Bisonal
Bisonal is malware that has been used in attacks against targets in Russia, South Korea, and Japan. It has been observed in the wild since 2014. [1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Bisonal adds itself to the Registry key |
| Enterprise | T1059 | .005 | Command and Scripting Interpreter: Visual Basic |
Bisonal's dropper creates VBS scripts on the victim’s machine.[1] |
| .003 | Command and Scripting Interpreter: Windows Command Shell |
Bisonal can launch cmd.exe to execute commands on the system.[1] |
||
| Enterprise | T1140 | Deobfuscate/Decode Files or Information |
Bisonal decodes strings in the malware using XOR and RC4.[1] |
|
| Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
Bisonal variants reported on in 2014 and 2015 used a simple XOR cipher for C2. Some Bisonal samples encrypt C2 communications with RC4.[1] |
| Enterprise | T1070 | .004 | Indicator Removal on Host: File Deletion |
Bisonal deletes its dropper and VBS scripts from the victim’s machine.[1] |
| Enterprise | T1105 | Ingress Tool Transfer |
Bisonal has the capability to download files to execute on the victim’s machine.[1] |
|
| Enterprise | T1027 | Obfuscated Files or Information |
Bisonal's DLL file and non-malicious decoy file are encrypted with RC4.[1] |
|
| Enterprise | T1057 | Process Discovery |
Bisonal can obtain a list of running processes on the victim’s machine.[1] |
|
| Enterprise | T1218 | .011 | Signed Binary Proxy Execution: Rundll32 |
Bisonal uses rundll32.exe to execute as part of the Registry Run key it adds: |
| Enterprise | T1082 | System Information Discovery |
Bisonal has a command to gather system information from the victim’s machine.[1] |
|
| Enterprise | T1016 | System Network Configuration Discovery | ||