Bankshot
Bankshot is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. In 2018, Lazarus Group used the Bankshot implant in attacks against the Turkish financial sector. [1]
ID: S0239
Associated Software: Trojan Manuscript
Type: MALWARE
Platforms: Windows
Version: 1.0
Associated Software Descriptions
| Name | Description |
|---|---|
| Trojan Manuscript | [1] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1134 | Access Token Manipulation | Bankshot grabs a user token using WTSQueryUserToken and then creates a process by impersonating a logged-on user. [1] |
| Enterprise | T1087 | Account Discovery | Bankshot gathers domain and account names/information through process monitoring. [1] |
| Enterprise | T1119 | Automated Collection | Bankshot recursively generates a list of files within a directory and sends them back to the control server. [1] |
| Enterprise | T1059 | Command-Line Interface | Bankshot uses the command-line interface to execute arbitrary commands. [1] [2] |
| Enterprise | T1132 | Data Encoding | Bankshot encodes commands from the control server using a range of characters and gzip. [1] |
| Enterprise | T1005 | Data from Local System | Bankshot collects files from the local system. [1] |
| Enterprise | T1001 | Data Obfuscation | Bankshot generates a false TLS handshake using a public certificate to disguise C2 network communications. [2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Bankshot decodes embedded XOR strings. [2] |
| Enterprise | T1106 | Execution through API | Bankshot creates processes using the Windows API calls: CreateProcessA() and CreateProcessAsUserA(). [1] |
| Enterprise | T1041 | Exfiltration Over Command and Control Channel | Bankshot exfiltrates data over its C2 channel. [1] |
| Enterprise | T1203 | Exploitation for Client Execution | Bankshot leverages a known zero-day vulnerability in Adobe Flash to execute the implant into the victims’ machines. [1] |
| Enterprise | T1083 | File and Directory Discovery | Bankshot searches for files on the victim's machine. [2] |
| Enterprise | T1107 | File Deletion | Bankshot marks files to be deleted upon the next system reboot and uninstalls and removes itself from the system. [1] |
| Enterprise | T1070 | Indicator Removal on Host | Bankshot delets all artifacts associated with the malware from the infected machine. [2] |
| Enterprise | T1031 | Modify Existing Service | Bankshot can terminate a specific process by its process id. [1] [2] |
| Enterprise | T1112 | Modify Registry |
Bankshot writes data into the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Pniumj.
[2]
|
| Enterprise | T1057 | Process Discovery | Bankshot identifies processes and collects the process ids. [1] |
| Enterprise | T1012 | Query Registry | Bankshot searches for certain Registry keys to be configured before executing the payload. [2] |
| Enterprise | T1105 | Remote File Copy | Bankshot uploads files and secondary payloads to the victim's machine. [2] |
| Enterprise | T1071 | Standard Application Layer Protocol | Bankshot uses HTTP for command and control communication. [1] |
| Enterprise | T1082 | System Information Discovery | Bankshot gathers system information, network addresses, disk type, disk free space, and the operation system version. [1] [2] |
| Enterprise | T1099 | Timestomp | Bankshot modifies the time of a file as specified by the control server. [1] |
| Enterprise | T1065 | Uncommonly Used Port | Bankshot binds and listens on port 1058. [2] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0032 | Lazarus Group | [1] |