BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry. [1] [2]

ID: G0060
Version: 1.0

Associated Group Descriptions

Tick[1] [3]

Techniques Used

EnterpriseT1087Account DiscoveryBRONZE BUTLER has used net user /domain to identify account information.[2]
EnterpriseT1009Binary PaddingBRONZE BUTLER downloader code has included "0" characters at the end of the file to inflate the file size in a likely attempt to evade anti-virus detection.[2]
EnterpriseT1088Bypass User Account ControlBRONZE BUTLER malware xxmm contains a UAC bypass tool for privilege escalation.[2]
EnterpriseT1059Command-Line InterfaceBRONZE BUTLER uses the command-line interface.[2]
EnterpriseT1003Credential DumpingBRONZE BUTLER has used various tools to perform credential dumping.[2]
EnterpriseT1024Custom Cryptographic ProtocolBRONZE BUTLER has used a tool called RarStar that encodes data with a custom XOR algorithm when posting it to a C2 server.[2]
EnterpriseT1002Data CompressedBRONZE BUTLER has compressed data into password-protected RAR archives prior to exfiltration.[2]
EnterpriseT1132Data EncodingSeveral BRONZE BUTLER tools encode data with base64 when posting it to a C2 server.[2]
EnterpriseT1022Data EncryptedBRONZE BUTLER has compressed and encrypted data into password-protected RAR archives prior to exfiltration.[2]
EnterpriseT1005Data from Local SystemBRONZE BUTLER has exfiltrated files stolen from local systems.[2]
EnterpriseT1039Data from Network Shared DriveBRONZE BUTLER has exfiltrated files stolen from file shares.[2]
EnterpriseT1140Deobfuscate/Decode Files or InformationBRONZE BUTLER downloads encoded payloads and decodes them on the victim.[2]
EnterpriseT1189Drive-by CompromiseBRONZE BUTLER compromised three Japanese websites using a Flash exploit to perform watering hole attacks.[3]
EnterpriseT1203Exploitation for Client ExecutionBRONZE BUTLER has exploited Microsoft Word vulnerability CVE-2014-4114 for execution.[3]
EnterpriseT1083File and Directory DiscoveryBRONZE BUTLER has collected a list of files from the victim and uploaded it to its C2 server, and then created a new list of specific files to steal.[2]
EnterpriseT1107File DeletionThe BRONZE BUTLER uploader or malware the uploader uses command to delete the RAR archives after they have been exfiltrated.[2]
EnterpriseT1036MasqueradingBRONZE BUTLER has given malware the same name as an existing file on the file share server to cause users to unwittingly launch and install the malware on additional systems.[2]
EnterpriseT1097Pass the TicketBRONZE BUTLER has created forged Kerberos Ticket Granting Ticket (TGT) and Ticket Granting Service (TGS) tickets to maintain administrative access.[2]
EnterpriseT1086PowerShellBRONZE BUTLER has used PowerShell for execution.[2]
EnterpriseT1060Registry Run Keys / Startup FolderBRONZE BUTLER has used a batch script that adds a Registry Run key to establish malware persistence.[2]
EnterpriseT1105Remote File CopyBRONZE BUTLER has used various tools to download files, including DGet (a similar tool to wget).[2]
EnterpriseT1018Remote System DiscoveryBRONZE BUTLER typically use ping and Net to enumerate systems.[2]
EnterpriseT1053Scheduled TaskBRONZE BUTLER has used at and schtasks to register a scheduled task to execute malware during lateral movement.[2]
EnterpriseT1113Screen CaptureBRONZE BUTLER has used a tool to capture screenshots.[2]
EnterpriseT1064ScriptingBRONZE BUTLER has used VBS, VBE, and batch scripts for execution.[2]
EnterpriseT1193Spearphishing AttachmentBRONZE BUTLER used spearphishing emails with malicious Microsoft Word attachments to infect victims.[3]
EnterpriseT1071Standard Application Layer ProtocolBRONZE BUTLER malware has used HTTP for C2.[2]
EnterpriseT1032Standard Cryptographic ProtocolBRONZE BUTLER has used RC4 encryption (for Datper malware) and AES (for xxmm malware) to obfuscate HTTP traffic.[2]
EnterpriseT1124System Time DiscoveryBRONZE BUTLER has used net time to check the local time on a target system.[2]
EnterpriseT1204User ExecutionBRONZE BUTLER has attempted to get users to launch malicious Microsoft Word attachments delivered via spearphishing emails.[3]
EnterpriseT1102Web ServiceBRONZE BUTLER's MSGET downloader uses a dead drop resolver to access malicious payloads.[2]


S0110at[2]Scheduled Task
S0106cmd[2]Command-Line Interface, File and Directory Discovery, File Deletion, Remote File Copy, System Information Discovery
S0187Daserf[1][3]Code Signing, Command-Line Interface, Credential Dumping, Data Compressed, Data Encoding, Data Encrypted, Data Obfuscation, Indicator Removal from Tools, Input Capture, Masquerading, Obfuscated Files or Information, Remote File Copy, Screen Capture, Software Packing, Standard Application Layer Protocol, Standard Cryptographic Protocol
S0008gsecdump[2][3]Credential Dumping
S0002Mimikatz[2][3]Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0039Net[2]Account Discovery, Create Account, Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Remote System Discovery, Service Execution, System Network Connections Discovery, System Service Discovery, System Time Discovery, Windows Admin Shares
S0111schtasks[2]Scheduled Task
S0005Windows Credential Editor[2][3]Credential Dumping