is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. In 2018, Lazarus Group used the Bankshot implant in attacks against the Turkish financial sector. [1]

ID: S0239
Associated Software: Trojan Manuscript
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 17 October 2018
Last Modified: 30 March 2020

Associated Software Descriptions

Name Description
Trojan Manuscript [1]

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

Bankshot collects files from the local system.[1]

Enterprise T1112 Modify Registry

Bankshot writes data into the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Pniumj.[2]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Bankshot can terminate a specific process by its process id.[1][2]

Enterprise T1140 Deobfuscate/Decode Files or Information

Bankshot decodes embedded XOR strings.[2]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Bankshot uses the command-line interface to execute arbitrary commands.[1][2]

Enterprise T1203 Exploitation for Client Execution

Bankshot leverages a known zero-day vulnerability in Adobe Flash to execute the implant on the victims' machines.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Bankshot uses HTTP for command and control communication.[1]

Enterprise T1001 .003 Data Obfuscation: Protocol or Service Impersonation

Bankshot generates a false TLS handshake using a public certificate to disguise C2 network communications.[3]

Enterprise T1132 .002 Data Encoding: Non-Standard Encoding

Bankshot encodes commands from the control server using a range of characters and gzip.[1]

Enterprise T1083 File and Directory Discovery

Bankshot searches for files on the victim's machine.[2]

Enterprise T1106 Native API

Bankshot creates processes using the Windows API calls: CreateProcessA() and CreateProcessAsUserA().[1]

Enterprise T1012 Query Registry

Bankshot searches for certain Registry keys to be configured before executing the payload.[2]

Enterprise T1070 Indicator Removal

Bankshot deletes all artifacts associated with the malware from the infected machine.[2]

.004 File Deletion

Bankshot marks files to be deleted upon the next system reboot and uninstalls and removes itself from the system.[1]

.006 Timestomp

Bankshot modifies the time of a file as specified by the control server.[1]

Enterprise T1082 System Information Discovery

Bankshot gathers system information, network addresses, disk type, disk free space, and the operating system version.[1][2]

Enterprise T1119 Automated Collection

Bankshot recursively generates a list of files within a directory and sends them back to the control server.[1]

Enterprise T1134 .002 Access Token Manipulation: Create Process with Token

Bankshot grabs a user token using WTSQueryUserToken and then creates a process by impersonating a logged-on user.[1]

Enterprise T1087 .001 Account Discovery: Local Account

Bankshot gathers domain and account names/information through process monitoring.[1]

.002 Account Discovery: Domain Account

Bankshot gathers domain and account names/information through process monitoring.[1]

Enterprise T1105 Ingress Tool Transfer

Bankshot uploads files and secondary payloads to the victim's machine.[2]

Enterprise T1057 Process Discovery

Bankshot identifies processes and collects the process ids.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Bankshot exfiltrates data over its C2 channel.[1]

Enterprise T1571 Non-Standard Port

Bankshot binds and listens on port 1058 for HTTP traffic while also utilizing a FakeTLS method.[2]
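Three of the behaviours listed above leave host-level traces a defender can match on: the Registry write to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Pniumj (T1112), traffic on port 1058 (T1571), and file timestamps changed on the control server's instruction (T1070.006). The following is an added example, not part of the ATT&CK page, that runs those three checks over a handful of constructed Sysmon-style events and then correlates hits per process image. The event dictionaries are hypothetical sample data built to resemble Sysmon Event ID 13 (registry value set), 3 (network connection) and 2 (file creation time changed); only the Registry key and the port number come from the page.

```python
from datetime import datetime

# Indicators stated on the ATT&CK page for Bankshot (S0239).
BANKSHOT_REG_KEY = r"HKLM\SOFTWARE\Microsoft\Pniumj"
BANKSHOT_PORT = 1058

# Constructed sample events in a simplified, Sysmon-like dict shape
# (hypothetical; field names follow Sysmon, values are made up).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\Temp\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Pniumj\Cfg", "Details": "Binary Data"},
    {"EventID": 3, "Image": r"C:\Windows\Temp\svchost.exe", "Initiated": "false",
     "SourceIp": "192.0.2.10", "SourcePort": 49152,
     "DestinationIp": "192.0.2.20", "DestinationPort": 1058},
    {"EventID": 2, "Image": r"C:\Windows\Temp\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\svchost.exe",
     "CreationUtcTime": "2009-07-14 01:14:22.000",
     "PreviousCreationUtcTime": "2018-03-02 09:41:07.113"},
    # Benign noise: an ordinary Run-key write and an outbound HTTPS connection.
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": "C:\\Users\\alice\\OneDrive.exe"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "Initiated": "true",
     "SourceIp": "192.0.2.10", "SourcePort": 50001,
     "DestinationIp": "198.51.100.5", "DestinationPort": 443},
]

SYSMON_TIME = "%Y-%m-%d %H:%M:%S.%f"


def match_registry(ev):
    """T1112: any registry create/set under the Pniumj key (case-insensitive)."""
    if ev.get("EventID") not in (12, 13):
        return False
    target = ev.get("TargetObject", "")
    return target.upper().startswith(BANKSHOT_REG_KEY.upper())


def match_port(ev):
    """T1571: a connection in either direction involving port 1058.

    Sysmon does not record bind()/listen() itself, so the listener shows up
    only once a peer connects (Initiated=false on the victim side)."""
    if ev.get("EventID") != 3:
        return False
    return BANKSHOT_PORT in (ev.get("SourcePort"), ev.get("DestinationPort"))


def match_timestomp(ev):
    """T1070.006: a file's creation time moved backwards (Sysmon Event ID 2)."""
    if ev.get("EventID") != 2:
        return False
    new = datetime.strptime(ev["CreationUtcTime"], SYSMON_TIME)
    old = datetime.strptime(ev["PreviousCreationUtcTime"], SYSMON_TIME)
    return new < old


RULES = [("T1112", match_registry), ("T1571", match_port), ("T1070.006", match_timestomp)]


def scan(events):
    """Return (technique_id, image) for every event that matches a rule."""
    hits = []
    for ev in events:
        for technique, predicate in RULES:
            if predicate(ev):
                hits.append((technique, ev.get("Image")))
    return hits


def suspicious_images(events, min_techniques=2):
    """Images that trip at least `min_techniques` distinct rules.

    A single hit (e.g. one port-1058 connection) is weak on its own; the same
    image writing the key, serving the port and backdating files is not."""
    per_image = {}
    for technique, image in scan(events):
        per_image.setdefault(image, set()).add(technique)
    return {img for img, techs in per_image.items() if len(techs) >= min_techniques}


if __name__ == "__main__":
    for technique, image in scan(SAMPLE_EVENTS):
        print(f"{technique:10} {image}")
    print("correlated:", suspicious_images(SAMPLE_EVENTS))
```

The port and Registry checks are exact-string indicators and will age as the implant changes; the timestomp check is behavioural and catches any tool that backdates a creation time, which is why the correlation step requires more than one technique per image before raising it.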

Groups That Use This Software

ID Name References
G0032 Lazarus Group [1]

References