BBSRAT is malware with remote access tool functionality that has been used in targeted compromises. [1]

ID: S0127
Platforms: Windows

Version: 1.1

Techniques Used

EnterpriseT1043Commonly Used PortBBSRAT uses HTTP TCP port 80 and HTTPS TCP port 443 for communications.[1]
EnterpriseT1122Component Object Model HijackingBBSRAT has been seen persisting via COM hijacking through replacement of the COM object for MruPidlList {42aedc87-2188-41fd-b9a3-0c966feabec1} or Microsoft WBEM New Event Subsystem {F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} depending on the system's CPU architecture.[1]
EnterpriseT1024Custom Cryptographic ProtocolBBSRAT uses a custom encryption algorithm on data sent back to the C2 server over HTTP.[1]
EnterpriseT1002Data CompressedBBSRAT can compress data with ZLIB prior to sending it back to the C2 server.[1]
EnterpriseT1140Deobfuscate/Decode Files or InformationBBSRAT uses Expand to decompress a CAB file into executable content.[1]
EnterpriseT1073DLL Side-LoadingDLL side-loading has been used to execute BBSRAT through a legitimate Citrix executable, ssonsvr.exe. The Citrix executable was dropped along with BBSRAT by the dropper.[1]
EnterpriseT1083File and Directory DiscoveryBBSRAT can list file and directory information.[1]
EnterpriseT1107File DeletionBBSRAT can delete files and directories.[1]
EnterpriseT1031Modify Existing ServiceBBSRAT can modify service configurations.[1]
EnterpriseT1057Process DiscoveryBBSRAT can list running processes.[1]
EnterpriseT1093Process HollowingBBSRAT has been seen loaded into msiexec.exe through process hollowing to hide its execution.[1]
EnterpriseT1060Registry Run Keys / Startup FolderBBSRAT has been loaded through DLL side-loading of a legitimate Citrix executable that is set to persist through the Registry Run key location HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssonsvr.exe.
EnterpriseT1035Service ExecutionBBSRAT can start, stop, or delete services.[1]
EnterpriseT1071Standard Application Layer ProtocolBBSRAT uses GET and POST requests over HTTP or HTTPS for command and control to obtain commands and send ZLIB compressed data back to the C2 server.[1]
EnterpriseT1007System Service DiscoveryBBSRAT can query service configuration information.[1]