Bankshot

Bankshot is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. In 2018, Lazarus Group used the Bankshot implant in attacks against the Turkish financial sector. ^[1]

ID: S0239

Associated Software: Trojan Manuscript

Type: MALWARE

Platforms: Windows

Version: 1.0

Associated Software Descriptions

Name	Description
Trojan Manuscript	^[1]

Techniques Used

Domain	ID	Name	Use
Enterprise	T1134	Access Token Manipulation	Bankshot grabs a user token using WTSQueryUserToken and then creates a process by impersonating a logged-on user.^[1]
Enterprise	T1087	Account Discovery	Bankshot gathers domain and account names/information through process monitoring.^[1]
Enterprise	T1119	Automated Collection	Bankshot recursively generates a list of files within a directory and sends them back to the control server.^[1]
Enterprise	T1059	Command-Line Interface	Bankshot uses the command-line interface to execute arbitrary commands.^[1]^[2]
Enterprise	T1132	Data Encoding	Bankshot encodes commands from the control server using a range of characters and gzip.^[1]
Enterprise	T1005	Data from Local System	Bankshot collects files from the local system.^[1]
Enterprise	T1001	Data Obfuscation	Bankshot generates a false TLS handshake using a public certificate to disguise C2 network communications.^[2]
Enterprise	T1140	Deobfuscate/Decode Files or Information	Bankshot decodes embedded XOR strings.^[2]
Enterprise	T1106	Execution through API	Bankshot creates processes using the Windows API calls: CreateProcessA() and CreateProcessAsUserA().^[1]
Enterprise	T1041	Exfiltration Over Command and Control Channel	Bankshot exfiltrates data over its C2 channel.^[1]
Enterprise	T1203	Exploitation for Client Execution	Bankshot leverages a known zero-day vulnerability in Adobe Flash to execute the implant into the victims’ machines.^[1]
Enterprise	T1083	File and Directory Discovery	Bankshot searches for files on the victim's machine.^[2]
Enterprise	T1107	File Deletion	Bankshot marks files to be deleted upon the next system reboot and uninstalls and removes itself from the system.^[1]
Enterprise	T1070	Indicator Removal on Host	Bankshot delets all artifacts associated with the malware from the infected machine.^[2]
Enterprise	T1031	Modify Existing Service	Bankshot can terminate a specific process by its process id.^[1]^[2]
Enterprise	T1112	Modify Registry	Bankshot writes data into the Registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Pniumj`.^[2]
Enterprise	T1057	Process Discovery	Bankshot identifies processes and collects the process ids.^[1]
Enterprise	T1012	Query Registry	Bankshot searches for certain Registry keys to be configured before executing the payload.^[2]
Enterprise	T1105	Remote File Copy	Bankshot uploads files and secondary payloads to the victim's machine.^[2]
Enterprise	T1071	Standard Application Layer Protocol	Bankshot uses HTTP for command and control communication.^[1]
Enterprise	T1082	System Information Discovery	Bankshot gathers system information, network addresses, disk type, disk free space, and the operation system version.^[1]^[2]
Enterprise	T1099	Timestomp	Bankshot modifies the time of a file as specified by the control server.^[1]
Enterprise	T1065	Uncommonly Used Port	Bankshot binds and listens on port 1058.^[2]

Groups That Use This Software

ID	Name	References
G0032	Lazarus Group	^[1]

References

Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.

US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.

Bankshot

Associated Software Descriptions

Enterprise Layer

Techniques Used

Groups That Use This Software

References