Bankshot is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. In 2018, Lazarus Group used the Bankshot implant in attacks against the Turkish financial sector. [1]

ID: S0239
Associated Software: Trojan Manuscript

Platforms: Windows

Version: 1.0

Associated Software Descriptions

Trojan Manuscript[1]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1134 | Access Token Manipulation | Bankshot grabs a user token using WTSQueryUserToken and then creates a process by impersonating a logged-on user. [1]
Enterprise | T1087 | Account Discovery | Bankshot gathers domain and account names/information through process monitoring. [1]
Enterprise | T1119 | Automated Collection | Bankshot recursively generates a list of files within a directory and sends them back to the control server. [1]
Enterprise | T1059 | Command-Line Interface | Bankshot uses the command-line interface to execute arbitrary commands. [1][2]
Enterprise | T1132 | Data Encoding | Bankshot encodes commands from the control server using a range of characters and gzip. [1]
Enterprise | T1005 | Data from Local System | Bankshot collects files from the local system. [1]
Enterprise | T1001 | Data Obfuscation | Bankshot generates a false TLS handshake using a public certificate to disguise C2 network communications. [2]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Bankshot decodes embedded XOR strings. [2]
Enterprise | T1106 | Execution through API | Bankshot creates processes using the Windows API calls CreateProcessA() and CreateProcessAsUserA(). [1]
Enterprise | T1041 | Exfiltration Over Command and Control Channel | Bankshot exfiltrates data over its C2 channel. [1]
Enterprise | T1203 | Exploitation for Client Execution | Bankshot leverages a known zero-day vulnerability in Adobe Flash to execute the implant on the victims' machines. [1]
Enterprise | T1083 | File and Directory Discovery | Bankshot searches for files on the victim's machine. [2]
Enterprise | T1107 | File Deletion | Bankshot marks files to be deleted upon the next system reboot and uninstalls and removes itself from the system. [1]
Enterprise | T1070 | Indicator Removal on Host | Bankshot deletes all artifacts associated with the malware from the infected machine. [2]
Enterprise | T1031 | Modify Existing Service | Bankshot can terminate a specific process by its process ID. [1][2]
Enterprise | T1112 | Modify Registry | Bankshot writes data into the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Pniumj. [2]
Enterprise | T1057 | Process Discovery | Bankshot identifies processes and collects the process IDs. [1]
Enterprise | T1012 | Query Registry | Bankshot searches for certain Registry keys to be configured before executing the payload. [2]
Enterprise | T1105 | Remote File Copy | Bankshot uploads files and secondary payloads to the victim's machine. [2]
Enterprise | T1071 | Standard Application Layer Protocol | Bankshot uses HTTP for command and control communication. [1]
Enterprise | T1082 | System Information Discovery | Bankshot gathers system information, network addresses, disk type, disk free space, and the operating system version. [1][2]
Enterprise | T1099 | Timestomp | Bankshot modifies the time of a file as specified by the control server. [1]
Enterprise | T1065 | Uncommonly Used Port | Bankshot binds and listens on port 1058. [2]
Groups that use this software:

Lazarus Group