1. Home
  2. Software
  3. Bisonal

Bisonal

Bisonal is a remote access tool (RAT) that has been used by Tonto Team against public and private sector organizations in Russia, South Korea, and Japan since at least December 2010.[1][2]

ID: S0268
Type: MALWARE
Platforms: Windows
Version: 2.1
Created: 17 October 2018
Last Modified: 11 April 2024
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1005 从本地系统获取数据

Bisonal has collected information from a compromised host.[2]

Enterprise T1090 代理

Bisonal has supported use of a proxy server.[2]
Enterprise T1036 伪装

Bisonal dropped a decoy payload with a .jpg extension that contained a malicious Visual Basic script.[2]

.005 Match Legitimate Name or Location

Bisonal has renamed malicious code to msacm32.dll to hide within a legitimate library; earlier versions were disguised as winhelp.[2]

Enterprise T1112 修改注册表

Bisonal has deleted Registry keys to clean up its prior activity.[2]

Enterprise T1543 .003 创建或修改系统进程: Windows Service

Bisonal has been modified to be used as a Windows service.[2]

Enterprise T1137 .006 办公应用启动: Add-ins

Bisonal has been loaded through a .wll extension added to the %APPDATA%\microsoft\word\startup\ repository.[2]

Enterprise T1573 .001 加密通道: Symmetric Cryptography

Bisonal variants reported on in 2014 and 2015 used a simple XOR cipher for C2. Some Bisonal samples encrypt C2 communications with RC4.[1][3][2]

Enterprise T1568 动态解析

Bisonal has used a dynamic DNS service for C2.[2]
Enterprise T1140 反混淆/解码文件或信息

Bisonal has decoded strings in the malware using XOR and RC4.[1][2]

Enterprise T1547 .001 启动或登录自动启动执行: Registry Run Keys / Startup Folder

Bisonal has added itself to the Registry key HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Run\ for persistence.[1][2]

Enterprise T1059 .003 命令与脚本解释器: Windows Command Shell

Bisonal has launched cmd.exe and used the ShellExecuteW() API function to execute commands on the system.[1][3][2]
.005 命令与脚本解释器: Visual Basic

Bisonal's dropper creates VBS scripts on the victim’s machine.[1][2]

Enterprise T1071 .001 应用层协议: Web Protocols

Bisonal has used HTTP for C2 communications.[1][3]
Enterprise T1132 .001 数据编码: Standard Encoding

Bisonal has encoded binary data with Base64 and ASCII.[3][2]

Enterprise T1083 文件和目录发现

Bisonal can retrieve a file listing from the system.[3][2]

Enterprise T1106 本机API

Bisonal has used the Windows API to communicate with the Service Control Manager to execute a thread.[2]
Enterprise T1012 查询注册表

Bisonal has used the RegQueryValueExA function to retrieve proxy information in the Registry.[2]
Enterprise T1027 .001 混淆文件或信息: Binary Padding

Bisonal has appended random binary data to the end of itself to generate a large binary.[2]

.002 混淆文件或信息: Software Packing

Bisonal has used the MPRESS packer and similar tools for obfuscation.[2]

.013 混淆文件或信息: Encrypted/Encoded File

Bisonal's DLL file and non-malicious decoy file are encrypted with RC4 and some function name strings are obfuscated.[1][2]
Enterprise T1204 .002 用户执行: Malicious File

Bisonal has relied on users to execute malicious file attachments delivered via spearphishing emails.[2]

Enterprise T1070 .004 移除指标: File Deletion

Bisonal will delete its dropper and VBS scripts from the victim’s machine.[1][3][2]
Enterprise T1218 .011 系统二进制代理执行: Rundll32

Bisonal has used rundll32.exe to execute as part of the Registry Run key it adds: HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\Run\"vert" = "rundll32.exe c:\windows\temp\pvcu.dll , Qszdez".[1]
Enterprise T1082 系统信息发现

Bisonal has used commands and API calls to gather system information.[1][3][2]
Enterprise T1124 系统时间发现

Bisonal can check the system time set on the infected host.[3]
Enterprise T1016 系统网络配置发现

Bisonal can execute ipconfig on the victim’s machine.[1][3][2]

Enterprise T1497 虚拟化/沙盒规避

Bisonal can check to determine if the compromised system is running on VMware.[2]
.003 Time Based Evasion

Bisonal has checked if the malware is running in a virtual environment with the anti-debug function GetTickCount() to compare the timing.[3][2]

Enterprise T1105 输入工具传输

Bisonal has the capability to download files to execute on the victim’s machine.[1][3][2]

Enterprise T1057 进程发现

Bisonal can obtain a list of running processes on the victim’s machine.[1][3][2]
Enterprise T1041 通过C2信道渗出

Bisonal has added the exfiltrated data to the URL over the C2 channel.[2]

Enterprise T1566 .001 钓鱼: Spearphishing Attachment

Bisonal has been delivered as malicious email attachments.[2]

Enterprise T1095 非应用层协议

Bisonal has used raw sockets for network communication.[2]

Groups That Use This Software

ID Name References
G0131 Tonto Team

[3][4][2]

References

  1. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  2. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
  1. Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.
  2. Secureworks. (2021, January 1). BRONZE HUNTLEY Threat Profile. Retrieved May 5, 2021.